WO2017162095A1 - Communication method, device and system based on a flow rule (Flow Spec) protocol - Google Patents
Communication method, device and system based on a flow rule (Flow Spec) protocol
- Publication number: WO2017162095A1 (PCT application PCT/CN2017/076960)
- Authority: WO (WIPO, PCT)
- Prior art keywords: resource, vpn, vpn instance, information, forwarding
Classifications
All classifications fall under H—ELECTRICITY, H04—ELECTRIC COMMUNICATION TECHNIQUE, H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; the parent groups of each entry are given in parentheses.
- H04L45/04—Interdomain routing, e.g. hierarchical routing (H04L45/00 Routing or path finding of packets in data switching networks; H04L45/02 Topology update or discovery)
- H04L69/03—Protocol definition or specification (H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN] (H04L12/00 Data switching networks; H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]; H04L12/46 Interconnection of networks)
- H04L12/4645—Details on frame tagging (under H04L12/4641)
- H04L45/54—Organization of routing tables (H04L45/00)
- H04L45/586—Association of routers of virtual routers (H04L45/00; H04L45/58 Association of routers)
- H04L45/64—Routing or path finding of packets in data switching networks using an overlay routing layer (H04L45/00)
- H04L69/06—Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1] (H04L69/00)
- H04L69/325—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the network layer [OSI layer 3], e.g. X.25 (H04L69/00; H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks; H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level; H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions)
- H04L9/40—Network security protocols (H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
Definitions
- Embodiments of the present invention relate to the field of communications and, more particularly, to a communication method, device and system based on a flow rule (Flow Spec) protocol.
- The Border Gateway Protocol (BGP) is a dynamic routing protocol used between autonomous systems (ASs).
- Earlier versions were BGP-1 (RFC 1105), BGP-2 (RFC 1163) and BGP-3 (RFC 1267); the version currently in use is BGP-4 (RFC 4271).
- BGP is used between Internet Service Providers (ISPs).
- The BGP Flow Specification (Flow Spec, RFC 5575) is used to deliver traffic policies to a BGP Flow Specification peer.
- The peer device to which a BGP Flow Specification route is advertised is the BGP Flow Specification peer.
- After receiving the BGP Flow Specification route, the BGP Flow Specification peer translates the preferred route corresponding to that route into a flow control policy of the forwarding plane and then performs flow control.
- The BGP Flow Specification route is a BGP route defined in RFC 5575.
- The BGP Flow Specification route includes a BGP Flow Spec NLRI and an extended community attribute.
- The BGP Flow Specification route can carry the matching conditions for the traffic and the action to be performed once the traffic is matched.
- RFC 5575 defines 12 common traffic matching rules, including destination address, source address, IP protocol number, port number, destination port number, source port number, ICMP type, ICMP code, TCP flags, DSCP and fragment type; these 12 traffic matching rules are encapsulated in the BGP Flow Specification route as network layer reachability information (NLRI).
- RFC 5575 defines four common traffic processing actions: drop traffic, rate-limit traffic, modify the DSCP value of packets, and redirect. These four actions are encapsulated in the BGP Flow Spec route as extended community attributes, where the redirect action means directing a specific data flow into the corresponding forwarding channel.
- A VRF (Virtual Routing Forwarding) instance is a virtual private network forwarding instance.
- The redirect actions currently include: redirect to the VRF identified by a route target in AS-2byte form (redirect AS-2byte), in IPv4 address form (redirect IPv4 format) or in IPv6-specific-AS form (redirect IPv6 specific AS); redirect to an IPv4 next hop (redirect IPv4 address); and redirect to an IPv6 next hop (redirect IPv6 address).
- Each new redirect requirement requires the BGP Flow Spec protocol to be patched, so the BGP Flow Spec protocol is constantly changing.
- The BGP Flow Spec redirect action solution currently under study defines a general Path-ID for directing data flows into the transport layer tunnel corresponding to the Path-ID, and requires the extended community attribute of the BGP Flow Spec protocol to be extended to carry the Path-ID and, where necessary, the specific information of the tunnel.
- The embodiments of the invention provide a communication method and device based on the flow rule (Flow Spec) protocol, which can effectively avoid unlimited expansion of the Flow Spec protocol.
- A first aspect provides a communication method based on a flow rule (Flow Spec) protocol, including:
- the controller sends a Border Gateway Protocol flow rule (BGP Flow Spec) protocol packet to the forwarding device according to a requirement, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field;
- the network layer reachability information field carries feature information of a first resource;
- the extended community attribute field carries a global identifier (GID) for indicating a second resource;
- the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated.
- The feature information of the first resource can indicate the first resource.
- The first resource and the second resource of the forwarding device both refer to information stored on the forwarding device for forwarding data packets (data flows).
- By associating the first resource with the second resource, a data packet can be directed into the corresponding forwarding channel.
- For example, the first resource indicates routing information of a first node stored on the forwarding device, the second resource indicates a routing table of a second node stored on the forwarding device, and associating the first resource with the second resource means that the routing information of the first node is added to the routing table of the second node, so that a data packet originating from the second node can be directed into the forwarding channel of the first node.
- As another example, the first resource indicates that the source IP address is the IP address of a first node and the destination IP address is the IP address of a second node, where both IP addresses are stored on the forwarding device, and the second resource indicates a routing table (forwarding table) of the second node stored on the forwarding device; associating the first resource with the second resource means that a data packet whose source and destination IP addresses match the first resource is forwarded according to the routing table of the second node, so that a data packet originating from the first node can likewise be directed into the forwarding channel of the second node.
- Because the network layer reachability information field of the BGP Flow Spec protocol packet carries the feature information of the first resource and the extended community attribute field carries the global identifier (GID) indicating the second resource, the forwarding device can associate the first resource with the second resource and direct the data flow into the corresponding forwarding channel.
- The first resource and the second resource carried in the BGP Flow Spec protocol packet may be different combinations of resources, so that multiple service requirements can be met by using the BGP Flow Spec protocol packet of the present application.
- In the prior art, the BGP Flow Spec protocol needs to be patched for each new service requirement: the extended community attribute in the BGP Flow Spec protocol needs to be extended, and the BGP Flow Spec protocol is always in a state of change.
- The BGP Flow Spec protocol of this application can meet a variety of service requirements through a unified packet format, thereby effectively preventing unrestricted expansion of the extended community attribute in the BGP Flow Spec protocol.
- The GID carried in the extended community attribute uniquely indicates the second resource in the forwarding device.
- The controller and the forwarding device store a mapping table that includes the mapping relationship between the second resource and the GID, so by using the GID both the controller and the forwarding device can locate the second resource. Therefore, in the present application the second resource can be indicated by carrying a concise GID in the extended community attribute field of the BGP Flow Spec protocol packet, which saves signaling overhead.
- The communication method further includes:
- the controller acquires the resources stored on the forwarding device, where the resources include the second resource;
- the controller allocates a mapping identifier to each resource stored on the forwarding device;
- the controller sends a mapping table to the forwarding device, where the mapping table includes the mapping relationship between the resources stored on the forwarding device and the allocated mapping identifiers.
- The GID is the mapping identifier allocated by the controller to the second resource.
- The controller collects the resources stored on the forwarding device, allocates a mapping identifier to each of them, and then notifies the forwarding device of the mapping relationship between resource and mapping identifier, so that when the controller and the forwarding device communicate the signaling only needs to carry the mapping identifier to locate the corresponding resource, thereby improving communication efficiency and saving signaling overhead.
- The extended community attribute field includes a GID field and a flags (Flags) field, where the GID field carries the GID and the Flags field carries indication information indicating whether the first resource and the second resource are associated on the control plane of the forwarding device or on the forwarding plane of the forwarding device.
- In the prior art, the extension of the protocol is usually limited to the forwarding plane, where it directs the data flow into the corresponding forwarding channel.
- In the present application the data flow can be directed into the corresponding forwarding channel not only at the forwarding plane but also at the control plane, so that flexible service orchestration can be implemented.
- The Flags field includes a forwarding plane bit and a control plane bit: when the forwarding plane bit is set to 0 and the control plane bit is set to 1, it indicates that the first resource and the second resource are associated on the control plane; when the forwarding plane bit is set to 1 and the control plane bit is set to 0, it indicates that the first resource and the second resource are associated on the forwarding plane.
- The forwarding plane bit and the control plane bit in the Flags field may also be replaced by a single first bit: when the first bit is set to 1, it indicates that the first resource and the second resource are associated on the control plane; when the first bit is set to 0, it indicates that they are associated on the forwarding plane.
- The Flags field further includes an incremental bit: when the incremental bit is set to 1, it indicates that a resource association is added on the forwarding device; when the incremental bit is set to 0, it indicates that the association between the first resource and the second resource overwrites the existing association of the first resource with other resources.
- The forwarding device is a service provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established, where the forwarding device holds routing information of a second CE device and the routing information of the second CE device is not in the VPN routing table of the VPN instance of the first CE device.
- The communication method further includes:
- the controller acquires a VPN service request, where the VPN service request requests that the first CE device access the second CE device;
- the controller's acquiring of the requirement that the first resource on the forwarding device needs to be associated with the second resource on the forwarding device includes:
- the controller acquires, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the second CE device and the second resource is the VPN instance of the first CE device;
- the controller's sending of the Border Gateway Protocol flow rule (BGP Flow Spec) protocol packet to the forwarding device according to the requirement includes:
- the controller sends the BGP Flow Spec protocol packet to the forwarding device according to the requirement, where the Flags field in the BGP Flow Spec protocol packet indicates that the first resource and the second resource are associated on the control plane, and the BGP Flow Spec protocol packet indicates that the routing information of the second CE device is to be added to the VPN routing table of the VPN instance of the first CE device.
- Through the BGP Flow Spec protocol packet sent by the controller to the PE device (that is, the forwarding device), the PE device adds the routing information of the second CE device, whose VPN RT attribute does not match, to the VPN routing table of the VPN instance of the first CE device, so that data packets from the first CE device can enter the forwarding channel of the second CE device; that is, the first CE device accesses the second CE device although their VPN RT attributes do not match. Therefore, compared with the manual configuration of the prior art, the present application can flexibly and efficiently implement VPN communication between two CE devices whose VPN RT attributes do not match.
- The prior art is limited to directing the data flow into the corresponding forwarding channel at the forwarding plane, whereas the present application can direct the data flow into the corresponding forwarding channel at the control plane, thereby enabling flexible service orchestration.
- The communication method further includes:
- the controller obtains the attribute information of the VPN instance of the first CE device from the forwarding device, where the attribute information includes the VPN instance name, the VPN instance route distinguisher (RD), the VPN instance route target (RT), the VPN instance index value and the VPN instance interface information;
- the controller allocates a mapping identifier to the attribute information of the VPN instance of the first CE device, where the mapping identifier uniquely indicates the attribute information of the VPN instance of the first CE device in the forwarding device;
- the controller sends a mapping table to the forwarding device, where the mapping table includes the mapping relationship between the attribute information of the VPN instance of the first CE device and the mapping identifier.
- The GID carried in the GID field is one or more of the mapping identifiers.
- The controller collects the attribute information of the VPN instances established on the PE device, assigns a mapping identifier to that attribute information, and then notifies the PE device of the mapping relationship between the attribute information of the VPN instance and the mapping identifier.
- The controller and the PE device can therefore locate the corresponding VPN instance by carrying only the mapping identifier in the BGP Flow Spec protocol packet, thereby improving communication efficiency and saving signaling overhead.
- The communication method further includes:
- the controller acquires a VPN service request requesting configuration information for a VPN instance of a third CE device newly established on the forwarding device;
- the controller configures the following attribute information for the VPN instance of the third CE device: the VPN instance name, the VPN instance RD, the VPN instance RT and the VPN instance interface information, where the following attribute information of the VPN instance of the third CE device does not conflict with that of the VPN instance of the first CE device: the VPN instance name, the VPN instance RD and the VPN instance interface information.
- By obtaining the attribute information of the VPN instances already existing on the PE device, the controller can detect conflicts between the attribute information of different VPN instances when configuring the attribute information of a VPN instance added to the PE device.
- The present application can thus effectively avoid conflicts, and its operation efficiency is high.
- Optionally, a VPN instance of the second CE device is also established on the forwarding device, where the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device;
- in that case the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: the VPN instance name, the VPN instance RD, the VPN instance index value, the VPN instance interface information and the VPN instance GID.
- Alternatively, the routing information of the second CE device is included in the VPN public network routing table of the forwarding device;
- in that case the feature information of the first resource is at least one of the following: the RD information corresponding to the routing information of the second CE device, the export route target (export target) information, or the route prefix information.
- The forwarding device is a service provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device and a VPN instance of a third CE device are established, where the forwarding device further holds routing information of a second CE device, the routing information of the second CE device is not included in the VPN routing table of the VPN instance of the first CE device, and the routing information of the second CE device is included in the VPN routing table of the VPN instance of the third CE device.
- The communication method further includes:
- the controller acquires a VPN service request, where the VPN service request requests that the first CE device access the second CE device;
- the controller's acquiring of the requirement that the first resource on the forwarding device needs to be associated with the second resource on the forwarding device includes:
- the controller acquires, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is that the source IP address is the IP address of the first CE device and the destination IP address is the IP address of the second CE device, and the second resource is the VPN instance of the third CE device;
- the controller's sending of the BGP Flow Spec protocol packet to the forwarding device according to the requirement includes:
- the controller sends the BGP Flow Spec protocol packet to the forwarding device according to the requirement, where the Flags field in the BGP Flow Spec protocol packet is used to indicate the association of the first resource with the second resource, and the BGP Flow Spec protocol packet indicates that data packets whose source IP address and destination IP address match the first resource are forwarded according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- The feature information of the first resource is that the source IP address is the IP address of the first CE device and the destination IP address is the IP address of the second CE device.
- Through the BGP Flow Spec protocol packet sent by the controller to the PE device (that is, the forwarding device), the PE device forwards a data packet whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device according to the routing information of the second CE device, whose VPN RT attribute does not match that of the first CE device, so that the data packet originating from the first CE device can enter the forwarding channel of the second CE device; that is, the first CE device accesses the second CE device although their VPN RT attributes do not match. Therefore, compared with the manual configuration of the prior art, the present application can flexibly and efficiently implement VPN communication between two CE devices whose VPN RT attributes do not match.
- The communication method further includes:
- the controller obtains the attribute information of the VPN instance of the third CE device from the forwarding device, where the attribute information includes the VPN instance name, the VPN instance route distinguisher (RD), the VPN instance route target (RT), the VPN instance index value and the VPN instance interface information;
- the controller allocates a mapping identifier to the attribute information of the VPN instance of the third CE device, where the mapping identifier uniquely indicates the attribute information of the VPN instance of the third CE device in the forwarding device;
- the controller sends a mapping table to the forwarding device, where the mapping table includes the mapping relationship between the attribute information of the VPN instance of the third CE device and the mapping identifier.
- The GID carried in the GID field is one or more of the mapping identifiers.
- The controller collects the attribute information of the VPN instances established on the PE device, assigns a mapping identifier to that attribute information, and then notifies the PE device of the mapping relationship between the attribute information of the VPN instance and the mapping identifier.
- The controller and the PE device can therefore locate the corresponding VPN instance by carrying only the mapping identifier in the BGP Flow Spec protocol packet, thereby improving communication efficiency and saving signaling overhead.
- The communication method further includes:
- the controller configures the following attribute information for a VPN instance of a fourth CE device: the VPN instance name, the VPN instance RD, the VPN instance RT and the VPN instance interface information, where the following attribute information of the VPN instance of the fourth CE device does not conflict with that of the VPN instance of the first CE device or the VPN instance of the third CE device: the VPN instance name, the VPN instance RD and the VPN instance interface information.
- By obtaining the attribute information of the VPN instances already existing on the PE device, the controller can detect conflicts between the attribute information of different VPN instances when configuring the attribute information of a VPN instance added to the PE device.
- The present application can thus effectively avoid conflicts, and its operation efficiency is high.
- Optionally, the second CE device is the third CE device.
- A second aspect provides a communication method based on a flow rule (Flow Spec) protocol, where the communication method includes:
- the forwarding device receives a Border Gateway Protocol flow rule (BGP Flow Spec) protocol packet sent by the controller, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries feature information of a first resource for indicating the first resource on the forwarding device, the extended community attribute field carries a global identifier (GID) for indicating a second resource on the forwarding device, and the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated;
- the forwarding device acquires the first resource according to the feature information of the first resource and acquires the second resource according to the GID;
- the forwarding device associates the first resource with the second resource.
- The first resource and the second resource of the forwarding device both refer to information stored on the forwarding device for forwarding data packets (data flows).
- the forwarding plane bit and the control plane bit in the Flags field may also be replaced by a first bit, and when the first bit is assigned a value, it is indicated in the control.
- Associating the first resource with the second resource in a plane when the first bit is assigned a value of 0, indicating that the association is performed on the forwarding plane The first resource and the second resource.
- the forwarding device is a service provider edge (PE) device configured with a virtual private network (VPN) instance of a first customer edge (CE) device; the forwarding device includes routing information of a second CE device, and the routing information of the second CE device is not in the VPN routing table of the VPN instance of the first CE device.
- the forwarding device receives the BGP Flow Spec protocol packet sent by the controller, including:
- the forwarding device receives the BGP Flow Spec protocol packet sent by the controller according to a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, the first resource is the routing information of the second CE device, the second resource is the VPN instance of the first CE device, the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the control plane, and the BGP Flow Spec protocol packet is used to indicate that the routing information of the second CE device is to be added to the VPN routing table of the VPN instance of the first CE device;
- the forwarding device associates the first resource with the second resource, including:
- the forwarding device adds the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
- by using the BGP Flow Spec protocol packet sent by the controller, the PE device adds the routing information of the second CE device, whose VPN RT attribute does not match, to the VPN routing table of the VPN instance of the first CE device, so that a data packet from the first CE device can enter the forwarding channel to the second CE device; that is, the first CE device accesses the second CE device even though their VPN RT attributes do not match. Therefore, compared with the manual configuration manner in the prior art, the present application can flexibly and efficiently implement VPN communication between two CE devices whose VPN RT attributes do not match.
- in the prior art, the data stream can only be directed to the corresponding forwarding channel at the forwarding plane, whereas the present application can also direct the data stream to the corresponding forwarding channel at the control plane, thereby enabling flexible service orchestration.
- the communications method further includes:
- the forwarding device sends the attribute information of the VPN instance of the first CE device to the controller, where the attribute information includes a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value, and VPN instance interface information;
- the forwarding device receives the mapping table sent by the controller, where the mapping table includes a mapping relationship between the attribute information of the VPN instance of the first CE device and the mapping identifier allocated by the controller to that attribute information, and the mapping identifier uniquely indicates the attribute information of the VPN instance of the first CE device in the forwarding device, and
- the GID carried in the GID field is one or more identifiers in the mapping identifier.
- the controller collects the attribute information of the VPN instance established on the PE device, assigns a mapping identifier to that attribute information, and then notifies the PE device of the mapping relationship between the attribute information of the VPN instance and the mapping identifier.
- the controller and the PE device can then locate the corresponding VPN instance by carrying only the mapping identifier in the BGP Flow Spec protocol packet, thereby improving communication efficiency and saving signaling overhead.
- the forwarding device is configured with the VPN instance of the second CE device, where the routing information of the second CE device is included in the VPN routing table of the VPN instance of the second CE device;
- the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: VPN instance name, VPN instance RD, VPN instance index value, VPN instance interface information, or VPN instance GID;
- the forwarding device acquires routing information of the second CE device from a VPN routing table of the VPN instance of the second CE device according to the feature information of the first resource.
- the feature information of the first resource is a GID used to indicate a VPN instance of the second CE device.
- the VPN instance of the second CE device is not established on the forwarding device, and the routing information of the second CE device is included in the VPN public network routing table of the forwarding device;
- the feature information of the first resource is at least one of the following information: the RD information corresponding to the routing information of the second CE device, the export target information, or the route prefix information;
- the forwarding device acquires routing information of the second CE device from the VPN public network routing table according to the feature information of the first resource.
- the forwarding device is a service provider edge (PE) device, the forwarding device is configured with a virtual private network (VPN) instance of a first customer edge (CE) device and a VPN instance of a third CE device, the forwarding device further includes routing information of a second CE device, the VPN routing table of the VPN instance of the first CE device does not include the routing information of the second CE device, the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device, and the forwarding device receiving the BGP Flow Spec protocol packet sent by the controller includes:
- the forwarding device receives a BGP Flow Spec protocol packet sent by the controller according to a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, the first resource is a data packet whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, the second resource is the VPN instance of the third CE device, the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the forwarding plane, and the BGP Flow Spec protocol packet is used to indicate that a data packet whose source IP address and destination IP address are consistent with the first resource is forwarded according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device;
- the forwarding device associates the first resource with the second resource, including:
- the forwarding device receives a data packet, where the source IP address of the data packet is an IP address of the first CE device, and the destination IP address is an IP address of the second CE device;
- the forwarding device forwards the data packet according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- the feature information of the first resource is that the source IP address is an IP address of the first CE device, and the destination IP address is an IP address of the second CE device.
- the PE device receives the BGP Flow Spec protocol packet sent by the controller and, according to it, forwards data packets whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device according to the VPN routing forwarding table that contains the routing information of the second CE device, even though that table belongs to a VPN instance whose RT attributes do not match those of the first CE device, so that data packets originating from the first CE device can enter the forwarding channel to the second CE device; that is, the first CE device accesses the second CE device despite the VPN RT attribute mismatch. Therefore, compared with the manual configuration manner in the prior art, the present application can flexibly and efficiently implement VPN communication between two CE devices whose VPN RT attributes do not match.
- the communications method further includes:
- the forwarding device sends the attribute information of the VPN instance of the third CE device to the controller, where the attribute information includes a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value, and VPN instance interface information;
- the forwarding device receives the mapping table sent by the controller, where the mapping table includes a mapping relationship between the attribute information of the VPN instance of the third CE device and the mapping identifier allocated by the controller to that attribute information, and the mapping identifier uniquely indicates the attribute information of the VPN instance of the third CE device in the forwarding device, and
- the GID carried in the GID field is one or more identifiers in the mapping identifier.
- the controller collects the attribute information of the VPN instance established on the PE device, assigns a mapping identifier to that attribute information, and then notifies the PE device of the mapping relationship between the attribute information of the VPN instance and the mapping identifier.
- the controller and the PE device can then locate the corresponding VPN instance by carrying only the mapping identifier in the BGP Flow Spec protocol packet, thereby improving communication efficiency and saving signaling overhead.
- the second CE device is the third CE device.
- the controller allocates a mapping identifier to the attribute information of the VPN instance of the first CE device. The controller may allocate a separate mapping identifier to each item of attribute information of the VPN instance of the first CE device (the VPN instance name, the VPN instance route distinguisher RD, the VPN instance route target RT, the VPN instance index value, and the VPN instance interface information), or may allocate a single mapping identifier uniformly for all attribute information of the VPN instance of the first CE device, as long as the controller and the PE device can locate the VPN instance of the first CE device by using the mapping identifier.
- a third aspect provides a controller for performing the method of any of the above-described first aspect or any of the possible implementations of the first aspect.
- controller may comprise means for performing the method of the first aspect or any of the possible implementations of the first aspect.
- a fourth aspect provides a forwarding device for performing the method of the second aspect or any of the possible implementations of the second aspect.
- the forwarding device may comprise means for performing the method of any of the possible implementations of the second aspect or the second aspect.
- a fifth aspect provides a controller including a memory and a processor, where the memory is configured to store instructions and the processor is configured to execute the instructions stored in the memory, and execution of the instructions causes the processor to perform the method of the first aspect or any of the possible implementations of the first aspect.
- a sixth aspect provides a forwarding device including a memory and a processor, where the memory is configured to store instructions and the processor is configured to execute the instructions stored in the memory, and execution of the instructions causes the processor to perform the method of the second aspect or any of the possible implementations of the second aspect.
- a seventh aspect provides a communication system based on a flow rule (Flow Spec), the communication system including a controller and a forwarding device, where the controller is, for example, the controller provided by the third aspect, and the forwarding device is, for example, the forwarding device provided by the fourth aspect.
- the VPN instance of the first CE device refers to a VPN instance that is established on the PE device and associated with the first CE device; the VPN instance associated with the first CE device is not limited to one established on the PE device.
- the export target attribute of the routing information of the second CE device does not match the import target attribute of the VPN instance of the first CE device.
- the routing information of the second CE device indicates IPv4 address information or IPv6 address information of the second CE device.
- the network layer reachability information field of the BGP Flow Spec protocol packet carries the feature information of the first resource, and the extended community attribute field carries the global identifier GID for indicating the second resource, so that the forwarding device can associate the first resource with the second resource and direct the data flow into the corresponding forwarding channel.
- the BGP FlowSpec protocol in this application can therefore meet a variety of service requirements through a unified packet format, which effectively prevents unrestricted extension of the extended community attribute in the BGP Flow Spec protocol; moreover, the second resource can be indicated by the concise GID, which saves signaling overhead.
- FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present invention.
- FIG. 2 is a schematic flowchart of a flow rule (Flow Spec) based communication method according to an embodiment of the present invention.
- FIG. 3 shows a schematic diagram of a format of an extended community attribute provided according to an embodiment of the present invention.
- FIG. 4 is another schematic flowchart of a flow rule (Flow Spec) based communication method according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram of a flow rule (Flow Spec) based communication method according to an embodiment of the present invention.
- FIG. 6 shows a schematic block diagram of a controller provided in accordance with an embodiment of the present invention.
- FIG. 7 shows a schematic block diagram of a forwarding device according to an embodiment of the present invention.
- FIG. 8 shows another schematic block diagram of a controller provided in accordance with an embodiment of the present invention.
- FIG. 9 shows another schematic block diagram of a forwarding device according to an embodiment of the present invention.
- FIG. 10 shows a schematic block diagram of a flow rule Flow Spec based communication system according to an embodiment of the present invention.
- MPLS (Multi-Protocol Label Switching): when a packet enters the network, it is assigned a short label of fixed length, and the label is encapsulated with the packet for forwarding. During the entire forwarding process, the switching nodes forward only according to the label.
- MPLS adds a connection-oriented control plane to a connectionless IP network, adding management and operations to the IP network.
- the control plane refers to the part of the system that is used to transmit commands and calculate entries. For example, protocol packet forwarding, protocol table entry calculation, and maintenance are all in the scope of the control plane. For example, in the routing system, the process responsible for managing routing protocol operations, routing learning, and routing entry maintenance belongs to the control plane.
- the forwarding plane refers to the part of the system that encapsulates and forwards data packets. For example, the reception, decapsulation, encapsulation, and forwarding of data packets belong to the category of forwarding planes. For example, after the system receives the IP packet, the process of decapsulating the IP packet, searching the routing table based on the IP packet, and forwarding the IP packet from the outbound interface belongs to the forwarding plane.
- the BGP flow specification (Flow Spec) (RFC 5575) is used to deliver a traffic policy to a BGP Flow Specification peer.
- the device that receives a BGP Flow Specification route from the advertising device is the advertising device's BGP Flow Specification peer. After receiving the BGP Flow Specification route, the BGP Flow Specification peer translates the preferred route corresponding to that BGP Flow Specification route into a flow control policy of the forwarding plane, and then performs flow control.
- the BGP Flow Specification route is a BGP route defined in RFC5575.
- the BGP Flow Specification route includes a BGP Flow Spec NLRI and an extended community attribute.
- the BGP Flow Specification route can carry the matching condition of the traffic and the action performed after the traffic is matched.
- RFC 5575 defines 12 common traffic matching rules, such as destination address, source address, IP protocol number, port number, destination port number, source port number, ICMP type, ICMP code, TCP flags, DSCP, and fragment type.
- these 12 traffic matching rules are encapsulated in the BGP Flow Specification route as the network layer reachability information (NLRI).
- RFC 5575 defines four common traffic handling behaviors: drop traffic, rate-limit traffic, modify the DSCP value of packets, and redirect to a VPN. These four traffic processing behaviors are encapsulated in the BGP Flow Spec route and carried as extended community attributes.
- VPN (virtual private network): a typical VPN is BGP/MPLS IP VPN, which is also called MPLS L3VPN.
- the basic model of MPLS L3VPN consists of CE, PE, and P devices.
- CE refers to the customer edge device; the CE has an interface directly connected to the service provider (SP) network.
- the CE can be a router or a switch, or it can be a host.
- the CE does not “perceive” the existence of the VPN and does not need to support MPLS.
- PE refers to the provider edge device, which is an edge device of the service provider network. It is directly connected to the CE and is responsible for VPN service access and handling of VPN-IPv4 routes.
- a PE device can connect to multiple CE devices.
- a CE device can also connect to multiple PE devices belonging to the same or different service providers.
- P refers to the backbone device in the service provider network and is not directly connected to the CE.
- a VPN instance is a dedicated entity that is established and maintained by a PE device.
- the CE device has its own VPN instance on its directly connected PE device.
- a VPN instance is also called a VPN routing and forwarding table (VRF).
- the content of the VRF includes an IP routing table, a label forwarding table, the interfaces that use the label forwarding table, and management information (a route filtering policy, a member interface list, etc.).
- Each VPN instance contains a routing and forwarding table to one or more CE devices directly connected to the PE.
- a PE device has multiple routing forwarding tables, including a public network routing forwarding table and one or more VPN routing forwarding tables (also referred to as private network routing forwarding tables).
- the public network routing table includes the IPv4 routes of all PEs and is generated by the routing protocol or static route of the backbone network.
- the public network forwarding table is the minimum forwarding information extracted from the public network routing table according to the routing management policy.
- the VPN routing table of a VPN instance includes the routes of all the CE devices belonging to the VPN instance, which are obtained through the exchange of VPN routing information between the CE device and the PE device or between two PE devices; for example, it includes the routes obtained from the CE devices corresponding to the VPN instance and may also include routes imported through MP-iBGP.
- the VPN forwarding table is the minimum forwarding information extracted from the corresponding VPN routing table according to the route management policy.
- Site refers to a group of IP systems with IP connectivity between each other, and the IP connectivity of this group of IP systems does not need to be implemented through the service provider network.
- sites are classified according to the network topology of the devices, not geographically. Although the geographical locations of the devices in a site are usually adjacent, if two geographically separated IP systems are connected by dedicated lines and can interoperate without passing through the service provider network, the two sets of IP systems form one site.
- a site is connected to the service provider (SP) network through a customer edge (CE) device.
- VPN is a combination of multiple sites.
- a site can belong to multiple VPNs.
- Each site is associated with a VPN instance on the PE device.
- a VPN instance combines the VPN membership and routing rules of its corresponding site. Multiple sites are combined into one VPN according to the routing rules of the VPN instances.
- a route distinguisher (RD) is a flag indicating which VPN instance an IP route belongs to. It is globally unique and 8 bytes long. It is used to distinguish IP address prefixes (for example, IPv4 prefixes or IPv6 prefixes) of different VPNs that use the same address space; a VPN thus achieves address space independence through the RD.
- the structure of the RD allows each service provider to allocate RDs independently.
- the interfaces that belong to the same VPN instance on different PEs are assigned the same RD for their corresponding VRFs. In other words, a globally unique RD is assigned to each VPN instance.
- adding the RD to an IPv4 address yields a VPN-IPv4 address. For example, after the PE device receives the IPv4 route of the directly connected CE device, the PE device adds the RD to translate the IPv4 address into a globally unique VPN-IPv4 address, and advertises it on the public network.
- the VPN-IPv6 structure is similar to VPN-IPv4 except that the IPv4 prefix is replaced with the IPv6 prefix.
- BGP/MPLS IP VPN uses the VPN Target attribute to control the advertisement of VPN routing information.
- the VPN target attribute is also called a route target (RT) attribute.
- BGP/MPLS IP VPN uses two types of RT attributes:
- the export target attribute: when the local PE advertises a VPN-IPv4 route to other PEs through the public network, the export target attribute is advertised as a BGP extended community attribute together with the BGP Flow Spec route.
- the import target attribute: when the local PE device receives a VPN-IPv4 route advertised by another PE through the public network, it checks the export target attribute of the VPN-IPv4 route. When the export target attribute of the VPN-IPv4 route matches the import target attribute of a VPN instance on the local PE device, the local PE device adds the VPN-IPv4 route to the VPN routing table of that VPN instance.
- each VPN instance can be associated with one or more RT attributes.
- before the local PE advertises the VPN-IPv4 routes learned from its directly connected CEs to other PEs, it sets the export target attribute for the routes and distributes it as an extended community attribute together with the Flow Spec route.
- the PE receiving the route checks the export target attribute. Only when the export target attribute of the VPN-IPv4 route matches the import target attribute of a VPN instance on that PE is the VPN-IPv4 route added to the corresponding VRF of the VPN instance. That is, the RT attribute defines which sites can receive a VPN-IPv4 route, and which routes a PE can receive.
- the RT attribute also applies to VPN route advertisement control between different VPN instances on the same PE. That is, the same import target and export target can be set between different VPN instances on the same PE so that the different VPN instances import each other's VPN routes.
- the advertisement of VPN routing information includes three parts: from the local CE device to the ingress PE device (the local CE device is directly connected to the ingress PE device), from the ingress PE device to the egress PE device, and from the egress PE device to the remote CE device (the remote CE device is directly connected to the egress PE device).
- the process is as follows: the ingress PE device learns the IPv4 routing information from the local CE device, adds the RD and VPN target attributes to the standard IPv4 routes to form VPN-IPv4 routes, and stores them in the VPN instance created for the CE device. It should be understood that the IPv4 routing information of the local CE device may be directly configured on the ingress PE device, or may be obtained by the ingress PE device in other ways.
- the ingress PE advertises the VPN-IPv4 route to the egress PE device through MP-BGP.
- the egress PE device compares the export target attribute of the VPN-IPv4 route with the import target attributes of the VPN instances that it maintains to determine whether to add the VPN-IPv4 route to the VPN routing table of a VPN instance maintained by the egress PE device.
- the IGP can be used to ensure connectivity between the ingress PE device and the egress PE device.
- if the export target attribute of the VPN-IPv4 route matches the import target attribute of a VPN instance maintained by the egress PE device, the egress PE device adds the VPN-IPv4 route to the VPN routing table of that VPN instance.
- the remote CE device learns the IPv4 route corresponding to the VPN-IPv4 route from the egress PE device.
- the remote CE can learn VPN routes from the egress PE device in various ways, for example, through static routing, RIP, OSPF, IS-IS, or BGP. This process can be the same as the exchange of VPN routing information between the local CE device and the ingress PE device. After the three-part routing interaction is complete, a reachable route exists between the local CE device and the remote CE device, ensuring that VPN private network routing information can be transmitted on the backbone network.
- the following takes the virtual private network (VPN) scenario as an example, in which the forwarding device is a PE device, but the embodiment of the present invention is not limited thereto.
- a person skilled in the art can clearly understand that, according to the teachings of the embodiments of the present invention, the method of the embodiment of the present invention can be applied to other scenarios related to guiding a data stream into a corresponding forwarding channel, and such applications all fall within the scope of the present invention.
- FIG. 1 shows a specific application scenario of the embodiment of the present invention.
- PE1, PE2, and PE3 are three PEs that deploy VPN services.
- the IP addresses of PE1, PE2, and PE3 are 1.1.1.1, 2.2.2.2, and 3.3.3.3, respectively.
- the IP address 2.2.2.2 can represent PE2.
- the controller (such as the software defined network (SDN) controller shown in FIG. 1) receives a VPN service request of the user equipment (such as the collaborator/network management/user APP shown in FIG. 1), and implements the VPN service requested by the user by signaling to the PE device based on the VPN service request.
- Figure 4 shows four sites, where Site1 is connected to PE1 through CE1, and the VPN instance vpn1 associated with CE1 is established on PE1.
- Site2 is connected to PE1 through CE2, and the VPN instance associated with CE2 is established on PE1.
- Site3 is connected to PE2 through CE3, and the VPN instance vpn1 associated with CE3 is established on PE2.
- Site4 is connected to PE3 through CE4, and the VPN instance vpn1 associated with CE4 is established on PE3.
- the attribute information of the VPN instance vpn1 associated with CE1 established on PE1 is as follows:
- Import Target (hereinafter referred to as IRT): 100:1
- VPN interface: interface1 (interface1 on PE1 as shown in Figure 1)
- VPN index: 101 (not shown in Figure 1)
- the attribute information of the VPN instance vpn2 associated with CE2 established on PE1 is as follows:
- VPN interface: interface2 (interface2 on PE1 as shown in Figure 1)
- VPN index: 102 (not shown in Figure 1)
- the attribute information of the VPN instance vpn1 associated with CE3 established on PE2 is as follows:
- VPN interface: interface1 (interface1 on PE2 as shown in Figure 1)
- VPN index: 201 (not shown in Figure 1)
- the attribute information of the VPN instance vpn1 associated with CE4 established on PE3 is as follows:
- VPN interface: interface1 (interface1 on PE3 as shown in Figure 1)
- VPN index: 301 (not shown in Figure 1)
- the VPN instance vpn1 is only meaningful on the PE device on which it is located.
- although a VPN instance named vpn1 is established on each of PE1, PE2, and PE3, this does not necessarily mean that they all belong to one VPN.
- whether VPN instances belong to the same VPN is determined by the matching relationship between the Import Target and the Export Target configured in each VPN instance.
- the Import Target and Export Target configured on the VPN instance vpn1 on PE1 match those configured on the VPN instance vpn1 on PE3, so they belong to one VPN and can provide VPN services.
- the Import Target and Export Target configured on the VPN instance vpn1 on PE1 do not match those configured on the VPN instance vpn1 on PE2, so the VPN service cannot be provided between them; therefore, they do not belong to one VPN.
- hereinafter, "the VPN instance of CE1" refers to the VPN instance associated with CE1 established on PE1; similar wording applies to CE2, CE3, and CE4.
- the IPv4 routing information of CE1, CE2, and CE3 can be imported by PE3 into the VRF of the VPN instance of CE4, and the IPv4 routing information of CE4 can likewise be imported into the VRFs of the VPN instances of CE1, CE2, and CE3 respectively. That is, CE1 and CE4 can access each other,
- CE2 and CE4 can access each other, and
- CE3 and CE4 can access each other.
- the VRF of the VPN instance of CE1 does not include the routing information of CE2 and CE3,
- the VRF of the VPN instance of CE2 does not include the routing information of CE1 and CE3, and
- the VRF of the VPN instance of CE3 does not include the routing information of CE1 and CE2. Therefore, based on the current VPN routing tables, CE1 and CE2, CE1 and CE3, and CE2 and CE3 cannot access each other. For example, when a user raises a VPN service request for mutual access between CE1 and CE2, the user's need cannot be satisfied based on the existing VPN deployment.
- in the prior art, the matching relationship between the import target and the export target of the VPN instances associated with CE1 and CE2 must be manually configured to implement mutual access between CE1 and CE2, and this manual configuration method is cumbersome and inefficient.
- the embodiment of the present invention provides a communication method based on a flow rule, which can flexibly and efficiently implement access between CE devices whose RT attributes do not match, and can effectively avoid unrestricted extension of the BGP Flow Spec protocol.
- the flow rule (Flow Spec) based communication method 100 is described below by taking the network deployment shown in FIG. 1 as an example. As shown in FIG. 2, the method 100 includes:
- the controller (such as the SDN controller shown in FIG. 1) receives a VPN service request from the user side (such as the coordinator/network management/user APP shown in FIG. 1), where the VPN service request is used to request that CE1 access CE2, that is, that a data packet originating from CE1 be forwarded into the forwarding channel to CE2.
- the controller obtains, according to the VPN service request, a requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the CE2, and the second resource is the VPN instance of the CE1.
- the controller sends a BGP Flow Spec protocol packet to PE1 according to the requirement, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field; the network layer reachability information field carries the feature information of the first resource, the extended community attribute field carries a global identifier GID for indicating the second resource, and the feature information of the first resource is information that indicates the routing information of CE2.
- the BGP Flow Spec protocol message is used to indicate that the routing information of CE2 is added to the VRF of the VPN instance of CE1.
- after receiving the BGP Flow Spec protocol packet sent by the controller, PE1 obtains the routing information of CE2 based on the feature information of the first resource, obtains the VPN instance of CE1 based on the GID, and adds the routing information of CE2 to the VRF of the VPN instance of CE1.
- the CE2 to be accessed by CE1 is directly connected to PE1. Therefore, PE1 can obtain the routing information of CE2 through direct communication with CE2, or the routing information of CE2 can be configured on PE1; this embodiment of the present invention does not limit this.
- PE1 receives from CE1 the data packet with which CE1 is to access CE2.
- the source IP address of the data packet is the IP address of the CE1 and the destination IP address is the IP address of the CE2.
- PE1 searches the VRF of the VPN instance of CE1 according to the destination IP address of the data packet, obtains the routing information of CE2, and then determines the egress of the data packet, that is, the interface Interface2 of the VPN instance of CE2.
- the data packet is forwarded from Interface2 and delivered to CE2, which implements CE1-to-CE2 access.
- if the VPN service request is that CE2 needs to access CE1, only CE1 and CE2 in the above steps S110 to S160 need to be swapped, and CE2 can access CE1.
- the controller sends a BGP Flow Spec protocol packet to the PE device, and the PE device adds the routing information of the second CE device, whose VPN RT attribute does not match that of the first CE device, to the routing table of the first CE device, so that the data packet from the first CE device enters the forwarding channel of the second CE device; that is, the first CE device accesses the second CE device although their VPN RT attributes do not match. Therefore, compared with the manual configuration in the prior art, the present application can flexibly and efficiently implement VPN communication between two CE devices whose VPN RT attributes do not match.
- in contrast to approaches that are limited to directing the data stream into the corresponding forwarding channel at the forwarding plane, the present application can also guide the data stream into the corresponding forwarding channel at the control plane, thereby enabling flexible service orchestration.
- the visited end CE2 is directly connected to the PE1, that is, the VPN instance of the CE2 is established and maintained on the PE1 device.
- the feature information of the first resource may be information related to the VPN instance of CE2 stored on PE1.
- the feature information of the first resource may be at least one of the following: a VPN instance name, an RD, an RT, a VPN index, a VPN interface, an IP address prefix, and a MAC address of CE2.
- when multiple pieces of information are carried, there may be a relationship among them.
- the GID for indicating the second resource carried in the extended community attribute may have a mapping relationship with the attribute information of the VPN instance of CE1.
- the method 100 further includes:
- the controller obtains the attribute information of the VPN instances maintained on PE1, PE2, and PE3, where the attribute information includes the VPN instance name, the VPN instance route distinguisher RD, the VPN instance route target RT, the VPN instance index value, and the VPN instance interface information.
- PE1, PE2, and PE3 respectively report the attribute information of the locally established VPN instance to the controller.
- Table 1 shows the attribute information of the VPN instance reported by the PE1, PE2, and PE3 to the controller.
- PE2 is used as an example.
- the VPN-Instance Name, RD, IRT, ERT, and Interface of the VPN instance of CE3 are configured on the PE2 through the command line.
- the VPN-Index is an index value that PE2 allocates to the VPN instance of CE3 after the VPN instance is configured on PE2.
- the above processing methods are also applicable to PE1 and PE3, and are not described here.
- the GID is allocated per PE device.
- Table 2 gives an example in which the controller assigns GIDs to the attribute information of the VPN instances on PE1.
- Table 3 gives an example in which the controller assigns GIDs to the attribute information of the VPN instances on PE2.
- Table 4 gives an example in which the controller assigns GIDs to the attribute information of the VPN instances on PE3.
- the GID assigned by the controller corresponds to each piece of attribute information of each VPN instance. It should be understood that Table 2, Table 3, and Table 4 are only examples and are not limiting. For example, for PE1, the controller may also uniformly allocate one GID for all attribute information of the VPN instance of CE1, for example 20, and uniformly allocate one GID for all attribute information of the VPN instance of CE2, for example 30.
- Table 2 can also be referred to as the VPN instance-GID mapping table of PE1.
- Table 3 can also be referred to as the VPN instance-GID mapping table of PE2.
- Table 4 can also be referred to as the VPN instance-GID mapping table of PE3.
- the controller sends to each of PE1, PE2, and PE3 the VPN instance-GID mapping table corresponding to that PE. For example, the controller sends only the VPN instance-GID mapping table corresponding to "PE1:1.1.1.1" to the PE1 device (as shown in Table 2), only the VPN instance-GID mapping table corresponding to "PE2:2.2.2.2" to the PE2 device (as shown in Table 3), and only the VPN instance-GID mapping table corresponding to "PE3:3.3.3.3" to the PE3 device (as shown in Table 4).
- after receiving the VPN instance-GID mapping table shown in Table 2, PE1 saves it locally. Therefore, for PE1 and the controller, the GID "1" maps to the attribute information "VPN-Instance Name: vpn1" of the VPN instance of CE1. It should be understood that on PE1, GID "1" (or any of GIDs "2" to "6") can uniquely indicate the VPN instance of CE1, and GID "7" (or any of GIDs "8" to "12") can uniquely indicate the VPN instance of CE2.
- the feature information of the first resource may also be a GID corresponding to a certain piece of attribute information of the VPN instance of CE2, for example, GID "6".
- the global identifiers allocated by the controller for the attribute information of the VPN instances on the PE device may also be referred to as mapping labels, and the GID carried in the GID field of the extended community attribute field of the BGP FlowSpec protocol packet is one or more identifiers among the mapping labels.
- the PE device can locate the VPN instance of the CE1 by using the GID. Therefore, in the embodiment of the present invention, the VPN instance of the CE1 can be indicated by carrying a simple GID in the extended community attribute field of the BGP FlowSpec protocol packet, which can save signaling overhead.
- the feature information of the first resource may be a VPN instance name, a VPN RD, a VPN RT, a VPN index, a VPN interface, an IP address prefix, or a MAC address of CE2, or a GID allocated by the controller for the VPN instance of CE2.
- the feature information of the first resource is encapsulated in the Flow Spec NLRI in TLV (Type/Length/Value) form, as shown in Table 5:
- the extended community attribute field in the BGP Flow Spec protocol packet includes a flag Flags field and a GID field, where the Flags field includes a forwarding plane bit and a control plane bit: when the forwarding plane bit is set to 0 and the control plane bit is set to 1, this indicates that the first resource and the second resource are associated on the control plane; when the forwarding plane bit is set to 1 and the control plane bit is set to 0, this indicates that the first resource and the second resource are associated on the forwarding plane. The GID field carries the second identifier.
- existing extensions are usually limited to the forwarding plane, directing the data stream into the corresponding forwarding channel there.
- in the present application, the data flow can be directed into the corresponding forwarding channel at the forwarding plane or at the control plane, so that flexible service orchestration can be implemented.
- the forwarding plane bit and the control plane bit in the Flags field may also be replaced by a single first bit: when the first bit is set to 1, it indicates that the first resource and the second resource are associated on the control plane, and when the first bit is set to 0, it indicates that they are associated on the forwarding plane.
- the Flags field of the extended community attribute field further includes an incremental bit: when the incremental bit is set to 1, it indicates that a resource association relationship is added on the forwarding device; when it is set to 0, it indicates that the association between the first resource and another resource is overwritten by the association between the first resource and the second resource.
- the extended community attribute format includes a Type field, a Sub-Type field, a Flags field, a Reserved field, and a GID field.
- the Type field and the Sub-Type field are formally assigned by the IETF standards organization; Reserved is a reserved field and is assigned the value "0".
- the Flags field occupies 1 byte; bit 7 is the control plane bit (C bit), and setting it to 1 indicates that the first resource and the second resource are associated on the control plane.
- bit 6 is the forwarding plane bit (F bit); it is set to 1 to associate the first resource with the second resource on the forwarding plane, and otherwise set to 0.
- bit 5 is the incremental bit (A bit); setting it to 1 means that an association relationship is added on top of the existing ones, and otherwise the original association relationship is overwritten by the new one.
- the GID field carries the second identifier, which is a GID corresponding to a certain piece of attribute information of the VPN instance of CE2.
- the BGP Flow Spec protocol packet sent by the controller to the PE1 is used to indicate that the routing information of the CE2 is added to the VRF of the VPN instance of the CE1, and the action belongs to the action located on the control plane. Therefore, as shown in FIG. 3, the C bit in the Flags field of the extended community attribute is assigned a value of "1", and the F bit is assigned a value of "0". The assignment of the A bit can be determined according to specific service requirements.
- the format of the extended community attribute is simple and clear, and the action to be performed is indicated to the PE device by using the C bit, the F bit, and the GID field. Moreover, through different combinations of A, C, and F bits, the extended community attribute can be instructed to perform different actions, thereby avoiding the unrestricted extension of the BGP Flow Spec protocol in the prior art.
- the extended community attribute including the second identifier in the embodiment of the present invention may be referred to as an extended community attribute named "Redirect to GID Action".
- the BGP Flow Spec protocol packet is sent to the PE device (that is, the forwarding device), and the PE device adds the routing information of the second CE device, whose VPN RT attribute does not match that of the first CE device, to the routing table of the first CE device, so that the data packet from the first CE device enters the forwarding channel of the second CE device; that is, the first CE device accesses the second CE device although their VPN RT attributes do not match. Therefore, compared with the manual configuration in the prior art, the present application can flexibly and efficiently implement VPN communication between two CE devices whose VPN RT attributes do not match.
- in contrast to approaches that are limited to directing the data stream into the corresponding forwarding channel at the forwarding plane, the present application can also guide the data stream into the corresponding forwarding channel at the control plane, thereby enabling flexible service orchestration.
- the embodiment of the present invention further provides a method 200 for associating a first resource with a second resource on the forwarding plane, again taking the scenario shown in FIG. 1 as an example.
- the method 200 includes:
- the controller (such as the SDN controller shown in FIG. 1) receives a VPN service request from the user side (the collaborator/network management/user APP shown in FIG. 1), and the VPN service request requests that CE1 access CE2, that is, that the data packet originating from CE1 be forwarded into the forwarding channel of CE2.
- the controller obtains, according to the VPN service request, a requirement that the first resource needs to be associated with the second resource, where the first resource is the data stream whose source IP address is the IP address of CE1 and whose destination IP address is the IP address of CE2, and the second resource is the VPN instance of CE2.
- the controller sends a BGP Flow Spec protocol packet to PE1 according to the requirement, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field; the network layer reachability information field carries the feature information of the first resource, the extended community attribute field carries a global identifier GID for indicating the second resource, and the feature information of the first resource indicates that the source IP address is the IP address of CE1 and the destination IP address is the IP address of CE2.
- the BGP Flow Spec protocol packet is used to indicate that a data packet whose source IP address and destination IP address match the feature information of the first resource is forwarded according to the VPN routing forwarding table of the VPN instance of CE2.
- PE1 parses the BGP Flow Spec protocol packet and learns that the data packet whose source IP address is the IP address of CE1 and whose destination IP address is the IP address of CE2 is to be bound to the VPN instance of CE2.
- the PE1 receives the data packet from the CE1.
- the source IP address of the data packet is the IP address of the CE1 and the destination IP address is the IP address of the CE2.
- PE1 searches the VRF of the VPN instance of CE2 according to the destination IP address of the data packet, determines the forwarding interface of the data packet, that is, the interface Interface2 of the VPN instance of CE2, and forwards the data packet from Interface2.
- the data packet is delivered to CE2, which implements CE1-to-CE2 access.
- the format of the extended community attribute is as shown in FIG. 3: the C bit in the Flags field is set to "0", the F bit is set to "1", and the GID field carries a GID of the attribute information of the VPN instance of CE2 (for example, the GID that the controller assigned to the attribute information of the VPN instance of CE2 in Table 2).
- if the VPN service request is that CE2 needs to access CE1, only CE1 and CE2 in the above steps S210 to S250 need to be swapped, and CE2 can access CE1.
- the controller sends a BGP Flow Spec protocol packet to the PE device indicating that a data packet whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device is forwarded according to the routing table of the second CE device, whose VPN RT attribute does not match that of the first CE device, so that the data packet originating from the first CE device can be forwarded into the forwarding channel of the second CE device; that is, the first CE device accesses the second CE device although their VPN RT attributes do not match. Therefore, compared with the manual configuration in the prior art, the present application can flexibly and efficiently implement VPN communication between two CE devices whose VPN RT attributes do not match.
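As an added example that is not part of the patent, the following Python encodes and parses the "Redirect to GID" extended community described above and models how PE1 applies the control-plane action of method 100 (routing information of CE2 added to the VRF of CE1's VPN instance) and the forwarding-plane action of method 200 (the CE1-to-CE2 data stream bound to CE2's VPN instance). The Type/Sub-Type codepoints, the 4-byte GID width, the CE addresses and the instance name vpn2 are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Assumptions: the Type/Sub-Type codepoints are IETF-assigned and not given in the
# patent, so placeholders are used; the GID is taken to be 4 bytes so that
# Type + Sub-Type + Flags + Reserved + GID fill the usual 8-byte extended community.
TYPE_PLACEHOLDER = 0x80
SUBTYPE_PLACEHOLDER = 0x00
C_BIT = 1 << 7  # bit 7: associate the resources on the control plane
F_BIT = 1 << 6  # bit 6: associate the resources on the forwarding plane
A_BIT = 1 << 5  # bit 5: incremental (add an association) instead of overwrite

def encode_redirect_to_gid(gid, control_plane, incremental=False):
    """Build the 8-byte community with exactly one of C/F set and A as requested."""
    flags = C_BIT if control_plane else F_BIT
    if incremental:
        flags |= A_BIT
    return struct.pack("!BBBBI", TYPE_PLACEHOLDER, SUBTYPE_PLACEHOLDER, flags, 0, gid)

def decode_redirect_to_gid(raw):
    """Parse the community and reject flag combinations the format does not define."""
    if len(raw) != 8:
        raise ValueError("extended community must be 8 bytes")
    typ, sub, flags, _reserved, gid = struct.unpack("!BBBBI", raw)
    if (typ, sub) != (TYPE_PLACEHOLDER, SUBTYPE_PLACEHOLDER):
        raise ValueError("not a Redirect to GID community")
    control, forwarding = bool(flags & C_BIT), bool(flags & F_BIT)
    if control == forwarding:
        raise ValueError("exactly one of the C and F bits must be set")
    return {"plane": "control" if control else "forwarding",
            "incremental": bool(flags & A_BIT), "gid": gid}

@dataclass
class VpnInstance:
    name: str
    vrf: dict = field(default_factory=dict)  # destination prefix -> egress interface

class PE:
    def __init__(self, gid_map, instances):
        self.gid_map = gid_map                        # GID -> VPN instance name (cf. Table 2)
        self.instances = {i.name: i for i in instances}
        self.installed = {}  # prefix -> VPN names the route was added to via Flow Spec
        self.bindings = {}   # (src, dst) -> VPN names whose VRF forwards the data stream

    def apply_flowspec(self, nlri, community):
        """nlri is the first resource: (prefix, interface) when C=1, (src, dst) when F=1."""
        action = decode_redirect_to_gid(community)
        vpn_name = self.gid_map[action["gid"]]        # the GID locates the second resource
        if action["plane"] == "control":
            prefix, iface = nlri
            if not action["incremental"]:             # A=0: overwrite earlier associations
                for old in self.installed.pop(prefix, set()):
                    self.instances[old].vrf.pop(prefix, None)
            self.instances[vpn_name].vrf[prefix] = iface
            self.installed.setdefault(prefix, set()).add(vpn_name)
        elif action["incremental"]:
            self.bindings.setdefault(nlri, []).append(vpn_name)
        else:
            self.bindings[nlri] = [vpn_name]
        return action["plane"]

    def forward(self, src, dst, ingress_vpn):
        """Egress interface for a packet: a forwarding-plane binding selects the VRF,
        otherwise the ingress VPN instance's VRF is used (longest prefix match)."""
        bound = self.bindings.get((src, dst))
        vrf = self.instances[bound[0] if bound else ingress_vpn].vrf
        best = None
        for prefix, iface in vrf.items():
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return best[1] if best else None  # None: no route, the packet cannot be delivered

# Constructed sample data for PE1 of FIG. 1: GID 1 -> CE1's instance vpn1 (as in the text),
# GID 7 -> CE2's instance, named vpn2 here by assumption; the addresses are invented.
CE1_IP, CE2_IP = "10.1.1.1", "10.2.2.2"

def build_pe1():
    return PE({1: "vpn1", 7: "vpn2"},
              [VpnInstance("vpn1", {"10.1.1.0/24": "Interface1"}),
               VpnInstance("vpn2", {"10.2.2.0/24": "Interface2"})])

def demo():
    """Method 100 (C=1, GID of CE1's instance) versus method 200 (F=1, GID of CE2's instance)."""
    pe = build_pe1()
    before = pe.forward(CE1_IP, CE2_IP, "vpn1")   # mismatched RTs: CE1's VRF has no route
    pe.apply_flowspec(("10.2.2.0/24", "Interface2"), encode_redirect_to_gid(1, True))
    via_control = pe.forward(CE1_IP, CE2_IP, "vpn1")
    pe = build_pe1()
    pe.apply_flowspec((CE1_IP, CE2_IP), encode_redirect_to_gid(7, False))
    via_forwarding = pe.forward(CE1_IP, CE2_IP, "vpn1")
    return before, via_control, via_forwarding    # (None, 'Interface2', 'Interface2')
```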
- the methods described above in connection with FIG. 2 and FIG. 4 take as an example a VPN service request of CE1 accessing CE2 or CE2 accessing CE1, that is, a case in which the accessing CE and the accessed CE are directly connected to the same PE device; however, the embodiment of the present invention is not limited thereto.
- the method provided by the embodiment of the present invention can also be applied to an application scenario in which the accessing CE and the accessed CE are directly connected to different PE devices.
- the network deployment shown in FIG. 1 is taken as an example, and the controller (such as the SDN controller shown in FIG. 1) receives a VPN service request from the user side (the collaborator/network management/user APP shown in FIG. 1).
- the VPN service request is used to request the access of CE1 to CE3, that is, the data packet originating from CE1 is forwarded to the forwarding channel of CE3.
- the controller obtains, according to the VPN service request, a requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the CE3, and the second resource is the VPN instance of the CE1.
- the controller sends a BGP Flow Spec protocol packet to the PE1 according to the requirement.
- the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field.
- the network layer reachability information field carries the feature information of the first resource
- the extended community attribute field carries a global identifier GID for indicating the second resource
- the feature information of the first resource represents the information that can indicate the routing information of the CE3.
- the BGP Flow Spec protocol packet is used to indicate that the routing information of CE3 is added to the VRF of the VPN instance of CE1.
- after receiving the BGP Flow Spec protocol packet sent by the controller, PE1 obtains the routing information of CE3 based on the feature information of the first resource, and obtains the VPN instance of CE1 based on the GID.
- the routing information of CE3 is added to the VRF of the VPN instance of CE1.
- PE1 receives from CE1 the data packet with which CE1 is to access CE2.
- the source IP address of the data packet is the IP address of CE1 and the destination IP address is the IP address of CE2.
- PE1 searches the VRF of the VPN instance of CE1, obtains the routing information of CE3, and directs the data packet into the forwarding channel of CE3 according to the forwarding entry of the routing information of CE3.
- PE1 can obtain routing information of CE3 through communication with PE2.
- based on the VPN-IPv4 concept, those skilled in the art will understand that after PE2 obtains the IPv4 (or IPv6) address of CE2, it adds the RD and ERT attributes of the VPN instance of CE3 (which, as shown in FIG. 1, is set up on PE2) to that IPv4 address to obtain the VPN-IPv4 route of CE3, and then advertises the VPN-IPv4 route to PE1 through the communication link between PE2 and PE1, so that PE1 obtains the routing information of CE3.
- CE3 access to CE1 is similar to the above description, and the positions of CE1 and CE3 are interchanged, and the positions of PE1 and PE2 are interchanged.
- the network deployment described in FIG. 1 is taken as an example, and the attribute information of the VPN instance of CE2 on PE1 is as follows:
- Interface: Interface2 on PE1, as shown in FIG. 1
- VPN-Index: 102 (not shown in FIG. 1)
- the RT attribute of the VPN instance of CE3 matches the RT attribute of the VPN instance of CE2.
- the VRF of the VPN instance of CE2 maintained by PE1 includes the routing information of CE3, that is, the VPN forwarding table of the VPN instance of CE2 includes the forwarding entry of the routing information of CE3.
- the controller (such as the SDN controller shown in FIG. 1) receives a VPN service request from the user side (such as the coordinator/network management/user APP shown in FIG. 1), and the VPN service request requests that CE1 access CE3, that is, that the data packet originating from CE1 be forwarded into the forwarding channel of CE3.
- the controller obtains, according to the VPN service request, a requirement that the first resource needs to be associated with the second resource, where the first resource is the data stream whose source IP address is the IP address of CE1 and whose destination IP address is the IP address of CE2, and the second resource is the VPN instance of CE3.
- the controller sends a BGP Flow Spec protocol packet to the PE1 according to the requirement.
- the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field, where the network layer reachability information field carries the feature information of the first resource, the extended community attribute field carries a global identifier GID for indicating the second resource, and the feature information of the first resource indicates that the source IP address is the IP address of CE1 and the destination IP address is the IP address of CE2.
- the BGP Flow Spec protocol packet is used to indicate that a data packet whose source IP address and destination IP address match the feature information of the first resource is forwarded according to the VPN routing forwarding table of the VPN instance of CE3.
- the PE1 parses the BGP Flow Spec protocol packet.
- PE1 receives the data packet from CE1.
- the source IP address of the data packet is the IP address of CE1 and the destination IP address is the IP address of CE2.
- PE1 searches the VPN forwarding table of the VPN instance of CE2, locates the forwarding entry of the routing information of CE3, and forwards the data packet according to that forwarding entry.
- the forwarded data packet reaches CE3, thus achieving CE1-to-CE3 access.
- the method provided by the embodiment of the present invention performs the action on the forwarding plane to implement access from the accessing CE to the accessed CE.
- the premise of this access is that the PE device directly connected to the accessing CE has a VPN instance whose VRF includes the routing information of the accessed CE.
- the flow rule based communication method provided by the embodiment of the present invention can flexibly and efficiently implement VPN communication between CE devices whose RT attributes do not match by modifying the VPN routing table in the control plane.
- the feature information of the first resource is carried in the network layer reachability information field of the BGP Flow Spec protocol packet, and the extended community attribute field carries the global identifier GID for indicating the second resource, thereby instructing the forwarding device to associate the first resource with the second resource so as to direct the data stream into the corresponding forwarding channel.
- the BGP FlowSpec protocol in this application can meet a variety of service requirements through a unified packet format, thereby effectively preventing unrestricted extension of the extended community attribute in the BGP Flow Spec protocol.
- by carrying a simple GID in the extended community attribute field, the second resource can be indicated and signaling overhead can be saved.
- the method further includes:
- the controller obtains a second VPN service request, which requests the configuration of attribute information for the VPN instance of CE5 (as shown in FIG. 5) newly added on the PE3 device and for the VPN instance of CE6 (as shown in FIG. 5) newly added on the PE3 device.
- the controller configures, according to the second VPN service request, the following attribute information for the VPN instance of CE5: the VPN instance name, the VPN instance RD, the VPN instance RT, the VPN instance index value, and the VPN instance interface information; and configures the following attribute information for the VPN instance of CE6: the VPN instance name, the VPN instance RD, the VPN instance RT, the VPN instance index value, and the VPN instance interface information.
- the VPN instance of the CE5 device does not conflict with the VPN instance of CE3 in the following attribute information: VPN instance name, VPN instance RD, and VPN instance index information.
- the VPN instance of the CE6 device does not conflict with the VPN instance of CE4 in the following attribute information: VPN instance name, VPN instance RD, and VPN instance index information.
- the user has two devices, CE5 and CE6.
- the two devices, CE5 and CE6, need to be connected to each other through the carrier's network.
- Step 1: The user sends a VPN service request to the controller, which requests that CE5 and CE6 communicate with each other through a VPN.
- the VPN service request includes CE device information such as the IP addresses and MAC addresses of CE5 and CE6.
- Step 2: The controller determines, according to the CE device information carried in the VPN service request, that CE5 is to be connected to PE2 and CE6 to PE3, and then deploys a VPN on PE2 and PE3 to connect CE5 and CE6.
- Step 3: The controller configures a VPN instance corresponding to CE5 on PE2 and assigns GIDs to the attribute information of the VPN instance of CE5, as shown in Table 6. As shown in Table 6, the controller assigns to the VPN instance of CE5 on PE2 a VPN-Instance Name, RD, IRT, ERT, and VPN-Index that do not conflict with the existing VPN instance of CE3, and also assigns a GID value to each piece of attribute information of the VPN instance of CE5.
- Step 4: The controller sends the newly assigned attribute information of the VPN instance of CE5 to PE2.
- Step 5: The controller sends the GID resource table (as shown in Table 6) obtained after adding the attribute information of the VPN instance of CE5 to PE2, so as to synchronize the GID resource table information between the controller and the controlled device.
- the controller obtains the attribute information of the VPN instances already existing on the PE device, so as to avoid conflicts between the attribute information of different VPN instances when configuring the attribute information of a VPN instance newly added on the PE device.
- compared with the prior art, which avoids conflicts by planning, the present application can effectively avoid conflicts with high operational efficiency.
- FIG. 6 shows a schematic block diagram of a controller 300 according to an embodiment of the present invention. As shown in FIG. 6, the controller 300 includes:
- the obtaining module 310 is configured to acquire a requirement that the first resource on the forwarding device needs to be associated with the second resource on the forwarding device;
- the sending module 320 is configured to send, according to the requirement acquired by the obtaining module, a border gateway protocol flow rule BGP Flow Spec protocol packet, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries the feature information of the first resource, the extended community attribute field carries a global identifier GID for indicating the second resource, and the BGP Flow Spec protocol message is used to indicate the association of the first resource and the second resource.
- the feature information of the first resource is carried in the network layer reachability information field of the BGP Flow Spec protocol packet, and the extended community attribute field carries the global identifier GID for indicating the second resource.
- the forwarding device can be instructed to associate the first resource with the second resource to direct the data stream into the corresponding forwarding channel.
- the BGP FlowSpec protocol in this application can meet a variety of service requirements through a unified packet format, thereby effectively preventing the extended community attribute in the BGP Flow Spec protocol from being unrestricted.
- by carrying a simple GID in the extended community attribute field of the BGP FlowSpec protocol packet, the second resource can be indicated and signaling overhead can be saved.
- the extended community attribute field includes a GID field and a flag Flags field, where the GID field carries the GID, and the Flags field carries information indicating whether the forwarding device associates the first resource with the second resource on the control plane or on the forwarding plane.
- the Flags field includes a forwarding plane bit and a control plane bit: when the forwarding plane bit is set to 0 and the control plane bit is set to 1, this indicates that the first resource and the second resource are associated on the control plane; when the forwarding plane bit is set to 1 and the control plane bit is set to 0, this indicates that the first resource and the second resource are associated on the forwarding plane.
- the forwarding device is a service provider edge PE device, the forwarding device has a virtual private network VPN instance of the first user edge CE device, the forwarding device includes the routing information of the second CE device, and the routing information of the second CE device is not in the VPN routing table of the VPN instance of the first CE device; the obtaining module 310 is configured to obtain a VPN service request, which requests that the first CE device access the second CE device, and to obtain, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the second CE device and the second resource is the VPN instance of the first CE device.
- the sending module 320 is configured to send the BGP Flow Spec protocol packet to the forwarding device according to the requirement, where the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource is associated with the second resource on the control plane, and the BGP Flow Spec protocol packet is used to indicate that the routing information of the second CE device is added to the VPN routing table of the VPN instance of the first CE device.
- the obtaining module 310 is further configured to obtain, from the forwarding device, the attribute information of the VPN instance of the first CE device, where the attribute information includes a VPN instance name, a VPN instance route distinguisher RD, a VPN instance route target RT, a VPN instance index value, and VPN instance interface information;
- the controller 300 also includes:
- the identifier allocation module 330 is configured to allocate a mapping identifier to the attribute information of the VPN instance of the first CE device, where the mapping identifier uniquely indicates, in the forwarding device, the attribute information of the VPN instance of the first CE device;
- the sending module 320 is further configured to send a mapping table to the forwarding device, where the mapping table includes a mapping relationship between the attribute information of the VPN instance of the first CE device and the mapping identifier, and the GID carried in the GID field is one or more identifiers among the mapping identifiers.
- the obtaining module 310 is further configured to obtain a VPN service request for requesting configuration of attribute information of a VPN instance of a third CE device to be newly established on the forwarding device;
- the controller 300 also includes:
- the VPN instance configuration module 340 is configured to configure the following attribute information for the VPN instance of the third CE device: a VPN instance name, a VPN instance RD, a VPN instance RT, and VPN instance interface information, where the following attribute information of the VPN instance of the third CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device: the VPN instance name, the VPN instance RD, and the VPN instance interface information.
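The controller-side bookkeeping of the two preceding passages (allocating a mapping identifier per VPN instance attribute set, and refusing a new VPN instance whose name, RD or interface information collides with an existing one), as an added worked example in Python. This is not the patent's code: the page names the attributes and the non-conflict requirement but specifies neither a storage format nor an allocation policy, so the sequential identifier allocation, the tuple-based attribute record and the `MappingTable` class are assumptions made here.

```python
"""Controller-side mapping table for VPN instance attribute information (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VpnInstanceAttrs:
    """The attribute information the page lists for a VPN instance on the forwarding device."""
    name: str
    rd: str                       # route distinguisher, e.g. "65000:100" (constructed format)
    rt: Tuple[str, ...]           # route targets; the page does not require these to be unique
    index: int                    # VPN instance index value on the forwarding device
    interfaces: Tuple[str, ...]   # VPN instance interface information


class MappingTable:
    """Allocates one mapping identifier per attribute set and keeps the reverse map.
    Identifiers are handed out sequentially from 1 (an assumption of this example)."""

    def __init__(self) -> None:
        self._next_id = 1
        self._by_id: Dict[int, VpnInstanceAttrs] = {}
        self._by_attrs: Dict[VpnInstanceAttrs, int] = {}

    def allocate(self, attrs: VpnInstanceAttrs) -> int:
        """Return the identifier for `attrs`, allocating a new one only for unseen attribute sets."""
        if attrs in self._by_attrs:
            return self._by_attrs[attrs]
        mapping_id = self._next_id
        self._next_id += 1
        self._by_id[mapping_id] = attrs
        self._by_attrs[attrs] = mapping_id
        return mapping_id

    def resolve(self, gid: int) -> Optional[VpnInstanceAttrs]:
        """Forwarding-device view: the GID in the GID field is one of the mapping identifiers."""
        return self._by_id.get(gid)

    def conflicts(self, new: VpnInstanceAttrs) -> List[Tuple[str, str]]:
        """List (attribute, colliding value) pairs for name, RD and interfaces only;
        RT is deliberately not checked because the page does not require it to differ."""
        problems: List[Tuple[str, str]] = []
        for existing in self._by_id.values():
            if new.name == existing.name:
                problems.append(("name", existing.name))
            if new.rd == existing.rd:
                problems.append(("rd", existing.rd))
            for ifname in sorted(set(new.interfaces) & set(existing.interfaces)):
                problems.append(("interface", ifname))
        return problems

    def configure_new_instance(self, new: VpnInstanceAttrs) -> int:
        """Configure a newly established VPN instance: reject conflicts, else allocate its identifier."""
        problems = self.conflicts(new)
        if problems:
            raise ValueError(f"VPN instance attribute conflict: {problems}")
        return self.allocate(new)
```

Rejecting a duplicate RD or a shared interface before the instance is pushed to the forwarding device matters because a later GID lookup on the device would otherwise resolve to an ambiguous VPN instance.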
- the forwarding device is configured with the VPN instance of the second CE device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device;
- the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: a VPN instance name, a VPN instance RD, a VPN instance index value, VPN instance interface information, and a VPN instance GID.
- the VPN instance of the second CE device is not configured on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device;
- the feature information of the first resource is at least one of the following information: the RD information corresponding to the routing information of the second CE device, the export target information, or the route prefix information.
- the forwarding device is a service provider edge (PE) device on which the virtual private network (VPN) instance of the first customer edge (CE) device and a VPN instance of a third CE device are established, the forwarding device further holds the routing information of the second CE device, the VPN routing table of the VPN instance of the first CE device does not include the routing information of the second CE device, and the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device;
- the obtaining module 310 is configured to obtain a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, and to obtain, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is a source IP address that is the IP address of the first CE device and a destination IP address that is the IP address of the second CE device, and the second resource is the VPN instance of the third CE device;
- the sending module 320 is configured to send the BGP Flow Spec protocol packet to the forwarding device according to the requirement, where the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the forwarding plane, and the BGP Flow Spec protocol packet is used to indicate that a data packet whose source IP address and destination IP address match the first resource is forwarded according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- the second CE device is the third CE device.
- the controller 300 may correspond to the controller in the Flow Spec-based communication method of the embodiments of the present invention, and the foregoing and other operations and/or functions of the respective modules in the controller 300 implement the corresponding processes of the methods in FIG. 1 to FIG. 5, which are not described herein again for brevity.
- FIG. 7 shows a schematic block diagram of a forwarding device 400 according to an embodiment of the present invention. As shown in FIG. 7, the forwarding device 400 includes:
- the receiving module 410 is configured to receive a Border Gateway Protocol flow rule (BGP Flow Spec) protocol packet sent by the controller, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries feature information of a first resource for indicating the first resource on the forwarding device, the extended community attribute field carries a global identifier (GID) for indicating a second resource on the forwarding device, and the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated;
- the obtaining module 420 is configured to obtain the first resource according to the feature information of the first resource received by the receiving module, and to obtain the second resource according to the GID;
- the association module 430 is configured to associate the first resource with the second resource according to the BGP Flow Spec protocol packet received by the receiving module.
- since the feature information of the first resource is carried in the network layer reachability information field of the BGP Flow Spec protocol packet and the extended community attribute field carries the global identifier GID for indicating the second resource, the forwarding device can be instructed to associate the first resource with the second resource so as to direct the data stream into the corresponding forwarding channel; the BGP Flow Spec protocol in this application can thus meet a variety of service requirements through a unified packet format, which effectively prevents unrestricted extension of the extended community attribute in the BGP Flow Spec protocol, and since a simple GID carried in the extended community attribute field suffices to indicate the second resource, signaling overhead can be saved.
- the extended community attribute field includes a GID field and a flag (Flags) field, where the GID field carries the GID and the Flags field carries information used to indicate that the first resource and the second resource are associated on the control plane or on the forwarding plane of the forwarding device.
- the Flags field includes a forwarding plane bit and a control plane bit; when the forwarding plane bit is set to 0 and the control plane bit is set to 1, the Flags field indicates that the first resource and the second resource are associated on the control plane, and when the forwarding plane bit is set to 1 and the control plane bit is set to 0, it indicates that the first resource and the second resource are associated on the forwarding plane.
- the forwarding device 400 is a service provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established, the forwarding device holds the routing information of a second CE device, and that routing information is not in the VPN routing table of the VPN instance of the first CE device; the receiving module 410 is configured to receive the BGP Flow Spec protocol packet sent by the controller according to a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, the first resource is the routing information of the second CE device, the second resource is the VPN instance of the first CE device, the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the control plane, and the BGP Flow Spec protocol packet is used to indicate that the routing information of the second CE device is added to the VPN routing table of the VPN instance of the first CE device;
- the association module 430 is configured to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
- the forwarding device 400 further includes:
- the sending module 440 is configured to send the attribute information of the VPN instance of the first CE device to the controller, where the attribute information includes: a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value, and VPN instance interface information;
- the receiving module 410 is further configured to receive a mapping table sent by the controller, where the mapping table includes a mapping relationship between the attribute information of the VPN instance of the first CE device and the mapping identifier allocated by the controller to that attribute information, the mapping identifier uniquely indicates, in the forwarding device, the attribute information of the VPN instance of the first CE device, and the GID carried in the GID field is one or more identifiers among the mapping identifiers.
- the forwarding device 400 is configured with the VPN instance of the second CE device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device.
- the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: a VPN instance name, a VPN instance RD, a VPN instance index value, VPN instance interface information, and a VPN instance GID;
- the obtaining module 420 is configured to obtain routing information of the second CE device from the VPN routing table of the VPN instance of the second CE device according to the feature information of the first resource.
- the VPN instance of the second CE device is not established on the forwarding device 400, and the VPN public network routing table of the forwarding device 400 includes routing information of the second CE device.
- the feature information of the first resource is at least one of the following information: the RD information corresponding to the routing information of the second CE device, the export target information, or the route prefix information;
- the obtaining module 420 is configured to obtain routing information of the second CE device from the VPN public network routing table according to the feature information of the first resource.
- the forwarding device 400 is a service provider edge (PE) device on which the virtual private network (VPN) instance of the first customer edge (CE) device and a VPN instance of a third CE device are established, the forwarding device further holds the routing information of the second CE device, the VPN routing table of the VPN instance of the first CE device does not include the routing information of the second CE device, and the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device; the receiving module 410 is configured to receive the BGP Flow Spec protocol packet sent by the controller according to a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, the first resource is a source IP address that is the IP address of the first CE device and a destination IP address that is the IP address of the second CE device, the second resource is the VPN instance of the third CE device, and the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the forwarding plane;
- the association module 430 includes:
- a receiving unit configured to receive a data packet, where the source IP address of the data packet is an IP address of the first CE device, and the destination IP address is an IP address of the second CE device;
- the forwarding unit is configured to forward the data packet according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- the second CE device is the third CE device.
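The two association types handled by the forwarding device 400 above (control plane: import the second CE device's routing information into the first CE device's VPN routing table; forwarding plane: forward packets matching the first CE to second CE source/destination pair through the third CE device's VPN instance), as an added worked example in Python. This is not the patent's code. The routing tables are plain dicts keyed by prefix, the GID is used directly as the key of the VPN instance, the feature information of the first resource is taken to be a route prefix (one of the options the page lists), and all addresses and instance names are constructed sample values; the page specifies none of these.

```python
"""Forwarding-device model for control-plane and forwarding-plane association (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Prefix = str   # e.g. "10.2.0.0/24"
NextHop = str  # opaque label for the outgoing interface/tunnel


@dataclass
class VpnInstance:
    name: str
    routes: Dict[Prefix, NextHop] = field(default_factory=dict)  # the VPN routing table

    def lookup(self, dst: str) -> Optional[NextHop]:
        """Longest-prefix match in this VPN routing table."""
        addr = ip_address(dst)
        best: Optional[Tuple[int, NextHop]] = None
        for prefix, nh in self.routes.items():
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else None


@dataclass
class ForwardingDevice:
    vrfs: Dict[int, VpnInstance]                      # GID (mapping identifier) -> VPN instance
    public_routes: Dict[Prefix, NextHop] = field(default_factory=dict)  # VPN public network routing table
    flow_rules: List[Tuple[str, str, int]] = field(default_factory=list)  # (src, dst, GID)

    def associate_control_plane(self, route_prefix: Prefix, gid: int) -> bool:
        """Control plane bit set: copy the second CE's route (first resource, identified by its
        prefix in the public table) into the VPN routing table named by the GID (second resource)."""
        nh = self.public_routes.get(route_prefix)
        if nh is None or gid not in self.vrfs:
            return False  # unknown prefix or unknown GID: nothing is changed
        self.vrfs[gid].routes[route_prefix] = nh
        return True

    def associate_forwarding_plane(self, src: str, dst: str, gid: int) -> bool:
        """Forwarding plane bit set: packets matching (src, dst) (first resource) are forwarded
        using the VPN routing table of the instance named by the GID (second resource)."""
        if gid not in self.vrfs:
            return False
        self.flow_rules.append((src, dst, gid))
        return True

    def forward(self, src: str, dst: str, ingress_gid: int) -> Optional[NextHop]:
        """Forward one packet that arrived on VPN instance `ingress_gid`: a matching flow rule
        selects another instance's table; otherwise the ingress instance's table is used."""
        for rule_src, rule_dst, gid in self.flow_rules:
            if rule_src == src and rule_dst == dst:
                return self.vrfs[gid].lookup(dst)
        return self.vrfs[ingress_gid].lookup(dst)


def build_sample_device() -> ForwardingDevice:
    """Constructed topology: CE1 behind GID 1, CE3 behind GID 3; CE2's prefix is known only in
    the public table and in CE3's VPN instance (sample addresses, not from the page)."""
    ce1 = VpnInstance("vpn-ce1", {"10.1.0.0/24": "ce1-link"})
    ce3 = VpnInstance("vpn-ce3", {"10.3.0.0/24": "ce3-link", "10.2.0.0/24": "pe2-tunnel"})
    return ForwardingDevice(vrfs={1: ce1, 3: ce3}, public_routes={"10.2.0.0/24": "pe2-tunnel"})
```

The two paths differ in blast radius, which is why the Flags bit matters: the control-plane association makes the second CE reachable for every host in the first CE's VPN instance, whereas the forwarding-plane association affects only the single source/destination pair carried in the network layer reachability information field.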
- the forwarding device 400 may correspond to the forwarding device in the Flow Spec-based communication method according to the embodiments of the present invention, and the foregoing and other operations and/or functions of the respective modules in the forwarding device 400 implement the corresponding processes of the methods in FIG. 1 to FIG. 5, which are not described herein again for brevity.
- an embodiment of the present invention further provides a controller 500, which includes a processor 510, a memory 520, a bus system 530, a receiver 540, and a transmitter 550.
- the processor 510, the memory 520, the receiver 540 and the transmitter 550 are connected by the bus system 530; the memory 520 is configured to store instructions, and the processor 510 is configured to execute the instructions stored in the memory 520 to control the receiver 540 to receive a signal and to control the transmitter 550 to send a signal.
- the processor 510 is configured to obtain a requirement that a first resource on the forwarding device needs to be associated with a second resource on the forwarding device, and to send, through the transmitter 550, a Border Gateway Protocol flow rule (BGP Flow Spec) protocol packet to the forwarding device according to the requirement, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries feature information of the first resource, the extended community attribute field carries a global identifier (GID) used to indicate the second resource, and the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated.
- since the feature information of the first resource is carried in the network layer reachability information field of the BGP Flow Spec protocol packet and the extended community attribute field carries the global identifier GID for indicating the second resource, the forwarding device can be instructed to associate the first resource with the second resource so as to direct the data stream into the corresponding forwarding channel; the BGP Flow Spec protocol in this application can thus meet a variety of service requirements through a unified packet format, which effectively prevents unrestricted extension of the extended community attribute in the BGP Flow Spec protocol, and since a simple GID carried in the extended community attribute field suffices to indicate the second resource, signaling overhead can be saved.
- the extended community attribute field includes a GID field and a flag (Flags) field, where the GID field carries the GID and the Flags field carries information used to indicate that the first resource and the second resource are associated on the control plane or on the forwarding plane of the forwarding device.
- the Flags field includes a forwarding plane bit and a control plane bit; when the forwarding plane bit is set to 0 and the control plane bit is set to 1, the Flags field indicates that the first resource and the second resource are associated on the control plane, and when the forwarding plane bit is set to 1 and the control plane bit is set to 0, it indicates that the first resource and the second resource are associated on the forwarding plane.
- the forwarding device is a service provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established, the forwarding device holds the routing information of a second CE device, and that routing information is not in the VPN routing table of the VPN instance of the first CE device; the processor 510 is configured to obtain a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, and to obtain, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the second CE device and the second resource is the VPN instance of the first CE device; the transmitter 550 is configured to send the BGP Flow Spec protocol packet to the forwarding device according to the requirement, where the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the control plane, and the BGP Flow Spec protocol packet is used to indicate that the routing information of the second CE device is added to the VPN routing table of the VPN instance of the first CE device.
- the processor 510 is further configured to obtain the attribute information of the VPN instance of the first CE device from the forwarding device, where the attribute information includes: a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value, and VPN instance interface information, and to allocate a mapping identifier to the attribute information of the VPN instance of the first CE device, where the mapping identifier uniquely indicates, in the forwarding device, the attribute information of the VPN instance of the first CE device; the transmitter 550 is further configured to send a mapping table to the forwarding device, where the mapping table includes a mapping relationship between the attribute information of the VPN instance of the first CE device and the mapping identifier, and the GID carried in the GID field is one or more identifiers among the mapping identifiers.
- the processor 510 is further configured to obtain a VPN service request for requesting configuration of attribute information of a VPN instance of a third CE device to be newly established on the forwarding device, and to configure the following attribute information for the VPN instance of the third CE device: a VPN instance name, a VPN instance RD, a VPN instance RT, and VPN instance interface information, where the following attribute information of the VPN instance of the third CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device: the VPN instance name, the VPN instance RD, and the VPN instance interface information.
- the forwarding device is configured with the VPN instance of the second CE device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device;
- the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: a VPN instance name, a VPN instance RD, a VPN instance index value, VPN instance interface information, and a VPN instance GID.
- the VPN instance of the second CE device is not configured on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device;
- the feature information of the first resource is at least one of the following information: the RD information corresponding to the routing information of the second CE device, the export target information, or the route prefix information.
- the forwarding device is a service provider edge (PE) device on which the virtual private network (VPN) instance of the first customer edge (CE) device and a VPN instance of a third CE device are established, the forwarding device further holds the routing information of the second CE device, the VPN routing table of the VPN instance of the first CE device does not include the routing information of the second CE device, and the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device;
- the processor 510 is configured to obtain a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, and to obtain, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is a source IP address that is the IP address of the first CE device and a destination IP address that is the IP address of the second CE device, and the second resource is the VPN instance of the third CE device; the transmitter 550 is configured to send the BGP Flow Spec protocol packet to the forwarding device according to the requirement, where the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the forwarding plane, and the BGP Flow Spec protocol packet is used to indicate that a data packet whose source IP address and destination IP address match the first resource is forwarded according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- the second CE device is the third CE device.
- the processor 510 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like; the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
- the memory 520 can include read only memory and random access memory and provides instructions and data to the processor 510. A portion of the memory 520 may also include a non-volatile random access memory. For example, the memory 520 can also store information of the device type.
- the bus system 530 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 530 in the figure.
- each step of the above method may be completed by an integrated logic circuit of hardware in the processor 510 or an instruction in a form of software.
- the steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in the memory 520, and the processor 510 reads the information in the memory 520 and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
- the controller 500 may correspond to the controller in the Flow Spec-based communication method according to the embodiments of the present invention and to the controller 300 according to the embodiments of the present invention, and the foregoing and other operations and/or functions of the respective modules in the controller 500 implement the corresponding processes of the methods in FIG. 1 to FIG. 5, which are not described herein again for brevity.
- an embodiment of the present invention further provides a forwarding device 600.
- the forwarding device 600 includes a processor 610, a memory 620, a bus system 630, a receiver 640, and a transmitter 650.
- the processor 610, the memory 620, the receiver 640, and the transmitter 650 are connected by a bus system 630.
- the memory 620 is configured to store instructions, and the processor 610 is configured to execute the instructions stored in the memory 620 to control the receiver 640 to receive a signal and to control the transmitter 650 to send a signal.
- the receiver 640 is configured to receive a BGP Flow Spec protocol packet sent by the controller, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries feature information of a first resource for indicating the first resource on the forwarding device, the extended community attribute field carries a global identifier (GID) for indicating a second resource on the forwarding device, and the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated;
- the processor 610 is configured to obtain the first resource according to the feature information of the first resource, to obtain the second resource according to the GID, and to associate the first resource with the second resource on the forwarding device.
- since the feature information of the first resource is carried in the network layer reachability information field of the BGP Flow Spec protocol packet and the extended community attribute field carries the global identifier GID for indicating the second resource, the forwarding device can be instructed to associate the first resource with the second resource so as to direct the data stream into the corresponding forwarding channel; the BGP Flow Spec protocol in this application can thus meet a variety of service requirements through a unified packet format, which effectively prevents unrestricted extension of the extended community attribute in the BGP Flow Spec protocol, and since a simple GID carried in the extended community attribute field of the BGP Flow Spec protocol packet suffices to indicate the second resource, signaling overhead can be saved.
- the extended community attribute field includes a GID field and a flag (Flags) field, where the GID field carries the GID and the Flags field carries information used to indicate that the first resource and the second resource are associated on the control plane or on the forwarding plane of the forwarding device.
- the Flags field includes a forwarding plane bit and a control plane bit; when the forwarding plane bit is set to 0 and the control plane bit is set to 1, the Flags field indicates that the first resource and the second resource are associated on the control plane, and when the forwarding plane bit is set to 1 and the control plane bit is set to 0, it indicates that the first resource and the second resource are associated on the forwarding plane.
- the forwarding device 600 is a service provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established, the forwarding device holds the routing information of a second CE device, and that routing information is not in the VPN routing table of the VPN instance of the first CE device; the receiver 640 is configured to receive the BGP Flow Spec protocol packet sent by the controller according to a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, the first resource is the routing information of the second CE device, the second resource is the VPN instance of the first CE device, the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the control plane, and the BGP Flow Spec protocol packet is used to indicate that the routing information of the second CE device is added to the VPN routing table of the VPN instance of the first CE device;
- the processor 610 is configured to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
- the transmitter 650 is configured to send the attribute information of the VPN instance of the first CE device to the controller, where the attribute information includes a VPN instance name and a VPN instance route distinguisher (RD);
- the receiver 640 is further configured to receive a mapping table sent by the controller, where the mapping table includes the attribute information of the VPN instance of the first CE device, and the GID carried in the GID field is one or more identifiers among the mapping identifiers.
- the forwarding device 600 has a VPN instance of the second CE device, and the VPN routing table of the VPN instance of the second CE device includes routing information of the second CE device.
- the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: a VPN instance name, a VPN instance RD, a VPN instance index value, VPN instance interface information, and a VPN instance GID;
- the processor 610 is configured to obtain routing information of the second CE device from a VPN routing table of the VPN instance of the second CE device according to the feature information of the first resource.
- the VPN instance of the second CE device is not established on the forwarding device 600, and the VPN public network routing table of the forwarding device includes routing information of the second CE device.
- the feature information of the first resource is at least one of the following information: the RD information corresponding to the routing information of the second CE device, the export target information, or the route prefix information;
- the processor 610 is configured to obtain routing information of the second CE device from the VPN public network routing table according to the feature information of the first resource.
- the forwarding device 600 is a service provider edge (PE) device on which the virtual private network (VPN) instance of the first customer edge (CE) device and a VPN instance of a third CE device are established, the forwarding device further holds the routing information of the second CE device, the VPN routing table of the VPN instance of the first CE device does not include the routing information of the second CE device, and the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device;
- the receiver 640 is configured to receive the BGP Flow Spec protocol packet sent by the controller according to a VPN service request, where the VPN service request is used to request that the first CE device access the second CE device, the first resource is a source IP address that is the IP address of the first CE device and a destination IP address that is the IP address of the second CE device, the second resource is the VPN instance of the third CE device, the Flags field in the BGP Flow Spec protocol packet is used to indicate that the first resource and the second resource are associated on the forwarding plane, and the BGP Flow Spec protocol packet is used to indicate that a data packet whose source IP address and destination IP address match the first resource is forwarded according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device;
- the receiver 640 is configured to receive a data packet, where the source IP address of the data packet is an IP address of the first CE device, and the destination IP address is an IP address of the second CE device.
- the processor 610 is configured to forward the data packet according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- the second CE device is the third CE device.
- the processor 610 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like;
- the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like;
- the memory 620 may include read-only memory and random access memory and provides instructions and data to the processor 610; a portion of the memory 620 may also include non-volatile random access memory; for example, the memory 620 may also store information on the device type;
- the bus system 630 may include, in addition to the data bus, a power bus, a control bus, a status signal bus, and the like; for clarity of description, the various buses are all labeled as bus system 630 in the figure;
- each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 610 or by an instruction in the form of software;
- the steps of the method disclosed in the embodiments of the present invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor;
- the software module may be located in a conventional storage medium such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers, and the like;
- the storage medium is located in the memory 620; the processor 610 reads the information in the memory 620 and completes the steps of the above method in combination with its hardware; to avoid repetition, this is not described in detail here;
- the forwarding device 600 may correspond to the forwarding device in the Flow Spec-based communication method according to an embodiment of the present invention and to the forwarding device 400 according to an embodiment of the present invention; the above and other operations and/or functions of the respective modules in the forwarding device 600 implement the respective processes of the methods in FIG. 1 to FIG. 5 and are not described here again for brevity.
- an embodiment of the present invention further provides a Flow Spec-based communication system 700, which includes a controller 710 and a forwarding device 720; the controller 710 corresponds to the controller of the embodiment of the present invention, and the forwarding device 720 corresponds to the forwarding device 400 of the embodiment of the present invention;
- the feature information of the first resource is carried in the network layer reachability information field of the BGP Flow Spec protocol packet, and the extended community attribute field carries the global identifier GID indicating the second resource, so the forwarding device can be instructed to associate the first resource with the second resource in order to direct the data flow into the corresponding forwarding channel;
- the BGP Flow Spec protocol in this application can meet a variety of service requirements through a unified packet format, thereby effectively preventing unrestricted extension of the extended community attribute in the BGP Flow Spec protocol;
- by carrying a concise GID in the extended community attribute field, the second resource can be indicated and signaling overhead can be saved;
- the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
- the disclosed systems, devices, and methods may be implemented in other manners;
- the device embodiments described above are merely illustrative;
- the division into units is only a division by logical function;
- there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed;
- the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or of another form;
- the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment;
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit;
- the functions, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer-readable storage medium;
- the technical solution of the present invention, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the communication method of the various embodiments of the present invention;
- the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
Abstract
Embodiments of the present invention provide a flow-specification-based communication method, device and system. The method includes: a controller obtains a requirement that a first resource on a forwarding device needs to be associated with a second resource on the forwarding device; according to the requirement, the controller sends a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet to the forwarding device, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries feature information of the first resource, the extended community attribute field carries a global identifier (GID) indicating the second resource, and the BGP Flow Spec protocol packet instructs the forwarding device to associate the first resource with the second resource. Embodiments of the present invention can effectively avoid unrestricted extension of the BGP Flow Spec protocol.
Description
This application claims priority to Chinese patent application No. CN 201610160664.3, filed with the Chinese Patent Office on March 21, 2016 and entitled "Communication method, device and system based on the flow specification protocol", the entire contents of which are incorporated herein by reference.
Embodiments of the present invention relate to the field of communications, and more specifically to a communication method, device and system based on the flow specification (Flow Spec) protocol.
The Border Gateway Protocol (BGP) is a dynamic routing protocol used between autonomous systems (AS). Its three early versions were BGP-1 (RFC 1105), BGP-2 (RFC 1163) and BGP-3 (RFC 1267); they are mainly used to exchange reachability routing information between ASes, build inter-AS propagation paths, prevent routing loops, and apply routing policies at the AS level. The version in current use is BGP-4 (RFC 4271). As the de facto standard exterior routing protocol of the Internet, BGP is widely used between Internet service providers (ISPs).
BGP flow specification (Flow Spec) (RFC 5575) means that a traffic policy is delivered to a BGP Flow Specification peer by advertising a BGP Flow Specification route (the devices at the two ends of the advertisement are each other's peers). After receiving the BGP Flow Specification route, the peer converts the preferred route corresponding to it into a traffic control policy on the forwarding plane and performs traffic control accordingly. A BGP Flow Specification route is a kind of BGP route defined in RFC 5575; it contains a BGP network layer reachability information type (BGP Flow Spec NLRI) and extended community attributes. Through the NLRI and the extended community attributes, a BGP Flow Specification route can carry the traffic match conditions and the actions to execute on matching traffic. RFC 5575 defines 12 commonly used traffic match components, including destination prefix, source prefix, IP protocol, port, destination port, source port, ICMP type, ICMP code, TCP flags, DSCP and fragment; these 12 match components are encapsulated in the BGP Flow Specification route and carried as network layer reachability information. RFC 5575 defines 4 commonly used traffic actions: discard traffic, rate-limit traffic, modify the DSCP value of the packet, and redirect actions; these 4 actions are encapsulated in the BGP Flow Spec route and carried as extended community attributes, where a redirect action directs a specific data flow into the corresponding forwarding channel.
At present, the BGP Flow Spec protocol already supports the following six redirect actions: redirect to the VPN routing and forwarding table (Virtual Routing and Forwarding, VRF) identified by a route target in 2-byte AS number form (redirect AS-2byte); redirect to the VRF identified by a route target in IPv4 address form (redirect IPv4 format); redirect to the VRF identified by a route target in 4-byte AS number form (redirect AS-4byte); redirect to the VRF identified by a route target in IPv6 address form (redirect IPv6 specific AS); redirect to an IPv4 next hop (redirect IPv4 address); and redirect to an IPv6 next hop (redirect IPv6 address).
Extending related applications in the traditional way, for example redirect to VRF/IP/tunnel, requires a patch to the BGP Flow Spec protocol for every new service requirement, so that the BGP Flow Spec protocol is always in a state of change. For example, the BGP Flow Spec redirect actions scheme currently under study defines a generic Path-ID used to direct a data flow into the transport-layer tunnel corresponding to that Path-ID; the Path-ID must then be carried in the extended community attribute of the BGP Flow Spec protocol and, when necessary, the specific information of the tunnel must be carried as well.
Therefore, continuing to extend related applications in the traditional way leads to unrestricted extension of the BGP Flow Spec protocol.
Summary of the invention
Embodiments of the present invention provide a communication method and device based on the flow specification (Flow Spec) protocol, which can effectively avoid unrestricted extension of the Flow Spec protocol.
A first aspect provides a communication method based on the Flow Spec protocol, including:
a controller obtains a requirement that a first resource on a forwarding device needs to be associated with a second resource on the forwarding device;
according to the requirement, the controller sends a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet to the forwarding device, where the BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries feature information of the first resource, the extended community attribute field carries a global identifier (GID) indicating the second resource, and the BGP Flow Spec protocol packet instructs the forwarding device to associate the first resource with the second resource.
It should be understood that the feature information of the first resource is able to identify the first resource.
In this application, the first resource and the second resource of the forwarding device both refer to information stored on the forwarding device that is used to forward data packets (data flows). By associating the first resource with the second resource, data packets can be directed into the corresponding forwarding channel. For example, if the first resource is the routing information of a first node stored on the forwarding device and the second resource is the routing table of a second node stored on the forwarding device, then associating the first resource with the second resource means adding the routing information of the first node to the routing table of the second node; in this way, data packets originating from the second node can be directed into the forwarding channel of the first node. As another example, if the first resource is "source IP address = IP address of the first node and destination IP address = IP address of the second node" (both addresses being stored on the forwarding device) and the second resource is the routing table (forwarding table) of the second node stored on the forwarding device, then associating the first resource with the second resource means forwarding data packets whose source and destination IP addresses match the first resource according to the routing table of the second node; in this way, data packets originating from the first node can also be directed into the forwarding channel of the second node.
Therefore, in this application, by carrying the feature information of the first resource in the network layer reachability information field of the BGP Flow Spec protocol packet and carrying the global identifier GID indicating the second resource in the extended community attribute field, the forwarding device can be instructed to associate the first resource with the second resource so as to direct a data flow into the corresponding forwarding channel. As described in the previous paragraph, the first resource and the second resource carried in the BGP Flow Spec protocol packet can be different combinations of resources, so a variety of service requirements can be met with the BGP Flow Spec protocol packet of this application. In the traditional technique, every new service requirement requires a patch to the BGP Flow Spec protocol, that is, the extended community attribute of the protocol must be extended, so the protocol is always changing. Compared with the traditional technique, the BGP Flow Spec protocol of this application meets a variety of service requirements through a unified packet format and thus effectively avoids unrestricted extension of the extended community attribute in the BGP Flow Spec protocol.
In this application, the GID carried in the extended community attribute uniquely identifies the second resource within the forwarding device. For example, the controller and the forwarding device both store a mapping table that includes the mapping between the second resource and the GID, so both of them can locate the second resource through the GID. Therefore, by carrying a concise GID in the extended community attribute field of the BGP Flow Spec protocol packet, the second resource can be indicated, which saves signaling overhead.
With reference to the first aspect, in a first possible implementation of the first aspect, the communication method further includes:
the controller obtains the resources stored on the forwarding device, the resources including the second resource;
the controller assigns mapping identifiers to the resources stored on the forwarding device;
the controller sends a mapping table to the forwarding device, the mapping table including the mapping between the resources stored on the forwarding device and the assigned mapping identifiers,
where the GID is the mapping identifier that the controller assigned to the second resource.
In this application, the controller collects the resources stored on the forwarding device, assigns mapping identifiers to them, and then informs the forwarding device of the mapping between the resources and the mapping identifiers, so that the controller and the forwarding device can locate the corresponding resource by carrying only the mapping identifier in the communication signaling, which improves communication efficiency and saves signaling overhead.
With reference to the first aspect, in a second possible implementation of the first aspect, the extended community attribute field includes a GID field and a Flags field; the GID field carries the GID, and the Flags field carries information indicating whether the first resource and the second resource are to be associated on the control plane of the forwarding device or on its forwarding plane.
In the traditional technique, extended applications are usually limited to directing data flows into the corresponding forwarding channel on the forwarding plane. In this application, a data flow can be directed into the corresponding forwarding channel not only on the forwarding plane but also on the control plane, so this application enables flexible service orchestration.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the Flags field includes a forwarding-plane bit and a control-plane bit; when the forwarding-plane bit is set to 0 and the control-plane bit is set to 1, it indicates that the first resource and the second resource are to be associated on the control plane; when the forwarding-plane bit is set to 1 and the control-plane bit is set to 0, it indicates that they are to be associated on the forwarding plane.
It should be understood that, in the third possible implementation of the first aspect above, the forwarding-plane bit and the control-plane bit in the Flags field can also be replaced by a single first bit: when the first bit is set to 1, the first resource and the second resource are associated on the control plane; when it is set to 0, they are associated on the forwarding plane.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the Flags field further includes an additive bit; when the additive bit is set to 1, a resource association is added on the forwarding device; when it is set to 0, the association between the first resource and the second resource overwrites the existing associations between the first resource and other resources.
With reference to any one of the second to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the forwarding device is a service provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established; the forwarding device holds routing information of a second CE device, and the routing information of the second CE device is not in the VPN routing table of the VPN instance of the first CE device; the communication method further includes:
the controller obtains a VPN service request, which requests that the first CE device access the second CE device;
the controller obtaining the requirement that the first resource on the forwarding device needs to be associated with the second resource on the forwarding device includes:
the controller obtains, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the second CE device and the second resource is the VPN instance of the first CE device;
the controller sending the BGP Flow Spec protocol packet to the forwarding device according to the requirement includes:
the controller sends the BGP Flow Spec protocol packet to the forwarding device according to the requirement, where the Flags field in the packet indicates that the first resource and the second resource are to be associated on the control plane, and the packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
In this application, the controller sends a BGP Flow Spec protocol packet to the PE device (that is, the forwarding device) instructing it to add the routing information of a second CE device whose VPN RT attributes do not match those of the first CE device to the routing table of the first CE device, so that data packets originating from the first CE device can be directed into the forwarding channel of the second CE device; that is, a first CE device whose VPN RT attributes do not match is enabled to access the second CE device. Compared with the manual configuration of the prior art, this application enables VPN communication between two CE devices with mismatched VPN RT attributes flexibly and efficiently. In addition, whereas the traditional technique is limited to directing data flows into the corresponding forwarding channel on the forwarding plane, this application can direct data flows into the corresponding forwarding channel on the control plane, enabling flexible service orchestration.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the communication method further includes:
the controller obtains from the forwarding device the attribute information of the VPN instance of the first CE device, the attribute information including: VPN instance name, VPN instance route distinguisher (RD), VPN instance route target (RT), VPN instance index value and VPN instance interface information;
the controller assigns mapping identifiers to the attribute information of the VPN instance of the first CE device, the mapping identifiers uniquely identifying, within the forwarding device, the attribute information of the VPN instance of the first CE device;
the controller sends a mapping table to the forwarding device, the mapping table including the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers,
and the GID carried in the GID field is one or more of the mapping identifiers.
In this application, the controller collects the attribute information of the VPN instances established on the PE device, assigns mapping identifiers to it, and then informs the PE device of the mapping between the attribute information and the mapping identifiers, so that the controller and the PE device can locate the corresponding VPN instance by carrying only the mapping identifier in the BGP Flow Spec protocol packet, which improves communication efficiency and saves signaling overhead.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the communication method further includes:
the controller obtains a VPN service request that requests configuration of attribute information for a newly established VPN instance of a third CE device on the forwarding device;
the controller configures the following attribute information for the VPN instance of the third CE device: VPN instance name, VPN instance RD, VPN instance RT and VPN instance interface information, where the following attribute information of the VPN instance of the third CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device: VPN instance name, VPN instance RD and VPN instance interface information.
In this application, because the controller obtains the attribute information of the VPN instances that already exist on the PE device, it can avoid conflicts between the attribute information of different VPN instances when configuring attribute information for a VPN instance added on the PE device. Compared with the prior art, which relies on planning to avoid conflicts, this application avoids conflicts effectively and with higher operational efficiency.
With reference to any one of the fifth to seventh possible implementations of the first aspect, in an eighth possible implementation of the first aspect, the VPN instance of the second CE device is established on the forwarding device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: VPN instance name, VPN instance RD, VPN instance index value, VPN instance interface information, VPN instance GID.
With reference to any one of the fifth to seventh possible implementations of the first aspect, in a ninth possible implementation of the first aspect, the VPN instance of the second CE device is not established on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device;
the feature information of the first resource is at least one of: the RD information corresponding to the routing information of the second CE device, the Export Target information, or the route prefix information.
With reference to any one of the second to fourth possible implementations of the first aspect, in a tenth possible implementation of the first aspect, the forwarding device is a service provider edge (PE) device on which a VPN instance of a first CE device and a VPN instance of a third CE device are established; the forwarding device further holds routing information of a second CE device; the VPN routing table of the VPN instance of the first CE device does not include the routing information of the second CE device, while the VPN routing table of the VPN instance of the third CE device does include it; the communication method further includes:
the controller obtains a VPN service request, which requests that the first CE device access the second CE device;
the controller obtaining the requirement that the first resource on the forwarding device needs to be associated with the second resource on the forwarding device includes:
the controller obtains, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is "source IP address = IP address of the first CE device and destination IP address = IP address of the second CE device" and the second resource is the VPN instance of the third CE device;
the controller sending the BGP Flow Spec protocol packet to the forwarding device according to the requirement includes:
the controller sends the BGP Flow Spec protocol packet to the forwarding device according to the requirement, where the Flags field in the packet indicates that the first resource and the second resource are to be associated on the forwarding plane, and the packet instructs the forwarding device to forward data packets whose source and destination IP addresses match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
It should be understood that, in this implementation, the feature information of the first resource is "source IP address = IP address of the first CE device and destination IP address = IP address of the second CE device".
In this application, the controller sends a BGP Flow Spec protocol packet to the PE device (that is, the forwarding device) instructing it to forward data packets whose source IP address is that of the first CE device and whose destination IP address is that of the second CE device according to the routing and forwarding table of a second CE device whose VPN RT attributes do not match those of the first CE device, so that data packets originating from the first CE device can be directed into the forwarding channel of the second CE device; that is, a first CE device whose VPN RT attributes do not match is enabled to access the second CE device. Compared with the manual configuration of the prior art, this application enables VPN communication between two CE devices with mismatched VPN RT attributes flexibly and efficiently.
With reference to the tenth possible implementation of the first aspect, in an eleventh possible implementation of the first aspect, the communication method further includes:
the controller obtains from the forwarding device the attribute information of the VPN instance of the third CE device, the attribute information including: VPN instance name, VPN instance route distinguisher (RD), VPN instance route target (RT), VPN instance index value and VPN instance interface information;
the controller assigns mapping identifiers to the attribute information of the VPN instance of the third CE device, the mapping identifiers uniquely identifying, within the forwarding device, the attribute information of the VPN instance of the third CE device;
the controller sends a mapping table to the forwarding device, the mapping table including the mapping between the attribute information of the VPN instance of the third CE device and the mapping identifiers,
and the GID carried in the GID field is one or more of the mapping identifiers.
In this application, the controller collects the attribute information of the VPN instances established on the PE device, assigns mapping identifiers to it, and then informs the PE device of the mapping between the attribute information and the mapping identifiers, so that the controller and the PE device can locate the corresponding VPN instance by carrying only the mapping identifier in the BGP Flow Spec protocol packet, which improves communication efficiency and saves signaling overhead.
With reference to the eleventh possible implementation of the first aspect, in a twelfth possible implementation of the first aspect, the communication method further includes:
the controller obtains a VPN service request that requests configuration of attribute information for a newly established VPN instance of a fourth CE device on the forwarding device;
the controller configures the following attribute information for the VPN instance of the fourth CE device: VPN instance name, VPN instance RD, VPN instance RT and VPN instance interface information, where the following attribute information of the VPN instance of the fourth CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device and of the VPN instance of the third CE device: VPN instance name, VPN instance RD and VPN instance interface information.
In this application, because the controller obtains the attribute information of the VPN instances that already exist on the PE device, it can avoid conflicts between the attribute information of different VPN instances when configuring attribute information for a VPN instance added on the PE device. Compared with the prior art, which relies on planning to avoid conflicts, this application avoids conflicts effectively and with higher operational efficiency.
With reference to any one of the tenth to twelfth possible implementations of the first aspect, in a thirteenth possible implementation of the first aspect, the second CE device is the third CE device.
A second aspect provides a communication method based on the Flow Spec protocol, the communication method including:
a forwarding device receives a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet sent by a controller, where the packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries feature information of a first resource on the forwarding device that identifies the first resource, the extended community attribute field carries a global identifier (GID) indicating a second resource on the forwarding device, and the packet instructs the forwarding device to associate the first resource with the second resource;
the forwarding device obtains the first resource according to the feature information of the first resource and obtains the second resource according to the GID;
the forwarding device associates the first resource with the second resource.
In this application, the first resource and the second resource of the forwarding device both refer to information stored on the forwarding device that is used to forward data packets (data flows). By associating the first resource with the second resource, data packets can be directed into the corresponding forwarding channel. For example, if the first resource is the routing information of a first node stored on the forwarding device and the second resource is the routing table of a second node stored on the forwarding device, then associating the first resource with the second resource means adding the routing information of the first node to the routing table of the second node; in this way, data packets originating from the second node can be directed into the forwarding channel of the first node. As another example, if the first resource is "source IP address = IP address of the first node and destination IP address = IP address of the second node" (both addresses being stored on the forwarding device) and the second resource is the routing table (forwarding table) of the second node stored on the forwarding device, then associating the first resource with the second resource means forwarding data packets whose source and destination IP addresses match the first resource according to the routing table of the second node; in this way, data packets originating from the first node can also be directed into the forwarding channel of the second node.
Therefore, in this application, by carrying the feature information of the first resource in the network layer reachability information field of the BGP Flow Spec protocol packet and carrying the global identifier GID indicating the second resource in the extended community attribute field, the forwarding device can be instructed to associate the first resource with the second resource so as to direct a data flow into the corresponding forwarding channel. As described in the previous paragraph, the first resource and the second resource carried in the BGP Flow Spec protocol packet can be different combinations of resources, so a variety of service requirements can be met with the BGP Flow Spec protocol packet of this application. In the traditional technique, every new service requirement requires a patch to the BGP Flow Spec protocol, that is, the extended community attribute of the protocol must be extended, so the protocol is always changing. Compared with the traditional technique, the BGP Flow Spec protocol of this application meets a variety of service requirements through a unified packet format and thus effectively avoids unrestricted extension of the extended community attribute in the BGP Flow Spec protocol.
In this application, the GID carried in the extended community attribute uniquely identifies the second resource within the forwarding device. For example, the controller and the forwarding device both store a mapping table that includes the mapping between the second resource and the GID, so both of them can locate the second resource through the GID. Therefore, by carrying a concise GID in the extended community attribute field of the BGP Flow Spec protocol packet, the second resource can be indicated, which saves signaling overhead.
With reference to the second aspect, in a first possible implementation of the second aspect, the extended community attribute field includes a GID field and a Flags field; the GID field carries the GID, and the Flags field carries information indicating whether the first resource and the second resource are to be associated on the control plane of the forwarding device or on its forwarding plane.
In the traditional technique, extended applications are usually limited to directing data flows into the corresponding forwarding channel on the forwarding plane. In this application, a data flow can be directed into the corresponding forwarding channel not only on the forwarding plane but also on the control plane, so this application enables flexible service orchestration.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the Flags field includes a forwarding-plane bit and a control-plane bit; when the forwarding-plane bit is set to 0 and the control-plane bit is set to 1, it indicates that the first resource and the second resource are to be associated on the control plane; when the forwarding-plane bit is set to 1 and the control-plane bit is set to 0, it indicates that they are to be associated on the forwarding plane.
It should be understood that, in the above implementation, the forwarding-plane bit and the control-plane bit in the Flags field can also be replaced by a single first bit: when the first bit is set to 1, the first resource and the second resource are associated on the control plane; when it is set to 0, they are associated on the forwarding plane.
With reference to the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the forwarding device is a service provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established; the forwarding device holds routing information of a second CE device, and that routing information is not in the VPN routing table of the VPN instance of the first CE device; the forwarding device receiving the BGP Flow Spec protocol packet sent by the controller includes:
the forwarding device receives the BGP Flow Spec protocol packet sent by the controller according to a VPN service request, where the VPN service request requests that the first CE device access the second CE device, the first resource is the routing information of the second CE device, the second resource is the VPN instance of the first CE device, the Flags field in the packet indicates that the first resource and the second resource are to be associated on the control plane, and the packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device;
the forwarding device associating the first resource with the second resource includes:
the forwarding device adds the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
In this application, the PE device (that is, the forwarding device), on receiving the BGP Flow Spec protocol packet sent by the controller, adds the routing information of a second CE device whose VPN RT attributes do not match those of the first CE device to the routing table of the first CE device, so that data packets originating from the first CE device can be directed into the forwarding channel of the second CE device; that is, a first CE device whose VPN RT attributes do not match is enabled to access the second CE device. Compared with the manual configuration of the prior art, this application enables VPN communication between two CE devices with mismatched VPN RT attributes flexibly and efficiently. In addition, whereas the traditional technique is limited to directing data flows into the corresponding forwarding channel on the forwarding plane, this application can direct data flows into the corresponding forwarding channel on the control plane, enabling flexible service orchestration.
With reference to the third implementation of the second aspect, in a fourth possible implementation of the second aspect, the communication method further includes:
the forwarding device sends to the controller the attribute information of the VPN instance of the first CE device, the attribute information including: VPN instance name, VPN instance route distinguisher (RD), VPN instance route target (RT), VPN instance index value and VPN instance interface information;
the forwarding device receives a mapping table sent by the controller, the mapping table including the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers that the controller assigned to that attribute information, the mapping identifiers uniquely identifying, within the forwarding device, the attribute information of the VPN instance of the first CE device,
and the GID carried in the GID field is one or more of the mapping identifiers.
In this application, the controller collects the attribute information of the VPN instances established on the PE device, assigns mapping identifiers to it, and then informs the PE device of the mapping between the attribute information and the mapping identifiers, so that the controller and the PE device can locate the corresponding VPN instance by carrying only the mapping identifier in the BGP Flow Spec protocol packet, which improves communication efficiency and saves signaling overhead.
With reference to the third or fourth implementation of the second aspect, in a fifth possible implementation of the second aspect, the VPN instance of the second CE device is established on the forwarding device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: VPN instance name, VPN instance RD, VPN instance index value, VPN instance interface information, VPN instance GID;
the forwarding device obtaining the first resource according to the feature information of the first resource includes:
the forwarding device obtains, according to the feature information of the first resource, the routing information of the second CE device from the VPN routing table of the VPN instance of the second CE device.
In the above implementation, the feature information of the first resource is the GID indicating the VPN instance of the second CE device.
With reference to the third or fourth implementation of the second aspect, in a sixth possible implementation of the second aspect, the VPN instance of the second CE device is not established on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device;
the feature information of the first resource is at least one of: the RD information corresponding to the routing information of the second CE device, the Export Target information, or the route prefix information;
the forwarding device obtaining the first resource according to the feature information of the first resource includes:
the forwarding device obtains, according to the feature information of the first resource, the routing information of the second CE device from the VPN public network routing table.
With reference to the first or second implementation of the second aspect, in a seventh possible implementation of the second aspect, the forwarding device is a service provider edge (PE) device on which a VPN instance of a first CE device and a VPN instance of a third CE device are established; the forwarding device further holds routing information of a second CE device; the VPN routing table of the VPN instance of the first CE device does not include the routing information of the second CE device, while the VPN routing table of the VPN instance of the third CE device does include it; the forwarding device receiving the BGP Flow Spec protocol packet sent by the controller includes:
the forwarding device receives the BGP Flow Spec protocol packet sent by the controller according to a VPN service request, where the VPN service request requests that the first CE device access the second CE device, the first resource is "source IP address = IP address of the first CE device and destination IP address = IP address of the second CE device", the second resource is the VPN instance of the third CE device, the Flags field in the packet indicates that the first resource and the second resource are to be associated on the forwarding plane, and the packet instructs the forwarding device to forward data packets whose source and destination IP addresses match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device;
the forwarding device associating the first resource with the second resource includes:
the forwarding device receives a data packet whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device;
the forwarding device forwards the data packet according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
It should be understood that, in this implementation, the feature information of the first resource is "source IP address = IP address of the first CE device and destination IP address = IP address of the second CE device".
In this application, the PE device (that is, the forwarding device), on receiving the BGP Flow Spec protocol packet sent by the controller, forwards data packets whose source IP address is that of the first CE device and whose destination IP address is that of the second CE device according to the routing and forwarding table of a second CE device whose VPN RT attributes do not match those of the first CE device, so that data packets originating from the first CE device can be directed into the forwarding channel of the second CE device; that is, a first CE device whose VPN RT attributes do not match is enabled to access the second CE device. Compared with the manual configuration of the prior art, this application enables VPN communication between two CE devices with mismatched VPN RT attributes flexibly and efficiently.
With reference to the seventh implementation of the second aspect, in an eighth possible implementation of the second aspect, the communication method further includes:
the forwarding device sends to the controller the attribute information of the VPN instance of the third CE device, the attribute information including: VPN instance name, VPN instance route distinguisher (RD), VPN instance route target (RT), VPN instance index value and VPN instance interface information;
the forwarding device receives a mapping table sent by the controller, the mapping table including the mapping between the attribute information of the VPN instance of the third CE device and the mapping identifiers that the controller assigned to that attribute information, the mapping identifiers uniquely identifying, within the forwarding device, the attribute information of the VPN instance of the third CE device,
and the GID carried in the GID field is one or more of the mapping identifiers.
In this application, the controller collects the attribute information of the VPN instances established on the PE device, assigns mapping identifiers to it, and then informs the PE device of the mapping between the attribute information and the mapping identifiers, so that the controller and the PE device can locate the corresponding VPN instance by carrying only the mapping identifier in the BGP Flow Spec protocol packet, which improves communication efficiency and saves signaling overhead.
With reference to the seventh or eighth implementation of the second aspect, in a ninth possible implementation of the second aspect, the second CE device is the third CE device.
In some of the above implementations, when the controller assigns mapping identifiers to the attribute information of the VPN instance of the first CE device, it may assign a separate mapping identifier to each item of attribute information of that VPN instance (VPN instance name, VPN instance route distinguisher RD, VPN instance route target RT, VPN instance index value and VPN instance interface information), or it may assign a single mapping label to all the attribute information of the VPN instance; it suffices that the controller and the PE device can locate the VPN instance of the first CE device through the mapping label.
A third aspect provides a controller for performing the method of the first aspect or of any possible implementation of the first aspect.
Specifically, the controller may include modules for performing the method of the first aspect or of any possible implementation of the first aspect.
A fourth aspect provides a forwarding device for performing the method of the second aspect or of any possible implementation of the second aspect.
Specifically, the forwarding device may include modules for performing the method of the second aspect or of any possible implementation of the second aspect.
A fifth aspect provides a controller including a memory and a processor; the memory stores instructions, the processor executes the instructions stored in the memory, and executing those instructions causes the processor to perform the method of the first aspect or of any possible implementation of the first aspect.
A sixth aspect provides a forwarding device including a memory and a processor; the memory stores instructions, the processor executes the instructions stored in the memory, and executing those instructions causes the processor to perform the method of the second aspect or of any possible implementation of the second aspect.
A seventh aspect provides a Flow Spec-based communication system including a controller and a forwarding device, the controller being the controller provided in the third aspect and the forwarding device being the forwarding device provided in the fourth aspect.
In some of the above implementations, the VPN instance of the first CE device refers to the VPN instance established on the PE device that maintains contact with the first CE device.
In some of the above implementations, the Export Target attribute of the routing information of the second CE device does not match the Import Target attribute of the VPN instance of the first CE device.
In some of the above implementations, the routing information of the second CE device indicates the IPv4 address information or the IPv6 address information of the second CE device.
Therefore, in this application, by carrying the feature information of the first resource in the network layer reachability information field of the BGP Flow Spec protocol packet and carrying the global identifier GID indicating the second resource in the extended community attribute field, the forwarding device can be instructed to associate the first resource with the second resource so as to direct a data flow into the corresponding forwarding channel. Compared with the traditional technique, the BGP Flow Spec protocol of this application meets a variety of service requirements through a unified packet format and thus effectively avoids unrestricted extension of the extended community attribute in the BGP Flow Spec protocol. In addition, by carrying a concise GID in the extended community attribute field of the BGP Flow Spec protocol packet, the second resource can be indicated, which saves signaling overhead.
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are merely some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present invention.
FIG. 2 is a schematic flowchart of a Flow Spec-based communication method according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of the format of an extended community attribute according to an embodiment of the present invention.
FIG. 4 is another schematic flowchart of a Flow Spec-based communication method according to an embodiment of the present invention.
FIG. 5 is a schematic diagram of a Flow Spec-based communication method according to an embodiment of the present invention.
FIG. 6 is a schematic block diagram of a controller according to an embodiment of the present invention.
FIG. 7 is a schematic block diagram of a forwarding device according to an embodiment of the present invention.
FIG. 8 is another schematic block diagram of a controller according to an embodiment of the present invention.
FIG. 9 is another schematic block diagram of a forwarding device according to an embodiment of the present invention.
FIG. 10 is a schematic block diagram of a Flow Spec-based communication system according to an embodiment of the present invention.
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To facilitate understanding of the embodiments of the present invention, several concepts that will be used in the description of the embodiments are introduced first.
Multi-Protocol Label Switching (MPLS) is a new-generation switching standard for high-speed IP backbone networks; MPLS forwards data using labels. When a packet enters the network, it is assigned a short, fixed-length label, and the label is encapsulated together with the packet and forwarded; throughout the forwarding process, the switching nodes forward according to the label only. MPLS adds a connection-oriented control plane to the connectionless IP network, giving the IP network additional means of management and operation.
The control plane is the part of a system used to transmit instructions and compute table entries; for example, protocol packet forwarding and protocol table entry computation and maintenance belong to the control plane. As another example, in a routing system, the processes responsible for running the routing protocols, learning routes and maintaining routing table entries belong to the control plane.
The forwarding plane is the part of a system used to encapsulate and forward data packets; for example, receiving, decapsulating, encapsulating and forwarding data packets belong to the forwarding plane. As another example, after the system receives an IP packet, the processes responsible for decapsulating it, looking up the routing table for it and forwarding it out of the egress interface belong to the forwarding plane.
BGP flow specification (Flow Spec) (RFC 5575) means that a traffic policy is delivered to a BGP Flow Specification peer by advertising a BGP Flow Specification route (the devices at the two ends of the advertisement are each other's peers). After receiving the BGP Flow Specification route, the peer converts the preferred route corresponding to it into a traffic control policy on the forwarding plane and performs traffic control accordingly. A BGP Flow Specification route is a kind of BGP route defined in RFC 5575; it contains a BGP network layer reachability information type (BGP Flow Spec NLRI) and extended community attributes. Through the NLRI and the extended community attributes, a BGP Flow Specification route can carry the traffic match conditions and the actions to execute on matching traffic. RFC 5575 defines 12 commonly used traffic match components, including destination prefix, source prefix, IP protocol, port, destination port, source port, ICMP type, ICMP code, TCP flags, DSCP and fragment; these 12 match components are encapsulated in the BGP Flow Specification route and carried as network layer reachability information. RFC 5575 defines 4 commonly used traffic actions: discard traffic, rate-limit traffic, modify the DSCP value of the packet, and redirect to VPN; these 4 actions are encapsulated in the BGP Flow Spec route and carried as extended community attributes.
A large organization often has many departments distributed over distant locations, each of which has its own private network. Assuming that these private networks at different locations need to communicate frequently, the organization's private network can be realized over the Internet (that is, the public network), and such a private network is called a virtual private network (VPN).
The typical VPN at present is BGP/MPLS IP VPN, also commonly called MPLS L3VPN. The basic MPLS L3VPN model consists of three parts: CE, PE and P.
CE refers to the customer edge device (Customer Edge); a CE has an interface that connects directly to the service provider (SP) network. A CE can be a router or a switch, or a host. Usually a CE is not "aware" of the existence of the VPN and does not need to support MPLS.
PE refers to the provider edge device (Provider Edge), the edge device of the service provider network; it connects directly to the CE, is responsible for VPN service access, and processes VPN-IPv4 routes. One PE device can connect to multiple CE devices, and one CE device can connect to multiple PE devices belonging to the same or different service providers.
P refers to a backbone device in the service provider network that is not directly connected to any CE.
A VPN instance (VPN-instance) is a dedicated entity that a PE device establishes and maintains for each CE device directly connected to it; every CE device has its own VPN instance on the PE device it is directly connected to. A VPN instance is also called a VPN routing and forwarding table (VRF). A VRF contains an IP routing table, a label forwarding table, the interfaces that use the label forwarding table, and management information (routing filter policies, member interface list, and so on). Each VPN instance contains the routing and forwarding tables for one or more CE devices directly connected to the PE.
A PE device has several routing and forwarding tables: one public network routing and forwarding table and one or more VPN routing and forwarding tables (also called private network routing and forwarding tables). The public network routing table contains the IPv4 routes of all PE devices and is produced by the backbone routing protocol or by static routes; the public network forwarding table is the minimal forwarding information extracted from the public network routing table according to the route management policy. The VPN routing table of a VPN instance contains the routes of all CE devices belonging to that VPN instance and is obtained through VPN route exchange between CE and PE devices or between two PE devices; for example, it contains routes obtained from the CE device corresponding to the VPN instance and may also contain routes imported through MP-iBGP. The VPN forwarding table is the minimal forwarding information extracted from the corresponding VPN routing table according to the route management policy.
A site is a group of IP systems with IP connectivity among themselves, where that connectivity does not depend on the service provider network. A site is defined by the network topology of the devices rather than by geographic location, although the devices of one site are usually geographically close; if two geographically separated groups of IP systems are interconnected by a leased line and can communicate without going through the service provider network, they form one site. A site connects to the service provider (SP) network through a customer edge (CE) device.
The relationship between VPN, site and VPN instance is as follows: a VPN is a combination of several sites. One site can belong to several VPNs. Each site is associated with a VPN instance on the PE device. A VPN instance combines the VPN membership and the routing rules of that VPN instance, and several sites are combined into one VPN according to the routing rules of the VPN instance.
A route distinguisher (RD) is a flag indicating which VPN instance an IP route belongs to. It is globally unique, 8 bytes long, and is used to distinguish different VPNs that use the same address space (for example, the same IPv4 or IPv6 prefixes); VPNs achieve address space independence through the RD. The structure of the RD lets each service provider allocate RDs independently. There is a one-to-one correspondence between an RD and a VPN routing and forwarding table (VRF); usually, interfaces on different PE devices that belong to the same VPN instance are given the same RD for their VRFs, that is, each VPN instance is assigned one globally unique RD.
An IPv4 address with an RD prepended is called a VPN-IPv4 address. For example, after a PE device receives an IPv4 address from a directly connected CE device, it adds the RD to turn that IPv4 address into a globally unique VPN-IPv4 address and advertises it over the public network. VPN-IPv6 has the same structure as VPN-IPv4, with the IPv4 prefix replaced by an IPv6 prefix.
BGP/MPLS IP VPN controls the advertisement of VPN routing information with the VPN Target attribute, usually called the Route Target (RT) attribute. BGP/MPLS IP VPN uses two kinds of RT attribute:
Export Target (ERT): after a PE device learns an IPv4 route from a directly connected CE device, it adds the RD to turn the IPv4 route into a VPN-IPv4 route, sets the Export Target attribute on that VPN-IPv4 route, and advertises the route with its Export Target attribute to the other PE devices over the public network; the Export Target attribute is carried as a BGP extended community attribute together with the VPN-IPv4 route.
Import Target (IRT): when a local PE device receives a VPN-IPv4 route advertised by another PE device over the public network, it checks the Export Target attribute of that route. When the Export Target attribute of the VPN-IPv4 route matches the Import Target attribute of a VPN instance on the local PE device, the local PE device adds the VPN-IPv4 route to the VPN routing table of that VPN instance. Each VPN instance can be associated with one or more RT attributes.
Before a local PE advertises the VPN-IPv4 routes learned from its directly connected CEs to other PEs, it sets the Export Target attribute on those routes, carried as an extended community attribute with the route. When a PE receives a VPN-IPv4 route advertised by another PE, it checks the route's Export Target attribute and adds the route to the VRF of a VPN instance only if the Export Target attribute matches the Import Target attribute of that VPN instance. In other words, the RT attribute defines which sites may receive a VPN-IPv4 route, and from which sites a PE may accept routes.
It should be understood that the RT attribute applies equally to the control of VPN route advertisement between different VPN instances on the same PE: different VPN instances on one PE can be configured with the same Import Target and Export Target so that they import each other's VPN routes.
VPN routing information is advertised in three stages: from the local CE device to the ingress PE device (the local CE device and the ingress PE device are directly connected), from the ingress PE device to the egress PE device, and from the egress PE device to the remote CE device (the remote CE device and the egress PE device are directly connected). Roughly: the ingress PE device learns IPv4 routing information from the local CE device, adds an RD and a VPN Target attribute to these standard IPv4 routes to form VPN-IPv4 routes, and stores them in the VPN instance created for that CE device. It should be understood that the IPv4 routing information of the local CE device can also be configured directly on the ingress PE device, or obtained by the ingress PE device in some other way. The ingress PE advertises the VPN-IPv4 route to the egress PE device through MP-BGP. The egress PE device compares the Export Target attribute of the VPN-IPv4 route with the Import Target attributes of the VPN instances it maintains and decides whether to add the route to the VPN routing table of one of its VPN instances. Connectivity between the ingress PE device and the egress PE device can be ensured by an IGP. When the Export Target attribute of the VPN-IPv4 route matches the Import Target attribute of one of the VPN instances it maintains, the egress PE device adds the VPN-IPv4 route to the VPN routing table of that VPN instance. The remote CE device learns from the egress PE device the IPv4 route corresponding to the VPN-IPv4 route. The remote CE can learn VPN routes from the egress PE device in several ways, including static routes, RIP, OSPF, IS-IS or BGP; this process can be the same as the exchange of VPN routing information between the local CE device and the ingress PE device. After these three stages of route exchange, reachable routes are established between the local CE device and the remote CE device, ensuring that VPN private network routing information can be carried across the backbone network.
For ease of understanding and description, the virtual private network (VPN) scenario is used as an example below, with a PE device as the forwarding device; the embodiments of the present invention are not limited to this. A person skilled in the art will clearly understand from the teaching of the embodiments that the method of the embodiments can equally be applied to other scenarios concerned with directing data flows into a corresponding forwarding channel, and all such applications fall within the scope of the present invention.
FIG. 1 shows a specific application scenario of an embodiment of the present invention. PE1, PE2 and PE3 are three PE devices on which VPN services are deployed; their IP addresses are 1.1.1.1, 2.2.2.2 and 3.3.3.3 respectively, so that in the network of FIG. 1 the IP address 2.2.2.2 can stand for PE2. The controller (the software-defined networking (SDN) controller shown in FIG. 1) receives a VPN service request from a user device (the orchestrator / network management system / user APP shown in FIG. 1) and, based on that request, implements the VPN service requested by the user by sending signaling to the PE devices.
FIG. 1 schematically shows four sites. Site1 connects to PE1 through CE1, and PE1 maintains contact with CE1 by establishing VPN instance vpn1; Site2 connects to PE1 through CE2, and PE1 maintains contact with CE2 by establishing VPN instance vpn2; Site3 connects to PE2 through CE3, and PE2 maintains contact with CE3 by establishing VPN instance vpn1; Site4 connects to PE3 through CE4, and PE3 maintains contact with CE4 by establishing VPN instance vpn1.
The attribute information of VPN instance vpn1 established on PE1 and associated with CE1 is as follows:
VPN-Instance Name: vpn1
RD: 100:1
Import Target (hereinafter IRT): 100:1
Export Target (hereinafter ERT): 100:2
VPN interface (Interface): interface1 (interface1 on PE1 as shown in FIG. 1)
VPN index (VPN-Index): 101 (not shown in FIG. 1)
The attribute information of VPN instance vpn2 established on PE1 and associated with CE2 is as follows:
VPN-Instance Name: vpn2
RD: 100:2
IRT: 100:1
ERT: 100:2
Interface: interface2 (interface2 on PE1 as shown in FIG. 1)
VPN-Index: 102 (not shown in FIG. 1)
The attribute information of VPN instance vpn1 established on PE2 and associated with CE3 is as follows:
VPN-Instance Name: vpn1
RD: 100:1
IRT: 100:1
ERT: 100:2
Interface: interface1 (interface1 on PE2 as shown in FIG. 1)
VPN-Index: 201 (not shown in FIG. 1)
The attribute information of VPN instance vpn1 established on PE3 and associated with CE4 is as follows:
VPN-Instance Name: vpn1
RD: 100:1
IRT: 100:2
ERT: 100:1
Interface: interface1 (interface1 on PE3 as shown in FIG. 1)
VPN-Index: 301 (not shown in FIG. 1)
It should be understood that the name of a VPN instance (for example vpn1 and vpn2 in FIG. 1) is meaningful only on the PE device where it resides. Although PE1, PE2 and PE3 all have a VPN instance named vpn1, this does not necessarily mean they all belong to one VPN; whether they do is determined by the matching of the Import Target and Export Target configured on each VPN instance. For example, in FIG. 1 the Import Target and Export Target configured on vpn1 of PE1 and on vpn1 of PE3 match each other, so they can provide VPN service, because they belong to one VPN. But the Import Target and Export Target configured on vpn1 of PE1 and on vpn1 of PE2 do not match, so they cannot provide VPN service and do not belong to one VPN.
For brevity, the wording "the VPN instance of CE1" is used below for "the VPN instance established on PE1 and associated with CE1"; the same wording applies to CE2, CE3 and CE4.
It follows from the above that the RT attributes (that is, IRT and ERT) of the VPN instances of CE1, CE2 and CE3 each match the RT attributes of the VPN instance of CE4, so the IPv4 routes of CE1, CE2 and CE3 can be imported by PE3 into the VPN routing and forwarding table (VRF) of the VPN instance of CE4, and the IPv4 routing information of CE4 can be imported into the VRFs of the VPN instances of CE1, CE2 and CE3. In other words, CE1 and CE4 can access each other, CE2 and CE4 can access each other, and CE3 and CE4 can access each other. However, the RT attributes of the VPN instances of CE1, CE2 and CE3 do not match one another, so the VRF of the VPN instance of CE1 does not contain the routing information of CE2 and CE3, the VRF of the VPN instance of CE2 does not contain the routing information of CE1 and CE3, and the VRF of the VPN instance of CE3 does not contain the routing information of CE1 and CE2. Therefore, based on the current VPN routing and forwarding tables, CE1 and CE2, CE1 and CE3, and CE2 and CE3 cannot access each other. For example, when a user raises a VPN service request that CE1 and CE2 access each other, the existing VPN deployment cannot satisfy it.
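The route distribution rules described above (RD, VPN-IPv4 address, Export Target / Import Target matching) can be checked against the FIG. 1 deployment with a small model. The following is an added example and not code from the patent or from any product; the PE and VPN instance attributes are the ones listed for FIG. 1, while the customer prefixes (10.1.0.0/24 and so on) and the RD wire format used for `encode_rd` (Type 0, 2-byte AS number plus 4-byte assigned number) are assumptions of the example. `fig1_reachability` returns, for each CE, the other CEs whose routes its VRF received, which reproduces the conclusion that only CE4 is reachable from CE1, CE2 and CE3.

```python
"""Added example, not part of the patent text: a model of the MPLS L3VPN
route-distribution rules described above (RD, Export Target / Import Target
matching), applied to the four VPN instances of FIG. 1.  The PE and VPN
instance attributes are the values listed in the text; the customer prefixes
are assumed."""
import struct
from dataclasses import dataclass, field


def encode_rd(rd: str) -> bytes:
    """Encode a Type 0 route distinguisher "ASN:number" (2-byte AS number,
    4-byte assigned number) into its 8-byte wire form (assumed layout)."""
    asn, num = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def vpn_ipv4_key(rd: str, prefix: str) -> bytes:
    """A VPN-IPv4 address is the 8-byte RD followed by the IPv4 prefix, so two
    customers may both use 10.0.0.0/24 as long as their RDs differ."""
    ip, plen = prefix.split("/")
    return encode_rd(rd) + bytes(int(o) for o in ip.split(".")) + bytes([int(plen)])


@dataclass
class VpnInstance:
    pe: str
    name: str
    rd: str
    import_targets: frozenset
    export_targets: frozenset
    interface: str
    vrf: dict = field(default_factory=dict)  # prefix -> (origin CE, RD)


@dataclass
class VpnRoute:
    ce: str
    prefix: str
    rd: str
    export_targets: frozenset


def originate(inst: VpnInstance, ce: str, prefix: str) -> VpnRoute:
    """The PE learns an IPv4 route from its directly connected CE, installs it
    in that CE's VRF and turns it into a VPN-IPv4 route tagged with the
    instance's Export Target(s)."""
    inst.vrf[prefix] = (ce, inst.rd)
    return VpnRoute(ce, prefix, inst.rd, inst.export_targets)


def import_route(inst: VpnInstance, route: VpnRoute) -> bool:
    """Import rule of the text: a VPN-IPv4 route enters a VRF only if one of
    its Export Targets matches one of the VRF's Import Targets."""
    if route.export_targets & inst.import_targets:
        inst.vrf[route.prefix] = (route.ce, route.rd)
        return True
    return False


def fig1_reachability() -> dict:
    """Build FIG. 1 (PE1: vpn1/CE1 and vpn2/CE2; PE2: vpn1/CE3; PE3: vpn1/CE4)
    and return, per CE, the sorted list of other CEs whose routes ended up in
    its VRF, i.e. which CEs it can reach."""
    rt = frozenset
    insts = {
        "CE1": VpnInstance("PE1", "vpn1", "100:1", rt({"100:1"}), rt({"100:2"}), "interface1"),
        "CE2": VpnInstance("PE1", "vpn2", "100:2", rt({"100:1"}), rt({"100:2"}), "interface2"),
        "CE3": VpnInstance("PE2", "vpn1", "100:1", rt({"100:1"}), rt({"100:2"}), "interface1"),
        "CE4": VpnInstance("PE3", "vpn1", "100:1", rt({"100:2"}), rt({"100:1"}), "interface1"),
    }
    prefixes = {"CE1": "10.1.0.0/24", "CE2": "10.2.0.0/24",  # assumed prefixes
                "CE3": "10.3.0.0/24", "CE4": "10.4.0.0/24"}
    routes = [originate(insts[ce], ce, prefix) for ce, prefix in prefixes.items()]
    # Every VPN-IPv4 route is offered to every other VPN instance, including
    # instances on the same PE (the text notes RT matching applies there too).
    for route in routes:
        for ce, inst in insts.items():
            if ce != route.ce:
                import_route(inst, route)
    return {ce: sorted(origin for origin, _ in inst.vrf.values() if origin != ce)
            for ce, inst in insts.items()}


if __name__ == "__main__":
    for ce, peers in fig1_reachability().items():
        print(f"{ce} reaches {', '.join(peers) or 'no other CE'}")
```

The model deliberately offers every route to every instance, including the two on PE1, to show that it is the RT check alone, not PE placement, that keeps CE1 and CE2 apart even though both are attached to the same PE.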
To address this technical problem, the prior art usually relies on manually configuring a matching relationship between the Import Target and Export Target of the VPN instances associated with CE1 and CE2 so that CE1 and CE2 can access each other. Manual configuration, however, is cumbersome and inefficient.
To address this technical problem, the embodiments of the present invention propose a Flow Spec-based communication method that enables access between CE devices with mismatched RT attributes flexibly and efficiently, while effectively avoiding unrestricted extension of the BGP Flow Spec protocol.
For ease of understanding and description, the network deployment of FIG. 1 is used as an example below to describe the Flow Spec-based communication method 100 provided by an embodiment of the present invention. As shown in FIG. 2, the method 100 includes:
S110, the controller (the SDN controller shown in FIG. 1) receives a VPN service request from the user side (the orchestrator / network management system / user APP shown in FIG. 1); the VPN service request requests access from CE1 to CE2, that is, that data packets originating from CE1 be directed into the forwarding channel of CE2.
S120, according to the VPN service request, the controller obtains the requirement that a first resource needs to be associated with a second resource, where the first resource is the routing information of CE2 and the second resource is the VPN instance of CE1.
S130, according to the requirement, the controller sends a BGP Flow Spec protocol packet to PE1; the packet includes a network layer reachability information field and an extended community attribute field, the network layer reachability information field carries the feature information of the first resource, the extended community attribute field carries the global identifier GID indicating the second resource, the feature information of the first resource is information able to identify the routing information of CE2, and the packet instructs PE1 to add the routing information of CE2 to the VRF of the VPN instance of CE1.
S140, after receiving the BGP Flow Spec protocol packet sent by the controller, PE1 parses it, obtains the routing information of CE2 based on the feature information of the first resource, obtains the VPN instance of CE1 based on the GID, and then adds the routing information of CE2 to the VRF of the VPN instance of CE1.
It should be understood that, in this embodiment, CE2, which CE1 wants to access, is directly connected to PE1, so PE1 can obtain the routing information of CE2 through direct communication with CE2, or the routing information of CE2 can be configured on PE1; the embodiment does not limit this.
The above steps open the access path from CE1 to CE2.
S150, PE1 receives on Interface 1 a data packet from CE1 destined for CE2, that is, the source IP address of the packet is the IP address of CE1 and its destination IP address is the IP address of CE2.
S160, according to the destination IP address of the packet, PE1 looks up the VRF of the VPN instance of CE1, obtains the routing information of CE2, and thereby determines the egress for the packet, namely Interface2 of the VPN instance of CE2; it forwards the packet out of Interface2 so that it reaches CE2, which realizes access from CE1 to CE2.
It should be understood that if the VPN service request is for CE2 to access CE1, access from CE2 to CE1 is realized simply by swapping CE1 and CE2 in steps S110 to S160 above.
In this embodiment of the present invention, the controller sends a BGP Flow Spec protocol packet to the PE device instructing it to add the routing information of a second CE device whose VPN RT attributes do not match those of the first CE device to the routing table of the first CE device, so that data packets originating from the first CE device can be directed into the forwarding channel of the second CE device; that is, a first CE device whose VPN RT attributes do not match is enabled to access the second CE device. Compared with the manual configuration of the prior art, this application enables VPN communication between two CE devices with mismatched VPN RT attributes flexibly and efficiently. In addition, whereas the traditional technique is limited to directing data flows into the corresponding forwarding channel on the forwarding plane, this application can direct data flows into the corresponding forwarding channel on the control plane, enabling flexible service orchestration.
Specifically, in the scenario of FIG. 1, the accessed end CE2 is directly connected to PE1, that is, PE1 establishes and maintains the VPN instance of CE2; in this embodiment, the feature information of the first resource can be information stored on PE1 that relates to the VPN instance of CE2. Specifically, the feature information of the first resource can be at least one, or several, of the following: the VPN instance name, RD, RT, VPN index, VPN interface, IP address prefix and MAC address of CE2; when the feature information of the first resource includes several of these items, the items can be combined with "and" or "or".
Specifically, in this embodiment, the GID carried in the extended community attribute to indicate the second resource can have a mapping relationship with the attribute information of the VPN instance of CE1.
Optionally, in this embodiment, the method 100 further includes:
S170, the controller obtains the attribute information of the VPN instances maintained on PE1, PE2 and PE3 respectively; the attribute information includes the VPN instance name, VPN instance route distinguisher RD, VPN instance route target RT, VPN instance index value and VPN instance interface information.
Specifically, PE1, PE2 and PE3 each report the attribute information of their locally established VPN instances to the controller; Table 1 schematically shows the VPN instance attribute information reported by PE1, PE2 and PE3 to the controller:
Table 1
It should be understood that, taking PE2 as an example, the attribute information VPN-Instance Name, RD, IRT, ERT and Interface of the VPN instance of CE3 is configured on PE2 through the command line, and the VPN-Index is the index value that PE2 assigns to the VPN instance of CE3 after that instance has been configured on PE2. The same applies to PE1 and PE3 and is not repeated here.
S180, after obtaining the attribute information of the VPN instances of PE1, PE2 and PE3, the controller assigns a generic identifier (Generic ID, GID) to the attribute information of the VPN instances on each PE device.
Specifically, the GID is defined per PE device. For example, Table 2 shows, as an example, the controller assigning GIDs to the attribute information of the VPN instances on PE1, Table 3 shows the same for PE2, and Table 4 shows the same for PE3.
As Tables 2, 3 and 4 show, within one PE device the GIDs assigned by the controller correspond one-to-one with each item of attribute information of each VPN instance. It should be understood that Tables 2, 3 and 4 are examples rather than limitations; for example, for PE1 the controller could instead assign a single GID, say 20, to all the attribute information of the VPN instance of CE1 and a single GID, say 30, to all the attribute information of the VPN instance of CE2.
Table 2
Table 3
Table 4
Table 2 can also be called the VPN instance-GID mapping table of PE1, Table 3 the VPN instance-GID mapping table of PE2, and Table 4 the VPN instance-GID mapping table of PE3. These VPN instance-GID mapping tables contain the mapping between the attribute information of the relevant VPN instances and the GIDs assigned to it.
S190, the controller sends to PE1, PE2 and PE3 the VPN instance-GID mapping table corresponding to each PE. For example, the controller sends only the VPN instance-GID mapping table corresponding to "PE1: 1.1.1.1" (Table 2) to PE1, only the table corresponding to "PE2: 2.2.2.2" (Table 3) to PE2, and only the table corresponding to "PE3: 3.3.3.3" (Table 4) to PE3.
After receiving the VPN instance-GID mapping table of Table 2 from the controller, PE1 stores it locally, so PE1 and the controller share the knowledge that GID "1" maps to the attribute information "VPN-Instance Name: vpn1" of the VPN instance of CE1. It should be understood that, on PE1, GID "1" (or any of GIDs "2" to "6") uniquely identifies the VPN instance of CE1, and GID "7" (or any of GIDs "8" to "12") uniquely identifies the VPN instance of CE2.
Optionally, in this embodiment, the GID indicating the second resource is the GID corresponding to one item of attribute information of the VPN instance of CE1, for example GID "1". The feature information of the first resource can likewise be the GID corresponding to one item of attribute information of the VPN instance of CE2, for example GID "6".
It should be understood that, in this embodiment, the global identifiers that the controller assigns to the attribute information of the VPN instances on the PE devices (PE1/2/3 in FIG. 1) can also be called mapping labels, and the GID carried in the GID field of the extended community attribute field of the BGP Flow Spec protocol packet is one or more of those mapping labels.
Therefore, in this embodiment, the PE device can locate the VPN instance of CE1 through the GID. Thus, by carrying a concise GID in the extended community attribute field of the BGP Flow Spec protocol packet, the VPN instance of CE1 can be indicated, which saves signaling overhead.
Specifically, in the embodiment of the present invention, the feature information of the first resource may be any one, or several, of the following: the VPN instance name, VPN RD, VPN RT, VPN index, VPN interface, IP address prefix and MAC address of CE2, and the GID assigned by the controller to the attribute information of the VPN instance of CE2. The feature information of the first resource is encapsulated in the Flow Spec NLRI as TLVs (Type/Length/Value), as shown in Table 5:
Table 5
Optionally, in the embodiment of the present invention, the extended community attribute field of the BGP Flow Spec protocol packet includes a Flags field and a GID field. The Flags field includes a forwarding-plane bit and a control-plane bit: when the forwarding-plane bit is set to 0 and the control-plane bit is set to 1, the field indicates that the first resource and the second resource are to be associated on the control plane; when the forwarding-plane bit is set to 1 and the control-plane bit is set to 0, it indicates that they are to be associated on the forwarding plane. The GID field carries the second identifier.
In the conventional technique, extensions are usually limited to steering data flows into the corresponding forwarding channel on the forwarding plane. In the embodiment of the present invention, data flows can be steered into the corresponding forwarding channel not only on the forwarding plane but also on the control plane, so that this application enables flexible service orchestration.
It should be understood that, in the embodiment of the present invention, the forwarding-plane bit and the control-plane bit of the Flags field may also be replaced by a single first bit: when the first bit is set to 1, the first resource and the second resource are associated on the control plane; when it is set to 0, they are associated on the forwarding plane.
Optionally, in the embodiment of the present invention, the Flags field of the extended community attribute field further includes an additive bit. When the additive bit is set to 1, a new resource association is added on the forwarding device; when it is set to 0, the association between the first resource and the second resource overwrites the first resource's existing associations with other resources.
Specifically, as shown in Figure 3, the extended community attribute format includes a Type field, a Sub-Type field, a Flags field, a Reserved field and a GID field. The Type and Sub-Type values await formal assignment by the IETF. Reserved is a reserved field set to "0". The Flags field occupies one byte: bit 7 is the control-plane bit (Control-Plane Bit, the C bit), set to 1 to associate the first resource and the second resource on the control plane and otherwise 0; bit 6 is the forwarding-plane bit (Forwarding-Plane Bit, the F bit), set to 1 to associate the first resource and the second resource on the forwarding plane and otherwise 0; bit 5 is the additive bit (Additive Bit, the A bit), set to 1 to add an association on top of the existing ones, and otherwise the new association overwrites the existing one. The GID field carries the second identifier, which is the GID corresponding to some attribute of the VPN instance of CE2.
It should be understood that, in the embodiment of the present invention, the BGP Flow Spec protocol packet that the controller delivers to PE1 instructs PE1 to add the routing information of CE2 to the VRF of the VPN instance of CE1. This action belongs to the control plane, so in the Flags field of the extended community attribute of Figure 3 the C bit is set to "1" and the F bit to "0"; the value of the A bit may be determined by the specific service requirement.
In the embodiment of the present invention, the format of the extended community attribute is simple and clear: the C bit, the F bit and the GID field together tell the PE device which action to perform. Moreover, different combinations of the A, C and F bits let this one extended community attribute indicate different actions, which avoids the unrestricted extension of the BGP Flow Spec protocol seen in the prior art.
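An encoder and decoder for the extended community of Figure 3, added here as an example (not the patent's own code). It assumes, since the page does not say, that the attribute is a standard 8-octet BGP extended community (Reserved 1 octet, GID 4 octets), that "bit 7" of Flags is the most significant bit, and uses placeholder Type/Sub-Type values because the IETF has not assigned them; the decoder rejects the C/F combinations the description does not define.

```python
"""Encoder and decoder for the "Redirect to GID Action" extended community.

Added example, not the patent's code. Layout follows Figure 3: Type, Sub-Type,
Flags, Reserved, GID. Assumptions not stated on the page: 8-octet community,
so Reserved is 1 octet and GID is a 4-octet unsigned integer; bit 7 of Flags
is the most significant bit (0x80); Type/Sub-Type are placeholders.
"""
import struct
from dataclasses import dataclass

TYPE_PLACEHOLDER = 0x80      # placeholder until assigned by the IETF
SUB_TYPE_PLACEHOLDER = 0x0A  # placeholder until assigned by the IETF

C_BIT = 0x80  # bit 7: associate on the control plane
F_BIT = 0x40  # bit 6: associate on the forwarding plane
A_BIT = 0x20  # bit 5: additive (1) or overwrite (0)
UNDEFINED_BITS = 0x1F  # bits 4..0 of Flags carry no meaning and must be zero


@dataclass(frozen=True)
class RedirectToGid:
    control_plane: bool
    forwarding_plane: bool
    additive: bool
    gid: int

    def validate(self) -> None:
        # The description defines only C=1,F=0 and C=0,F=1. Anything else is
        # rejected so that a malformed update cannot be read two ways.
        if self.control_plane == self.forwarding_plane:
            raise ValueError("exactly one of the C and F bits must be set")
        if not 0 <= self.gid <= 0xFFFFFFFF:
            raise ValueError("GID does not fit the 4-octet GID field")

    def encode(self) -> bytes:
        """Serialise to the 8 octets Type | Sub-Type | Flags | Reserved | GID."""
        self.validate()
        flags = ((C_BIT if self.control_plane else 0)
                 | (F_BIT if self.forwarding_plane else 0)
                 | (A_BIT if self.additive else 0))
        return struct.pack("!BBBBI", TYPE_PLACEHOLDER, SUB_TYPE_PLACEHOLDER,
                           flags, 0, self.gid)


def decode(buf: bytes) -> RedirectToGid:
    """Parse one extended community; raises ValueError on anything non-conforming."""
    if len(buf) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    typ, sub_type, flags, reserved, gid = struct.unpack("!BBBBI", buf)
    if (typ, sub_type) != (TYPE_PLACEHOLDER, SUB_TYPE_PLACEHOLDER):
        raise ValueError("not a Redirect to GID Action community")
    if reserved != 0 or flags & UNDEFINED_BITS:
        raise ValueError("reserved octet and Flags bits 4..0 must be zero")
    ec = RedirectToGid(bool(flags & C_BIT), bool(flags & F_BIT),
                       bool(flags & A_BIT), gid)
    ec.validate()
    return ec


if __name__ == "__main__":
    # Method 100: add CE2's routes to CE1's VPN instance (GID 1 on PE1), control plane
    print(RedirectToGid(True, False, False, 1).encode().hex())   # 800a800000000001
    # Method 200: bind the flow to CE2's VPN instance (GID 7 on PE1), forwarding plane, additive
    print(RedirectToGid(False, True, True, 7).encode().hex())    # 800a600000000007
```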
In the embodiment of the present invention, the extended community attribute that includes the second identifier may be called the "Redirect to GID Action" extended community attribute.
In the embodiment of the present invention, the controller delivers a BGP Flow Spec protocol packet to the PE device (i.e. the forwarding device), instructing the PE device to add the routing information of a second CE device, whose VPN RT attributes do not match those of a first CE device, to the routing table of the first CE device. Data packets originating from the first CE device can thereby be steered into the forwarding channel of the second CE device; that is, the first CE device can access the second CE device despite the mismatched VPN RT attributes. Compared with the manual configuration of the prior art, this application therefore enables VPN communication between two CE devices with mismatched VPN RT attributes flexibly and efficiently. Moreover, whereas the conventional technique is limited to steering data flows into the corresponding forwarding channel on the forwarding plane, this application can do so on the control plane, which allows flexible service orchestration.
As shown in Figure 4, the embodiment of the present invention further provides a method 200 for associating a first resource with a second resource on the forwarding plane. Again taking the scenario of Figure 1 as an example, the method 200 includes:
S210: The controller (the SDN controller in Figure 1) receives a VPN service request from the user side (the orchestrator/network management system/user app in Figure 1). The VPN service request asks for access from CE1 to CE2, that is, for data packets originating from CE1 to be steered into the forwarding channel of CE2.
S220: From the VPN service request, the controller derives the requirement that a first resource needs to be associated with a second resource, where the first resource is the flow whose source IP address is the IP address of CE1 and whose destination IP address is the IP address of CE2, and the second resource is the VPN instance of CE2.
S230: According to this requirement, the controller sends a BGP Flow Spec protocol packet to PE1. The packet includes a network layer reachability information field and an extended community attribute field; the NLRI field carries the feature information of the first resource and the extended community attribute field carries the global identifier GID denoting the second resource. The feature information of the first resource expresses that the source IP address is the IP address of CE1 and the destination IP address is the IP address of CE2, and the packet instructs PE1 to forward data packets whose source and destination IP addresses match this feature information according to the VPN routing and forwarding table of the VPN instance of CE2.
S240: After receiving the BGP Flow Spec protocol packet from the controller, PE1 parses it and learns that data packets whose source IP address is that of CE1 and whose destination IP address is that of CE2 are to be bound to the VPN instance of CE2.
S250: PE1 receives from CE1 a data packet whose source IP address is the IP address of CE1 and whose destination IP address is the IP address of CE2.
S260: Based on the destination IP address of the data packet, PE1 looks up the VRF of the VPN instance of CE2, determines the forwarding egress of the packet, namely Interface2, the interface of the VPN instance of CE2, and forwards the packet out of Interface2, so that it reaches CE2; access from CE1 to CE2 is thus achieved.
Specifically, the format of the extended community attribute is as shown in Figure 3, with the C bit of the Flags field set to "0", the F bit set to "1", and the GID field carrying the GID corresponding to the attribute information of the VPN instance of CE2 (the GID that the controller assigned to the attribute information of the VPN instance of CE2, as shown in Table 2).
It should be understood that if the VPN service request is for CE2 to access CE1, it suffices to swap CE1 and CE2 in steps S210 to S250 above to achieve access from CE2 to CE1.
In the embodiment of the present invention, the controller delivers a BGP Flow Spec protocol packet to the PE device, instructing it to forward data packets whose source IP address is that of a first CE device and whose destination IP address is that of a second CE device according to the routing and forwarding table of the second CE device, whose VPN RT attributes do not match those of the first CE device. Data packets originating from the first CE device are thereby steered into the forwarding channel of the second CE device; that is, the first CE device can access the second CE device despite the mismatched VPN RT attributes. Compared with the manual configuration of the prior art, this application therefore enables VPN communication between two CE devices with mismatched VPN RT attributes flexibly and efficiently.
The scheme described in steps S170 to S190 above applies equally to the method 200 of Figure 4, in which the action is performed on the forwarding plane; it is not repeated here.
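The PE-side handling of both associations, as an added example (not the patent's code): with C=1 the routing information identified by the feature information is added to the VRF of the VPN instance that the GID denotes (method 100), and with F=1 the flow named by the feature information is bound to that VPN instance so that later packets are looked up in its VRF (method 200, S240 to S260). Prefixes, interface names, the tunnel label and the GID numbering are constructed samples; the A-bit handling for the control plane (replace earlier imports vs. add to them) is this example's interpretation of the description.

```python
"""Control-plane vs forwarding-plane association on a PE (added example).

Not the patent's code. Prefixes, interfaces and GIDs are constructed samples
modelled on Figure 1: CE1 (vpn1) and CE2 (vpn2) hang off PE1, and CE3's route
was learned from PE2 into vpn2 because the RTs of vpn2 and CE3's instance match.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Vrf:
    """VRF of one VPN instance: own routes plus routes imported by a C=1 action."""
    name: str
    routes: dict = field(default_factory=dict)    # prefix -> egress
    imported: dict = field(default_factory=dict)  # prefix -> egress (from Flow Spec)

    def lookup(self, dst: str):
        """Longest-prefix match over own and imported routes; None = no route."""
        best = None
        for prefix, egress in {**self.routes, **self.imported}.items():
            if ip_address(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, egress)
        return best[1] if best else None


@dataclass
class PE:
    gid_table: dict                # gid -> CE name, from the controller's mapping table
    vrfs: dict                     # CE name -> Vrf
    ce_of_iface: dict              # ingress interface -> CE whose VPN instance it belongs to
    flow_bindings: dict = field(default_factory=dict)  # (src, dst) -> CE name

    def handle_flowspec(self, feature: dict, gid: int, c_bit: bool, f_bit: bool, a_bit: bool) -> None:
        if c_bit == f_bit:
            raise ValueError("exactly one of the C and F bits must be set")
        target = self.vrfs[self.gid_table[gid]]   # second resource: the VPN instance for the GID
        if c_bit:
            # First resource: a CE's routing information, identified here by the
            # VPN instance name TLV (one of the feature-information kinds of Table 5).
            source = next((v for v in self.vrfs.values() if v.name == feature["vpn_instance"]), None)
            if source is None:
                raise ValueError(f"no VPN instance named {feature['vpn_instance']}")
            if not a_bit:
                target.imported.clear()   # A=0: new association replaces earlier imports
            target.imported.update(source.routes)
        else:
            # First resource: the (src, dst) flow; bind it to the target VPN instance.
            self.flow_bindings[(feature["src"], feature["dst"])] = self.gid_table[gid]

    def forward(self, iface: str, src: str, dst: str):
        """S250/S260: choose the VRF (flow binding first, else the ingress CE's own) and look up."""
        ce = self.flow_bindings.get((src, dst), self.ce_of_iface[iface])
        return self.vrfs[ce].lookup(dst)


def build_pe1() -> PE:
    vpn1 = Vrf("vpn1", {ip_network("10.1.0.0/24"): "Interface1"})
    vpn2 = Vrf("vpn2", {ip_network("10.2.0.0/24"): "Interface2",
                         ip_network("10.3.0.0/24"): "tunnel-to-PE2"})
    return PE(gid_table={1: "CE1", 7: "CE2"},
              vrfs={"CE1": vpn1, "CE2": vpn2},
              ce_of_iface={"Interface1": "CE1", "Interface2": "CE2"})


def demo() -> dict:
    out = {}
    # Method 100: C=1, feature names CE2's VPN instance, GID 1 denotes CE1's VPN instance
    pe_a = build_pe1()
    out["before_control"] = pe_a.forward("Interface1", "10.1.0.9", "10.2.0.5")
    pe_a.handle_flowspec({"vpn_instance": "vpn2"}, gid=1, c_bit=True, f_bit=False, a_bit=True)
    out["control_plane"] = pe_a.forward("Interface1", "10.1.0.9", "10.2.0.5")
    # Cross-PE forwarding-plane case: F=1, flow CE1 -> CE3, GID 7 denotes CE2's VPN instance
    pe_b = build_pe1()
    out["before_forwarding"] = pe_b.forward("Interface1", "10.1.0.9", "10.3.0.5")
    pe_b.handle_flowspec({"src": "10.1.0.9", "dst": "10.3.0.5"}, gid=7,
                         c_bit=False, f_bit=True, a_bit=True)
    out["forwarding_plane"] = pe_b.forward("Interface1", "10.1.0.9", "10.3.0.5")
    return out


if __name__ == "__main__":
    print(demo())
```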
It should be noted that the methods described above with reference to Figures 2 and 4 both assume, by way of example, that the VPN service request is for CE1 to access CE2 or for CE2 to access CE1, that is, that the accessing CE and the accessed CE are directly connected to the same PE device. The embodiments of the present invention are not limited to this; the methods they provide also apply to scenarios in which the accessing CE and the accessed CE are directly connected to different PE devices.
In the scenario where the accessing CE and the accessed CE are directly connected to different PE devices, the steps for achieving access from the accessing CE to the accessed CE by performing the action on the control plane, using the method provided by the embodiment of the present invention, are as follows:
Again taking the network deployment of Figure 1 as an example, the controller (the SDN controller in Figure 1) receives a VPN service request from the user side (the orchestrator/network management system/user app in Figure 1) asking for access from CE1 to CE3, that is, for data packets originating from CE1 to be steered into the forwarding channel of CE3. From the VPN service request, the controller derives the requirement that a first resource needs to be associated with a second resource, where the first resource is the routing information of CE3 and the second resource is the VPN instance of CE1. According to this requirement, the controller sends a BGP Flow Spec protocol packet to PE1. The packet includes a network layer reachability information field and an extended community attribute field; the NLRI field carries the feature information of the first resource and the extended community attribute field carries the global identifier GID denoting the second resource. The feature information of the first resource is information that can identify the routing information of CE3, and the packet instructs PE1 to add the routing information of CE3 to the VRF of the VPN instance of CE1. After receiving the packet, PE1 parses it, obtains the routing information of CE3 from the feature information of the first resource, obtains the VPN instance of CE1 from the GID, and then adds the routing information of CE3 to the VRF of the VPN instance of CE1. PE1 then receives on interface Interface1 a data packet from CE1 addressed to CE3, that is, a packet whose source IP address is the IP address of CE1 and whose destination IP address is the IP address of CE3. Based on the destination IP address, PE1 looks up the VRF of the VPN instance of CE1, finds the routing information of CE3, and steers the packet into the forwarding channel of CE3 according to the forwarding entry of that routing information.
It should be understood that although PE1 is not directly connected to CE3, PE1 can obtain the routing information of CE3 through its communication with PE2. In view of the description of the VPN-IPv4 concept above, a person skilled in the art will appreciate that after PE2 obtains the IPv4 (or IPv6) address of CE3, it adds the RD and ERT attributes of the VPN instance of CE3 to that address (it should be understood that the VPN instance of CE3 is established on PE2, as shown in Figure 1) to obtain the VPN-IPv4 route of CE3, and then advertises that VPN-IPv4 route to PE1 over the communication link between PE2 and PE1; PE1 thereby obtains the routing information of CE3.
It should be understood that the method for CE3 to access CE1 is similar to the above: it suffices to swap the roles of CE1 and CE3 and the roles of PE1 and PE2.
In the scenario where the accessing CE and the accessed CE are directly connected to different PE devices, the steps for achieving access from the accessing CE to the accessed CE by performing the action on the forwarding plane, using the method provided by the embodiment of the present invention, are as follows:
Again taking the network deployment of Figure 1 as an example, and assuming that the attribute information of the VPN instance of CE2 on PE1 is as follows:
VPN-Instance Name: vpn2
RD: 100:2
IRT: 100:2
ERT: 100:1
Interface: interface2 (interface2 on PE1 as shown in Figure 1)
VPN-Index: 102 (not shown in Figure 1)
That is, the RT attributes of the VPN instance of CE3 and of the VPN instance of CE2 match, and the VRF of the VPN instance of CE2 maintained by PE1 includes the routing information of CE3; in other words, the VPN forwarding table of the VPN instance of CE2 includes the forwarding entry for the routing information of CE3.
The controller (the SDN controller in Figure 1) receives a VPN service request from the user side (the orchestrator/network management system/user app in Figure 1) asking for access from CE1 to CE3, that is, for data packets originating from CE1 to be steered into the forwarding channel of CE3. From the VPN service request, the controller derives the requirement that a first resource needs to be associated with a second resource, where the first resource is the flow whose source IP address is the IP address of CE1 and whose destination IP address is the IP address of CE2, and the second resource is the VPN instance of CE3. According to this requirement, the controller sends a BGP Flow Spec protocol packet to PE1. The packet includes a network layer reachability information field and an extended community attribute field; the NLRI field carries the feature information of the first resource and the extended community attribute field carries the global identifier GID denoting the second resource. The feature information of the first resource expresses that the source IP address is the IP address of CE1 and the destination IP address is the IP address of CE2, and the packet instructs PE1 to forward data packets whose source and destination IP addresses match this feature information according to the VPN routing and forwarding table of the VPN instance of CE3. After receiving the packet from the controller, PE1 parses it. PE1 then receives from CE1 a data packet whose source IP address is the IP address of CE1 and whose destination IP address is the IP address of CE2. Based on the destination IP address, PE1 looks up the VPN forwarding table of the VPN instance of CE2, locates the forwarding entry for the routing information of CE3, and forwards the packet according to that entry; the packet reaches CE3, and access from CE1 to CE3 is thus achieved.
It should be understood that, in the scenario where the accessing CE and the accessed CE are directly connected to different PE devices, achieving access by performing the action on the forwarding plane with the method of the embodiment presupposes that the PE device directly connected to the accessing CE has a VPN instance whose VRF includes the routing information of the accessed CE.
The Flow Spec based communication method provided by the embodiment of the present invention modifies the VPN routing table on the control plane and can thereby flexibly and efficiently achieve VPN communication between CE devices whose RT attributes do not match.
Therefore, in the embodiment of the present invention, by carrying the feature information of the first resource in the NLRI field of the BGP Flow Spec protocol packet and the global identifier GID denoting the second resource in its extended community attribute field, the forwarding device can be instructed to associate the first resource with the second resource so as to steer the data flow into the corresponding forwarding channel. Compared with the conventional technique, the BGP FlowSpec protocol of this application can satisfy many kinds of service requirements through a unified packet format, which effectively avoids unrestricted extension of the extended community attributes of the BGP Flow Spec protocol. In addition, carrying a concise GID in the extended community attribute field of the BGP FlowSpec protocol packet suffices to indicate the second resource, which saves signalling overhead.
Optionally, the embodiment of the present invention further includes:
The controller obtains a second VPN service request, which asks that attribute information be configured for the VPN instance of CE5 (see Figure 5), newly added on the PE2 device, and for the VPN instance of CE6 (see Figure 5), newly added on the PE3 device.
According to the second VPN service request, the controller configures the following attribute information for the VPN instance of CE5: VPN instance name, VPN instance RD, VPN instance RT, VPN instance index value and VPN instance interface information, and the same attribute information for the VPN instance of CE6. The VPN instance of CE5 does not conflict with the VPN instance of CE3 in the following attributes: VPN instance name, VPN instance RD and VPN instance index information; the VPN instance of CE6 does not conflict with the VPN instance of CE4 in the same attributes.
Specifically, as shown in Figure 5, the user has two devices, CE5 and CE6, and now needs to connect them over the operator's network by means of a VPN.
Step 1: The user sends a VPN service request to the controller, asking that CE5 and CE6 be connected by VPN.
Specifically, the VPN service request includes CE device information such as the IP addresses and MAC addresses of CE5 and CE6.
Step 2: From the CE device information carried in the VPN service request, the controller learns that CE5 is connected to PE2 and CE6 to PE3, and therefore determines that a VPN is to be deployed on PE2 and PE3 to connect CE5 and CE6.
Step 3: The controller configures the VPN instance corresponding to CE5 on PE2 and assigns GIDs to the attribute information of that VPN instance, as shown in Table 6. As Table 6 shows, the controller assigns to the VPN instance of CE5 on PE2 attribute information VPN-Instance Name, RD, IRT, ERT and VPN-Index that does not conflict with the existing VPN instance of CE3, and also assigns a GID value to each attribute of the VPN instance of CE5.
Step 4: The controller delivers the newly assigned attribute information of the VPN instance of CE5 to PE2.
Step 5: The controller delivers the GID resource table updated with the attribute information of the VPN instance of CE5 (Table 6) to PE2, so that the GID resource table information on the controller and on the controlled device is synchronised.
Table 6
Steps 3, 4 and 5 above describe only the processing related to PE2; in actual implementation, PE3 is processed in the same way as PE2.
Therefore, in the embodiment of the present invention, because the controller obtains the attribute information of the VPN instances already present on a PE device, it can avoid conflicts between the attribute information of different VPN instances when configuring attribute information for a VPN instance added to that PE device. Compared with the prior art, which relies on planning to avoid conflicts, this application avoids conflicts effectively and with higher operational efficiency.
Figure 6 is a schematic block diagram of a controller 300 according to an embodiment of the present invention. As shown in Figure 6, the controller 300 includes:
an obtaining module 310, configured to obtain the requirement that a first resource on a forwarding device needs to be associated with a second resource on the forwarding device;
a sending module 320, configured to send, according to the requirement obtained by the obtaining module, a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet to the forwarding device. The BGP Flow Spec protocol packet includes a network layer reachability information field and an extended community attribute field; the NLRI field carries the feature information of the first resource, the extended community attribute field carries the global identifier GID denoting the second resource, and the packet instructs the forwarding device to associate the first resource with the second resource.
Optionally, in the embodiment of the present invention, the extended community attribute field includes a GID field and a Flags field. The GID field carries the GID, and the Flags field carries information indicating whether the first resource and the second resource are to be associated on the control plane or on the forwarding plane of the forwarding device.
Optionally, in the embodiment of the present invention, the Flags field includes a forwarding-plane bit and a control-plane bit. When the forwarding-plane bit is set to 0 and the control-plane bit to 1, the field indicates association of the first resource with the second resource on the control plane; when the forwarding-plane bit is set to 1 and the control-plane bit to 0, it indicates association on the forwarding plane.
Optionally, in the embodiment of the present invention, the forwarding device is a provider edge (PE) device on which the virtual private network (VPN) instance of a first customer edge (CE) device is established; the forwarding device holds the routing information of a second CE device, and that routing information is not in the VPN routing table of the VPN instance of the first CE device. The obtaining module 310 is configured to obtain a VPN service request asking that the first CE device access the second CE device, and to derive from it the requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the second CE device and the second resource is the VPN instance of the first CE device;
the sending module 320 is configured to send the BGP Flow Spec protocol packet to the forwarding device according to that requirement, where the Flags field of the packet indicates association of the first resource with the second resource on the control plane, and the packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
Optionally, in the embodiment of the present invention, the obtaining module 310 is further configured to obtain from the forwarding device the attribute information of the VPN instance of the first CE device, the attribute information including the VPN instance name, the VPN instance route distinguisher (RD), the VPN instance route target (RT), the VPN instance index value and the VPN instance interface information;
the controller 300 further includes:
an identifier assignment module 330, configured to assign mapping identifiers to the attribute information of the VPN instance of the first CE device, each mapping identifier uniquely denoting that attribute information within the forwarding device;
the sending module 320 is further configured to send to the forwarding device a mapping table containing the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers,
and the GID carried in the GID field is one or more of the mapping identifiers.
Optionally, in the embodiment of the present invention, the obtaining module 310 is further configured to obtain a VPN service request asking that attribute information be configured for the VPN instance of a third CE device newly established on the forwarding device;
the controller 300 further includes:
a VPN instance configuration module 340, configured to configure the following attribute information for the VPN instance of the third CE device: VPN instance name, VPN instance RD, VPN instance RT and VPN instance interface information, where the following attribute information of the VPN instance of the third CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device: VPN instance name, VPN instance RD and VPN instance interface information.
Optionally, in the embodiment of the present invention, the VPN instance of the second CE device is established on the forwarding device, and the VPN routing table of that VPN instance includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: VPN instance name, VPN instance RD, VPN instance index value, VPN instance interface information and VPN instance GID.
Optionally, in the embodiment of the present invention, the VPN instance of the second CE device is not established on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following: the RD information, the Export Target information or the route prefix information corresponding to the routing information of the second CE device.
Optionally, in the embodiment of the present invention, the forwarding device is a PE device on which the VPN instance of a first CE device and the VPN instance of a third CE device are established; the forwarding device also holds the routing information of a second CE device, which is not included in the VPN routing table of the VPN instance of the first CE device but is included in the VPN routing table of the VPN instance of the third CE device. The obtaining module 310 is configured to obtain a VPN service request asking that the first CE device access the second CE device, and to derive from it the requirement that the first resource needs to be associated with the second resource, where the first resource is the flow whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, and the second resource is the VPN instance of the third CE device;
the sending module 320 is further configured to send the BGP Flow Spec protocol packet to the forwarding device according to that requirement, where the Flags field of the packet indicates association of the first resource with the second resource on the forwarding plane, and the packet instructs the forwarding device to forward data packets whose source and destination IP addresses match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
Optionally, in the embodiment of the present invention, the second CE device is the third CE device.
It should be understood that the controller 300 according to the embodiment of the present invention may correspond to the controller in the Flow Spec based communication method of the embodiment, and that the above and other operations and/or functions of the modules of the controller 300 serve to implement the corresponding procedures of the methods of Figures 1 to 5; for brevity they are not repeated here.
Figure 7 is a schematic block diagram of a forwarding device 400 according to an embodiment of the present invention. As shown in Figure 7, the forwarding device 400 includes:
a receiving module 410, configured to receive a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet sent by a controller, the packet including a network layer reachability information field and an extended community attribute field, where the NLRI field carries the feature information of a first resource on the forwarding device, the extended community attribute field carries the global identifier GID denoting a second resource on the forwarding device, and the packet instructs the forwarding device to associate the first resource with the second resource;
an obtaining module 420, configured to obtain the first resource according to the feature information received by the receiving module, and to obtain the second resource according to the GID;
an association module 430, configured to associate the first resource with the second resource according to the BGP Flow Spec protocol packet received by the receiving module.
Optionally, in the embodiment of the present invention, the forwarding device 400 is a provider edge (PE) device on which the virtual private network (VPN) instance of a first customer edge (CE) device is established; the forwarding device holds the routing information of a second CE device, which is not in the VPN routing table of the VPN instance of the first CE device. The receiving module 410 is configured to receive the BGP Flow Spec protocol packet that the controller sends according to a VPN service request asking that the first CE device access the second CE device, where the first resource is the routing information of the second CE device, the second resource is the VPN instance of the first CE device, the Flags field of the packet indicates association of the first resource with the second resource on the control plane, and the packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device;
the association module 430 is configured to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
Optionally, in the embodiment of the present invention, the forwarding device 400 further includes:
a sending module 440, configured to send to the controller the attribute information of the VPN instance of the first CE device, the attribute information including the VPN instance name, the VPN instance route distinguisher (RD), the VPN instance route target (RT), the VPN instance index value and the VPN instance interface information;
the receiving module 410 is configured to receive a mapping table sent by the controller, containing the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers that the controller assigned to that attribute information, each mapping identifier uniquely denoting the attribute information within the forwarding device,
and the GID carried in the GID field is one or more of the mapping identifiers.
Optionally, in the embodiment of the present invention, the VPN instance of the second CE device is established on the forwarding device 400, and the VPN routing table of that VPN instance includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: VPN instance name, VPN instance RD, VPN instance index value, VPN instance interface information and VPN instance GID;
the obtaining module 420 is configured to obtain the routing information of the second CE device from the VPN routing table of the VPN instance of the second CE device according to the feature information of the first resource.
Optionally, in the embodiment of the present invention, the VPN instance of the second CE device is not established on the forwarding device 400, and the VPN public network routing table of the forwarding device 400 includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following: the RD information, the Export Target information or the route prefix information corresponding to the routing information of the second CE device;
the obtaining module 420 is configured to obtain the routing information of the second CE device from the VPN public network routing table according to the feature information of the first resource.
Optionally, in the embodiment of the present invention, the forwarding device 400 is a PE device on which the VPN instance of a first CE device and the VPN instance of a third CE device are established; the forwarding device also holds the routing information of a second CE device, which is not included in the VPN routing table of the VPN instance of the first CE device but is included in the VPN routing table of the VPN instance of the third CE device. The receiving module 410 is configured to receive the BGP Flow Spec protocol packet that the controller sends according to a VPN service request asking that the first CE device access the second CE device, where the first resource is the flow whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, the second resource is the VPN instance of the third CE device, the Flags field of the packet indicates association of the first resource with the second resource on the forwarding plane, and the packet instructs the forwarding device to forward data packets whose source and destination IP addresses match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device;
the association module 430 includes:
a receiving unit, configured to receive a data packet whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device;
a forwarding unit, configured to forward the data packet according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
Optionally, in the embodiment of the present invention, the second CE device is the third CE device.
It should be understood that the forwarding device 400 according to the embodiment of the present invention may correspond to the forwarding device in the Flow Spec based communication method of the embodiment, and that the above and other operations and/or functions of the modules of the forwarding device 400 serve to implement the corresponding procedures of the methods of Figures 1 to 5; for brevity they are not repeated here.
As shown in Figure 8, the embodiment of the present invention further provides a controller 500, which includes a processor 510, a memory 520, a bus system 530, a receiver 540 and a transmitter 550. The processor 510, the memory 520, the receiver 540 and the transmitter 550 are connected through the bus system 530; the memory 520 stores instructions, and the processor 510 executes the instructions stored in the memory 520 to control the receiver 540 to receive signals and the transmitter 550 to send signals. The processor 510 is configured to obtain the requirement that a first resource on a forwarding device needs to be associated with a second resource on the forwarding device; the transmitter 550 is configured to send, according to that requirement, a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet to the forwarding device, the packet including a network layer reachability information field carrying the feature information of the first resource and an extended community attribute field carrying the global identifier GID denoting the second resource, and instructing the forwarding device to associate the first resource with the second resource.
Optionally, in the embodiment of the present invention, the forwarding device is a provider edge (PE) device on which the virtual private network (VPN) instance of a first customer edge (CE) device is established; the forwarding device holds the routing information of a second CE device, which is not in the VPN routing table of the VPN instance of the first CE device. The processor 510 is configured to obtain a VPN service request asking that the first CE device access the second CE device, and to derive from it the requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the second CE device and the second resource is the VPN instance of the first CE device; the transmitter 550 is configured to send the BGP Flow Spec protocol packet to the forwarding device according to that requirement, where the Flags field of the packet indicates association of the first resource with the second resource on the control plane, and the packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
Optionally, in the embodiment of the present invention, the processor 510 is configured to obtain from the forwarding device the attribute information of the VPN instance of the first CE device, the attribute information including the VPN instance name, the VPN instance route distinguisher (RD), the VPN instance route target (RT), the VPN instance index value and the VPN instance interface information, and to assign mapping identifiers to that attribute information, each mapping identifier uniquely denoting the attribute information within the forwarding device; the transmitter 550 is configured to send to the forwarding device a mapping table containing the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers, and the GID carried in the GID field is one or more of the mapping identifiers.
Optionally, in the embodiment of the present invention, the processor 510 is configured to obtain a VPN service request asking that attribute information be configured for the VPN instance of a third CE device newly established on the forwarding device, and to configure the following attribute information for that VPN instance: VPN instance name, VPN instance RD, VPN instance RT and VPN instance interface information, where the following attribute information of the VPN instance of the third CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device: VPN instance name, VPN instance RD and VPN instance interface information.
Optionally, in the embodiment of the present invention, the VPN instance of the second CE device is established on the forwarding device, and the VPN routing table of that VPN instance includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: VPN instance name, VPN instance RD, VPN instance index value, VPN instance interface information and VPN instance GID.
Optionally, in the embodiment of the present invention, the VPN instance of the second CE device is not established on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following: the RD information, the Export Target information or the route prefix information corresponding to the routing information of the second CE device.
Optionally, in the embodiment of the present invention, the forwarding device is a PE device on which the VPN instance of a first CE device and the VPN instance of a third CE device are established; the forwarding device also holds the routing information of a second CE device, which is not included in the VPN routing table of the VPN instance of the first CE device but is included in the VPN routing table of the VPN instance of the third CE device. The processor 510 is configured to obtain a VPN service request asking that the first CE device access the second CE device, and to derive from it the requirement that the first resource needs to be associated with the second resource, where the first resource is the flow whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, and the second resource is the VPN instance of the third CE device; the transmitter 550 is configured to send the BGP Flow Spec protocol packet to the forwarding device according to that requirement, where the Flags field of the packet indicates association of the first resource with the second resource on the forwarding plane, and the packet instructs the forwarding device to forward data packets whose source and destination IP addresses match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
Optionally, in the embodiment of the present invention, the second CE device is the third CE device.
It should be understood that, in the embodiment of the present invention, the processor 510 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 520 may include read-only memory and random access memory, and provides instructions and data to the processor 510. Part of the memory 520 may also include non-volatile random access memory. For example, the memory 520 may also store device type information.
Besides a data bus, the bus system 530 may include a power bus, a control bus, a status signal bus and so on. For clarity, the various buses are all labelled as the bus system 530 in the figure.
In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 510 or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be embodied directly as being executed by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 520; the processor 510 reads the information in the memory 520 and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be understood that the controller 500 according to the embodiment of the present invention may correspond to the controller in the Flow Spec based communication method of the embodiment and to the controller 300 of the embodiment, and that the above and other operations and/or functions of the modules of the controller 500 serve to implement the corresponding procedures of the methods of Figures 1 to 5; for brevity they are not repeated here.
As shown in Figure 9, the embodiment of the present invention further provides a forwarding device 600, which includes a processor 610, a memory 620, a bus system 630, a receiver 640 and a transmitter 650. The processor 610, the memory 620, the receiver 640 and the transmitter 650 are connected through the bus system 630; the memory 620 stores instructions, and the processor 610 executes the instructions stored in the memory 620 to control the receiver 640 to receive signals and the transmitter 650 to send signals. The receiver 640 is configured to receive a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet sent by a controller, the packet including a network layer reachability information field and an extended community attribute field, where the NLRI field carries the feature information of a first resource on the forwarding device, the extended community attribute field carries the global identifier GID denoting a second resource on the forwarding device, and the packet instructs the forwarding device to associate the first resource with the second resource; the processor 610 is configured to obtain the first resource according to the feature information of the first resource and to obtain the second resource according to the GID; and the forwarding device associates the first resource with the second resource.
Optionally, in the embodiment of the present invention, the forwarding device 600 is a provider edge (PE) device on which the virtual private network (VPN) instance of a first customer edge (CE) device is established; the forwarding device holds the routing information of a second CE device, which is not in the VPN routing table of the VPN instance of the first CE device. The receiver 640 is configured to receive the BGP Flow Spec protocol packet that the controller sends according to a VPN service request asking that the first CE device access the second CE device, where the first resource is the routing information of the second CE device, the second resource is the VPN instance of the first CE device, the Flags field of the packet indicates association of the first resource with the second resource on the control plane, and the packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device;
the processor 610 is configured to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
Optionally, in the embodiment of the present invention, the transmitter 650 is configured to send to the controller the attribute information of the VPN instance of the first CE device, the attribute information including the VPN instance name, the VPN instance route distinguisher (RD), the VPN instance route target (RT), the VPN instance index value and the VPN instance interface information; the receiver 640 is configured to receive a mapping table sent by the controller, containing the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers that the controller assigned to that attribute information, each mapping identifier uniquely denoting the attribute information within the forwarding device, and the GID carried in the GID field is one or more of the mapping identifiers.
Optionally, in the embodiment of the present invention, the VPN instance of the second CE device is established on the forwarding device 600, and the VPN routing table of that VPN instance includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: VPN instance name, VPN instance RD, VPN instance index value, VPN instance interface information and VPN instance GID;
the processor 610 is configured to obtain the routing information of the second CE device from the VPN routing table of the VPN instance of the second CE device according to the feature information of the first resource.
Optionally, in the embodiment of the present invention, the VPN instance of the second CE device is not established on the forwarding device 600, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device;
the feature information of the first resource is at least one of the following: the RD information, the Export Target information or the route prefix information corresponding to the routing information of the second CE device;
the processor 610 is configured to obtain the routing information of the second CE device from the VPN public network routing table according to the feature information of the first resource.
Optionally, in the embodiment of the present invention, the forwarding device 600 is a PE device on which the VPN instance of a first CE device and the VPN instance of a third CE device are established; the forwarding device also holds the routing information of a second CE device, which is not included in the VPN routing table of the VPN instance of the first CE device but is included in the VPN routing table of the VPN instance of the third CE device. The receiver 640 is configured to receive the BGP Flow Spec protocol packet that the controller sends according to a VPN service request asking that the first CE device access the second CE device, where the first resource is the flow whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, the second resource is the VPN instance of the third CE device, the Flags field of the packet indicates association of the first resource with the second resource on the forwarding plane, and the packet instructs the forwarding device to forward data packets whose source and destination IP addresses match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device;
the receiver 640 is configured to receive a data packet whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device;
the processor 610 is configured to forward the data packet according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
Optionally, in the embodiment of the present invention, the second CE device is the third CE device.
It should be understood that, in the embodiment of the present invention, the processor 610 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 620 may include read-only memory and random access memory, and provides instructions and data to the processor 610. Part of the memory 620 may also include non-volatile random access memory. For example, the memory 620 may also store device type information.
Besides a data bus, the bus system 630 may include a power bus, a control bus, a status signal bus and so on. For clarity, the various buses are all labelled as the bus system 630 in the figure.
In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 610 or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be embodied directly as being executed by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 620; the processor 610 reads the information in the memory 620 and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be understood that the forwarding device 600 according to the embodiment of the present invention may correspond to the forwarding device in the Flow Spec based communication method of the embodiment and to the forwarding device 400 of the embodiment, and that the above and other operations and/or functions of the modules of the forwarding device 600 serve to implement the corresponding procedures of the methods of Figures 1 to 5; for brevity they are not repeated here.
As shown in Figure 10, the embodiment of the present invention further provides a Flow Spec based communication system 700, which includes a controller 710 and a forwarding device 720; the controller 710 corresponds to the controller 300 of the embodiment and the forwarding device 720 to the forwarding device 400 of the embodiment.
It should also be understood that the various numerical labels in this document serve only to distinguish items for convenience of description and are not intended to limit the scope of the embodiments of the present invention.
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the above processes do not imply an order of execution; the order of execution should be determined by their functions and internal logic, and does not limit the implementation of the embodiments of the present invention in any way.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of the present invention.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation; for example, several units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual need to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, may exist physically as separate units, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the communication method described in the embodiments of the present invention. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are only specific implementations of the present invention, but the scope of protection of the present invention is not limited to them. Any variation or replacement that a person familiar with the technical field can readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention, which shall therefore be subject to the scope of protection of the claims.
Claims (42)
- A flow specification protocol based communication method, characterized by comprising: a controller obtaining a requirement that a first resource on a forwarding device needs to be associated with a second resource on the forwarding device; and the controller sending, according to the requirement, a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet to the forwarding device, the BGP Flow Spec protocol packet including a network layer reachability information field and an extended community attribute field, the network layer reachability information field carrying feature information of the first resource, the extended community attribute field carrying a global identifier (GID) denoting the second resource, and the BGP Flow Spec protocol packet instructing the forwarding device to associate the first resource with the second resource.
- The communication method according to claim 1, characterized in that the extended community attribute field includes a GID field and a Flags field, the GID field carries the GID, and the Flags field carries information indicating whether the first resource and the second resource are to be associated on the control plane or on the forwarding plane of the forwarding device.
- The communication method according to claim 2, characterized in that the Flags field includes a forwarding-plane bit and a control-plane bit; when the forwarding-plane bit is set to 0 and the control-plane bit is set to 1, the Flags field indicates association of the first resource with the second resource on the control plane, and when the forwarding-plane bit is set to 1 and the control-plane bit is set to 0, it indicates association of the first resource with the second resource on the forwarding plane.
- The communication method according to claim 2 or 3, characterized in that the forwarding device is a provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established, and routing information of a second CE device is not in the VPN routing table of the VPN instance of the first CE device; the communication method further comprises: the controller obtaining a VPN service request asking that the first CE device access the second CE device; the controller obtaining the requirement that the first resource on the forwarding device needs to be associated with the second resource on the forwarding device comprises: the controller obtaining, according to the VPN request, the requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the second CE device and the second resource is the VPN instance of the first CE device; and the controller sending the BGP Flow Spec protocol packet to the forwarding device according to the requirement comprises: the controller sending, according to the requirement, the BGP Flow Spec protocol packet to the forwarding device, where the Flags field of the BGP Flow Spec protocol packet indicates association of the first resource with the second resource on the control plane, and the BGP Flow Spec protocol packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
- The communication method according to claim 4, characterized in that the communication method further comprises: the controller obtaining from the forwarding device attribute information of the VPN instance of the first CE device, the attribute information including a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value and VPN instance interface information; the controller assigning mapping identifiers to the attribute information of the VPN instance of the first CE device, each mapping identifier uniquely denoting the attribute information of the VPN instance of the first CE device within the forwarding device; and the controller sending a mapping table to the forwarding device, the mapping table including the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers, where the GID carried in the GID field is one or more of the mapping identifiers.
- The communication method according to claim 5, characterized in that the communication method further comprises: the controller obtaining a VPN service request asking that attribute information be configured for a VPN instance of a third CE device newly established on the forwarding device; and the controller configuring the following attribute information for the VPN instance of the third CE device: a VPN instance name, a VPN instance RD, a VPN instance RT and VPN instance interface information, where the following attribute information of the VPN instance of the third CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device: the VPN instance name, the VPN instance RD and the VPN instance interface information.
- The communication method according to any one of claims 4 to 6, characterized in that a VPN instance of the second CE device is established on the forwarding device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device; the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: a VPN instance name, a VPN instance RD, a VPN instance index value, VPN instance interface information and a VPN instance GID.
- The communication method according to any one of claims 4 to 6, characterized in that no VPN instance of the second CE device is established on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device; the feature information of the first resource is at least one of the following: RD information, Export Target information or route prefix information corresponding to the routing information of the second CE device.
- The communication method according to claim 2 or 3, characterized in that the forwarding device is a provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device and a VPN instance of a third CE device are established, routing information of a second CE device is not included in the VPN routing table of the VPN instance of the first CE device, and the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device; the communication method further comprises: the controller obtaining a VPN service request asking that the first CE device access the second CE device; the controller obtaining the requirement that the first resource on the forwarding device needs to be associated with the second resource on the forwarding device comprises: the controller obtaining, according to the VPN request, the requirement that the first resource needs to be associated with the second resource, where the first resource is the flow whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, and the second resource is the VPN instance of the third CE device; and the controller sending the BGP Flow Spec protocol packet to the forwarding device according to the requirement comprises: the controller sending, according to the requirement, the BGP Flow Spec protocol packet to the forwarding device, where the Flags field of the BGP Flow Spec protocol packet indicates association of the first resource with the second resource on the forwarding plane, and the BGP Flow Spec protocol packet instructs the forwarding device to forward data packets whose source IP address and destination IP address match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- The communication method according to claim 9, characterized in that the communication method further comprises: the controller obtaining from the forwarding device attribute information of the VPN instance of the third CE device, the attribute information including a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value and VPN instance interface information; the controller assigning mapping identifiers to the attribute information of the VPN instance of the third CE device, each mapping identifier uniquely denoting the attribute information of the VPN instance of the third CE device within the forwarding device; and the controller sending a mapping table to the forwarding device, the mapping table including the mapping between the attribute information of the VPN instance of the third CE device and the mapping identifiers, where the GID carried in the GID field is one or more of the mapping identifiers.
- The communication method according to claim 10, characterized in that the communication method further comprises: the controller obtaining a VPN service request asking that attribute information be configured for a VPN instance of a fourth CE device newly established on the forwarding device; and the controller configuring the following attribute information for the VPN instance of the fourth CE device: a VPN instance name, a VPN instance RD, a VPN instance RT and VPN instance interface information, where the following attribute information of the VPN instance of the fourth CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device and of the VPN instance of the third CE device: the VPN instance name, the VPN instance RD and the VPN instance interface information.
- The communication method according to any one of claims 9 to 11, characterized in that the second CE device is the third CE device.
- A flow specification protocol based communication method, characterized by comprising: a forwarding device receiving a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet sent by a controller, the BGP Flow Spec protocol packet including a network layer reachability information field and an extended community attribute field, the network layer reachability information field carrying feature information of a first resource on the forwarding device, the extended community attribute field carrying a global identifier (GID) denoting a second resource on the forwarding device, and the BGP Flow Spec protocol packet instructing the forwarding device to associate the first resource with the second resource; the forwarding device obtaining the first resource according to the feature information of the first resource and obtaining the second resource according to the GID; and the forwarding device associating the first resource with the second resource.
- The communication method according to claim 13, characterized in that the extended community attribute field includes a GID field and a Flags field, the GID field carries the GID, and the Flags field carries information indicating whether the first resource and the second resource are to be associated on the control plane or on the forwarding plane of the forwarding device.
- The communication method according to claim 14, characterized in that the Flags field includes a forwarding-plane bit and a control-plane bit; when the forwarding-plane bit is set to 0 and the control-plane bit is set to 1, the Flags field indicates association of the first resource with the second resource on the control plane, and when the forwarding-plane bit is set to 1 and the control-plane bit is set to 0, it indicates association of the first resource with the second resource on the forwarding plane.
- The communication method according to claim 14 or 15, characterized in that the forwarding device is a provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established, and routing information of a second CE device is not in the VPN routing table of the VPN instance of the first CE device; the forwarding device receiving the BGP Flow Spec protocol packet sent by the controller comprises: the forwarding device receiving the BGP Flow Spec protocol packet that the controller sends according to a VPN service request, the VPN service request asking that the first CE device access the second CE device, where the first resource is the routing information of the second CE device, the second resource is the VPN instance of the first CE device, the Flags field of the BGP Flow Spec protocol packet indicates association of the first resource with the second resource on the control plane, and the BGP Flow Spec protocol packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device; and the forwarding device associating the first resource with the second resource comprises: the forwarding device adding the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
- The communication method according to claim 16, characterized in that the communication method further comprises: the forwarding device sending to the controller attribute information of the VPN instance of the first CE device, the attribute information including a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value and VPN instance interface information; and the forwarding device receiving a mapping table sent by the controller, the mapping table including the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers that the controller assigned to that attribute information, each mapping identifier uniquely denoting the attribute information of the VPN instance of the first CE device within the forwarding device, where the GID carried in the GID field is one or more of the mapping identifiers.
- The communication method according to claim 16 or 17, characterized in that a VPN instance of the second CE device is established on the forwarding device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device; the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: a VPN instance name, a VPN instance RD, a VPN instance index value, VPN instance interface information and a VPN instance GID; and the forwarding device obtaining the first resource according to the feature information of the first resource comprises: the forwarding device obtaining the routing information of the second CE device from the VPN routing table of the VPN instance of the second CE device according to the feature information of the first resource.
- The communication method according to claim 16 or 17, characterized in that no VPN instance of the second CE device is established on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device; the feature information of the first resource is at least one of the following: RD information, Export Target information or route prefix information corresponding to the routing information of the second CE device; and the forwarding device obtaining the first resource according to the feature information of the first resource comprises: the forwarding device obtaining the routing information of the second CE device from the VPN public network routing table according to the feature information of the first resource.
- The communication method according to claim 14 or 15, characterized in that the forwarding device is a provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device and a VPN instance of a third CE device are established, routing information of a second CE device is not included in the VPN routing table of the VPN instance of the first CE device, and the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device; the forwarding device receiving the BGP Flow Spec protocol packet sent by the controller comprises: the forwarding device receiving the BGP Flow Spec protocol packet that the controller sends according to a VPN service request, the VPN service request asking that the first CE device access the second CE device, where the first resource is the flow whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, the second resource is the VPN instance of the third CE device, the Flags field of the BGP Flow Spec protocol packet indicates association of the first resource with the second resource on the forwarding plane, and the BGP Flow Spec protocol packet instructs the forwarding device to forward data packets whose source IP address and destination IP address match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device; and the forwarding device associating the first resource with the second resource comprises: the forwarding device receiving a data packet whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device; and the forwarding device forwarding the data packet according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- The communication method according to claim 20, characterized in that the communication method further comprises: the forwarding device sending to the controller attribute information of the VPN instance of the third CE device, the attribute information including a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value and VPN instance interface information; and the forwarding device receiving a mapping table sent by the controller, the mapping table including the mapping between the attribute information of the VPN instance of the third CE device and the mapping identifiers that the controller assigned to that attribute information, each mapping identifier uniquely denoting the attribute information of the VPN instance of the third CE device within the forwarding device, where the GID carried in the GID field is one or more of the mapping identifiers.
- The communication method according to claim 20 or 21, characterized in that the second CE device is the third CE device.
- A controller, characterized by comprising: an obtaining module, configured to obtain a requirement that a first resource on a forwarding device needs to be associated with a second resource on the forwarding device; and a sending module, configured to send, according to the requirement obtained by the obtaining module, a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet to the forwarding device, the BGP Flow Spec protocol packet including a network layer reachability information field and an extended community attribute field, the network layer reachability information field carrying feature information of the first resource, the extended community attribute field carrying a global identifier (GID) denoting the second resource, and the BGP Flow Spec protocol packet instructing the forwarding device to associate the first resource with the second resource.
- The controller according to claim 23, characterized in that the extended community attribute field includes a GID field and a Flags field, the GID field carries the GID, and the Flags field carries information indicating whether the first resource and the second resource are to be associated on the control plane or on the forwarding plane of the forwarding device.
- The controller according to claim 24, characterized in that the Flags field includes a forwarding-plane bit and a control-plane bit; when the forwarding-plane bit is set to 0 and the control-plane bit is set to 1, the Flags field indicates association of the first resource with the second resource on the control plane, and when the forwarding-plane bit is set to 1 and the control-plane bit is set to 0, it indicates association of the first resource with the second resource on the forwarding plane.
- The controller according to claim 24 or 25, characterized in that the forwarding device is a provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established, and routing information of a second CE device is not in the VPN routing table of the VPN instance of the first CE device; the obtaining module is configured to obtain a VPN service request asking that the first CE device access the second CE device, and to obtain, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is the routing information of the second CE device and the second resource is the VPN instance of the first CE device; and the sending module is configured to send, according to the requirement, the BGP Flow Spec protocol packet to the forwarding device, where the Flags field of the BGP Flow Spec protocol packet indicates association of the first resource with the second resource on the control plane, and the BGP Flow Spec protocol packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
- The controller according to claim 26, characterized in that the obtaining module is further configured to obtain from the forwarding device attribute information of the VPN instance of the first CE device, the attribute information including a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value and VPN instance interface information; the controller further comprises an identifier assignment module, configured to assign mapping identifiers to the attribute information of the VPN instance of the first CE device, each mapping identifier uniquely denoting the attribute information of the VPN instance of the first CE device within the forwarding device; and the sending module is further configured to send a mapping table to the forwarding device, the mapping table including the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers, where the GID carried in the GID field is one or more of the mapping identifiers.
- The controller according to claim 27, characterized in that the obtaining module is further configured to obtain a VPN service request asking that attribute information be configured for a VPN instance of a third CE device newly established on the forwarding device; and the controller further comprises a VPN instance configuration module, configured to configure the following attribute information for the VPN instance of the third CE device: a VPN instance name, a VPN instance RD, a VPN instance RT and VPN instance interface information, where the following attribute information of the VPN instance of the third CE device does not conflict with the corresponding attribute information of the VPN instance of the first CE device: the VPN instance name, the VPN instance RD and the VPN instance interface information.
- The controller according to any one of claims 26 to 28, characterized in that a VPN instance of the second CE device is established on the forwarding device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device; the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: a VPN instance name, a VPN instance RD, a VPN instance index value, VPN instance interface information and a VPN instance GID.
- The controller according to any one of claims 26 to 28, characterized in that no VPN instance of the second CE device is established on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device; the feature information of the first resource is at least one of the following: RD information, Export Target information or route prefix information corresponding to the routing information of the second CE device.
- The controller according to claim 24 or 25, characterized in that the forwarding device is a provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device and a VPN instance of a third CE device are established, routing information of a second CE device is not included in the VPN routing table of the VPN instance of the first CE device, and the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device; the obtaining module is configured to obtain a VPN service request asking that the first CE device access the second CE device, and to obtain, according to the VPN service request, the requirement that the first resource needs to be associated with the second resource, where the first resource is the flow whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, and the second resource is the VPN instance of the third CE device; and the sending module is further configured to send, according to the requirement, the BGP Flow Spec protocol packet to the forwarding device, where the Flags field of the BGP Flow Spec protocol packet indicates association of the first resource with the second resource on the forwarding plane, and the BGP Flow Spec protocol packet instructs the forwarding device to forward data packets whose source IP address and destination IP address match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- The controller according to claim 31, characterized in that the second CE device is the third CE device.
- A forwarding device, characterized by comprising: a receiving module, configured to receive a Border Gateway Protocol flow specification (BGP Flow Spec) protocol packet sent by a controller, the BGP Flow Spec protocol packet including a network layer reachability information field and an extended community attribute field, the network layer reachability information field carrying feature information of a first resource on the forwarding device, the extended community attribute field carrying a global identifier (GID) denoting a second resource on the forwarding device, and the BGP Flow Spec protocol packet instructing the forwarding device to associate the first resource with the second resource; an obtaining module, configured to obtain the first resource according to the feature information of the first resource received by the receiving module and to obtain the second resource according to the GID; and an association module, configured to associate the first resource with the second resource according to the BGP Flow Spec protocol packet received by the receiving module.
- The forwarding device according to claim 33, characterized in that the extended community attribute field includes a GID field and a Flags field, the GID field carries the GID, and the Flags field carries information indicating whether the first resource and the second resource are to be associated on the control plane or on the forwarding plane of the forwarding device.
- The forwarding device according to claim 34, characterized in that the Flags field includes a forwarding-plane bit and a control-plane bit; when the forwarding-plane bit is set to 0 and the control-plane bit is set to 1, the Flags field indicates association of the first resource with the second resource on the control plane, and when the forwarding-plane bit is set to 1 and the control-plane bit is set to 0, it indicates association of the first resource with the second resource on the forwarding plane.
- The forwarding device according to claim 34 or 35, characterized in that the forwarding device is a provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device is established, and routing information of a second CE device is not in the VPN routing table of the VPN instance of the first CE device; the receiving module is configured to receive the BGP Flow Spec protocol packet that the controller sends according to a VPN service request, the VPN service request asking that the first CE device access the second CE device, where the first resource is the routing information of the second CE device, the second resource is the VPN instance of the first CE device, the Flags field of the BGP Flow Spec protocol packet indicates association of the first resource with the second resource on the control plane, and the BGP Flow Spec protocol packet instructs the forwarding device to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device; and the association module is configured to add the routing information of the second CE device to the VPN routing table of the VPN instance of the first CE device.
- The forwarding device according to claim 36, characterized in that the forwarding device further comprises a sending module, configured to send to the controller attribute information of the VPN instance of the first CE device, the attribute information including a VPN instance name, a VPN instance route distinguisher (RD), a VPN instance route target (RT), a VPN instance index value and VPN instance interface information; and the receiving module is configured to receive a mapping table sent by the controller, the mapping table including the mapping between the attribute information of the VPN instance of the first CE device and the mapping identifiers that the controller assigned to that attribute information, each mapping identifier uniquely denoting the attribute information of the VPN instance of the first CE device within the forwarding device, where the GID carried in the GID field is one or more of the mapping identifiers.
- The forwarding device according to claim 36 or 37, characterized in that a VPN instance of the second CE device is established on the forwarding device, and the VPN routing table of the VPN instance of the second CE device includes the routing information of the second CE device; the feature information of the first resource is at least one of the following attribute information of the VPN instance of the second CE device: a VPN instance name, a VPN instance RD, a VPN instance index value, VPN instance interface information and a VPN instance GID; and the obtaining module is configured to obtain the routing information of the second CE device from the VPN routing table of the VPN instance of the second CE device according to the feature information of the first resource.
- The forwarding device according to claim 36 or 37, characterized in that no VPN instance of the second CE device is established on the forwarding device, and the VPN public network routing table of the forwarding device includes the routing information of the second CE device; the feature information of the first resource is at least one of the following: RD information, Export Target information or route prefix information corresponding to the routing information of the second CE device; and the obtaining module is configured to obtain the routing information of the second CE device from the VPN public network routing table according to the feature information of the first resource.
- The forwarding device according to claim 34 or 35, characterized in that the forwarding device is a provider edge (PE) device on which a virtual private network (VPN) instance of a first customer edge (CE) device and a VPN instance of a third CE device are established, routing information of a second CE device is not included in the VPN routing table of the VPN instance of the first CE device, and the VPN routing table of the VPN instance of the third CE device includes the routing information of the second CE device; the receiving module is configured to receive the BGP Flow Spec protocol packet that the controller sends according to a VPN service request, the VPN service request asking that the first CE device access the second CE device, where the first resource is the flow whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device, the second resource is the VPN instance of the third CE device, the Flags field of the BGP Flow Spec protocol packet indicates association of the first resource with the second resource on the forwarding plane, and the BGP Flow Spec protocol packet instructs the forwarding device to forward data packets whose source IP address and destination IP address match the first resource according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device; and the association module comprises: a receiving unit, configured to receive a data packet whose source IP address is the IP address of the first CE device and whose destination IP address is the IP address of the second CE device; and a forwarding unit, configured to forward the data packet according to the routing information of the second CE device included in the VPN routing table of the VPN instance of the third CE device.
- The forwarding device according to claim 40, characterized in that the second CE device is the third CE device.
- A flow specification (Flow Spec) protocol based communication system, comprising the controller according to any one of claims 23 to 32 and the forwarding device according to any one of claims 33 to 41.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP20181581.8A EP3780545B1 (en) | 2016-03-21 | 2017-03-16 | Flow specification protocol-based communications method, and device |
EP17769372.8A EP3422660B1 (en) | 2016-03-21 | 2017-03-16 | Communication method, device and system based on flow specification protocol |
EP22211033.0A EP4213449A1 (en) | 2016-03-21 | 2017-03-16 | Flow specification protocol-based communications method, device, and system |
US16/137,817 US10757008B2 (en) | 2016-03-21 | 2018-09-21 | Flow specification protocol-based communications method, device, and system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610160664.3A CN107222449B (zh) | 2016-03-21 | 2016-03-21 | Communication method, device and system based on flow specification protocol |
CN201610160664.3 | 2016-03-21 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/137,817 Continuation US10757008B2 (en) | 2016-03-21 | 2018-09-21 | Flow specification protocol-based communications method, device, and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017162095A1 (zh) | 2017-09-28 |
Family
ID=59899240
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/076960 WO2017162095A1 (zh) | 2016-03-21 | 2017-03-16 | Communication method, device and system based on flow specification protocol |
Country Status (4)
Country | Link |
---|---|
US (1) | US10757008B2 (zh) |
EP (3) | EP3422660B1 (zh) |
CN (2) | CN107222449B (zh) |
WO (1) | WO2017162095A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108199965A (zh) * | 2017-12-28 | 2018-06-22 | 新华三技术有限公司 | Flow spec entry delivery method, network device, controller and autonomous system |
CN109873798A (zh) * | 2018-08-03 | 2019-06-11 | 中国有色金属长沙勘察设计研究院有限公司 | Data structure, transmission method and data terminal |
US20220200893A1 (en) * | 2019-09-11 | 2022-06-23 | Huawei Technologies Co., Ltd. | Data Transmission Control Method and Apparatus |
WO2024007640A1 (zh) * | 2022-07-08 | 2024-01-11 | 中兴通讯股份有限公司 | Data transmission method, data processing method, electronic device, and storage medium |
Families Citing this family (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108234312B (zh) * | 2016-12-15 | 2021-03-05 | 中国电信股份有限公司 | Traffic scheduling method, PCE and SDN network system |
US10218572B2 (en) * | 2017-06-19 | 2019-02-26 | Cisco Technology, Inc. | Multiprotocol border gateway protocol routing validation |
US10447499B2 (en) * | 2017-10-06 | 2019-10-15 | At&T Intellectual Property I, L.P. | Virtual private network interworking |
CN108011759B (zh) * | 2017-12-05 | 2021-06-18 | 锐捷网络股份有限公司 | VPN management method, apparatus and system |
CN108616451B (zh) * | 2018-04-25 | 2020-12-29 | 新华三技术有限公司 | Flow Spec route activation method, apparatus and network device |
US10454715B1 (en) * | 2018-05-03 | 2019-10-22 | At&T Intellectual Property I, L.P. | Virtual private wire service interworking |
US10484281B1 (en) * | 2018-06-25 | 2019-11-19 | Cisco Technology, Inc. | Router operating methods and apparatus using virtual VPN instances for hosts of remote extranet VPNs |
US11463324B2 (en) * | 2018-07-09 | 2022-10-04 | At&T Intellectual Property I, L.P. | Systems and methods for supporting connectivity to multiple VRFs from a data link |
CN109587009B (zh) * | 2018-12-28 | 2019-11-08 | 华为技术有限公司 | Method and apparatus for configuring a seamless bidirectional forwarding detection (SBFD) mechanism |
CN114978988A (zh) * | 2019-06-28 | 2022-08-30 | 华为技术有限公司 | Method and apparatus for implementing entry backup |
CN112468353B (zh) * | 2019-09-09 | 2023-11-21 | 华为数字技术(苏州)有限公司 | Network reachability detection method and apparatus |
CN112787930B (zh) * | 2019-11-06 | 2024-04-09 | 华为技术有限公司 | Method, apparatus and storage medium for monitoring the operating state of a peer |
JP7551755B2 (ja) * | 2019-12-20 | 2024-09-17 | パブリック・ジョイント・ストック・カンパニー・“シブール・ホールディング” | Polymer for producing BOPP film at high processing speed |
CN111064670B (zh) * | 2019-12-30 | 2021-05-11 | 联想(北京)有限公司 | Method and apparatus for obtaining next-hop routing information |
US12040965B2 (en) * | 2020-02-04 | 2024-07-16 | Nokia Solutions And Networks Oy | Supporting multicast communications |
CN113315645B (zh) * | 2020-02-27 | 2024-06-04 | 华为技术有限公司 | Method for configuring performance measurement indication information and related device |
CN114095305A (zh) * | 2020-07-21 | 2022-02-25 | 华为技术有限公司 | BIER packet forwarding method, device and system |
CN114070778A (zh) * | 2020-08-06 | 2022-02-18 | 华为技术有限公司 | Route import method, device and system |
CN114257544A (zh) * | 2020-09-22 | 2022-03-29 | 华为技术有限公司 | Traffic processing method, apparatus and network device |
CN114500162A (zh) * | 2020-10-23 | 2022-05-13 | 中国移动通信有限公司研究院 | SD-WAN system and data forwarding method |
CN112532519B (zh) * | 2020-12-21 | 2022-07-22 | 安徽皖通邮电股份有限公司 | Method for controlling data traffic behaviour using BGP Flow Specification |
CN115051951B (zh) * | 2021-02-26 | 2024-04-19 | 中国电信股份有限公司 | Service flow scheduling method, centralized controller and storage medium |
CN115473812A (zh) * | 2021-05-24 | 2022-12-13 | 中兴通讯股份有限公司 | Traffic packet forwarding method, client, controller and storage medium |
CN113904981B (zh) * | 2021-09-15 | 2023-11-17 | 锐捷网络股份有限公司 | Routing information processing method, apparatus, electronic device and storage medium |
CN115834491A (zh) * | 2021-09-16 | 2023-03-21 | 华为技术有限公司 | Packet processing method, flow specification transmission method, device, system and storage medium |
CN113949662B (zh) * | 2021-11-18 | 2023-04-21 | 新华三大数据技术有限公司 | Packet forwarding method, apparatus, network device and storage medium |
US20230319082A1 (en) * | 2022-04-04 | 2023-10-05 | Arbor Networks, Inc. | Flowspec message processing apparatus and method |
US20230344765A1 (en) * | 2022-04-26 | 2023-10-26 | At&T Intellectual Property I, L.P. | On-demand virtual routing and forwarding table creation |
US11949560B1 (en) | 2023-01-03 | 2024-04-02 | Juniper Networks, Inc. | Dynamic creation of overlay network slices using border gateway protocol flow specifications |
CN117614887B (zh) * | 2024-01-22 | 2024-04-09 | 北京天维信通科技股份有限公司 | Method and apparatus for carrying BGP community attribute values in OSPF |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008089305A2 (en) * | 2007-01-17 | 2008-07-24 | Nortel Networks Limited | Border gateway protocol procedures for mpls and layer-2 vpn using ethernet-based tunnels |
CN103684959A (zh) * | 2012-09-20 | 2014-03-26 | 华为技术有限公司 | VPN implementation method and PE device |
CN103731347A (zh) * | 2012-10-10 | 2014-04-16 | 杭州华三通信技术有限公司 | VPNv4 route processing method and device based on nested VPN networks |
CN104468348A (zh) * | 2014-12-22 | 2015-03-25 | 迈普通信技术股份有限公司 | Provider edge router, system and method for implementing VPN fast reroute |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7773596B1 (en) * | 2004-02-19 | 2010-08-10 | Juniper Networks, Inc. | Distribution of traffic flow criteria |
CN100421422C (zh) * | 2005-10-12 | 2008-09-24 | 华为技术有限公司 | Method for implementing routing policy via Border Gateway Protocol |
CN100440846C (zh) * | 2007-01-26 | 2008-12-03 | 成都迈普产业集团有限公司 | Virtual private network dynamic connection method |
CN101895480B (zh) * | 2010-08-18 | 2012-11-28 | 杭州华三通信技术有限公司 | Packet transmission method and device |
CN103139040B (zh) * | 2013-03-13 | 2016-08-10 | 杭州华三通信技术有限公司 | Extended VPN FRR implementation method and device |
CN104253759B (zh) * | 2013-06-30 | 2017-08-29 | 华为技术有限公司 | Packet forwarding method, apparatus and system |
CN105099917B (zh) * | 2014-05-08 | 2018-09-28 | 华为技术有限公司 | Service packet forwarding method and apparatus |
CN105119820B (zh) * | 2015-07-23 | 2018-01-02 | 中国人民解放军信息工程大学 | Routing protocol multi-instance parallel execution system and parallel execution method thereof |
US10476817B2 (en) * | 2017-05-31 | 2019-11-12 | Juniper Networks, Inc. | Transport LSP setup using selected fabric path between virtual nodes |
- 2016
  - 2016-03-21 CN CN201610160664.3A patent/CN107222449B/zh active Active
  - 2016-03-21 CN CN202010490398.7A patent/CN111865898B/zh active Active
- 2017
  - 2017-03-16 EP EP17769372.8A patent/EP3422660B1/en active Active
  - 2017-03-16 EP EP22211033.0A patent/EP4213449A1/en active Pending
  - 2017-03-16 WO PCT/CN2017/076960 patent/WO2017162095A1/zh active Application Filing
  - 2017-03-16 EP EP20181581.8A patent/EP3780545B1/en active Active
- 2018
  - 2018-09-21 US US16/137,817 patent/US10757008B2/en active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP3422660A4 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108199965A (zh) * | 2017-12-28 | 2018-06-22 | 新华三技术有限公司 | Flow spec entry delivery method, network device, controller and autonomous system |
CN108199965B (zh) * | 2017-12-28 | 2021-01-01 | 新华三技术有限公司 | Flow spec entry delivery method, network device, controller and autonomous system |
CN109873798A (zh) * | 2018-08-03 | 2019-06-11 | 中国有色金属长沙勘察设计研究院有限公司 | Data structure, transmission method and data terminal |
US20220200893A1 (en) * | 2019-09-11 | 2022-06-23 | Huawei Technologies Co., Ltd. | Data Transmission Control Method and Apparatus |
WO2024007640A1 (zh) * | 2022-07-08 | 2024-01-11 | 中兴通讯股份有限公司 | Data transmission method, data processing method, electronic device, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
EP3422660B1 (en) | 2020-09-02 |
CN111865898A (zh) | 2020-10-30 |
CN107222449A (zh) | 2017-09-29 |
EP3780545B1 (en) | 2023-05-10 |
EP3780545A1 (en) | 2021-02-17 |
CN111865898B (zh) | 2023-07-21 |
US20190028381A1 (en) | 2019-01-24 |
CN107222449B (zh) | 2020-06-16 |
EP4213449A1 (en) | 2023-07-19 |
EP3422660A4 (en) | 2019-04-03 |
EP3422660A1 (en) | 2019-01-02 |
US10757008B2 (en) | 2020-08-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2017162095A1 (zh) | Communication method, device and system based on flow specification protocol | |
US11888651B2 (en) | Virtual private network VPN service optimization method and device | |
EP3836490B1 (en) | Vpn cross-domain implementation method, device, and border node | |
CN103685022B (zh) | Packet forwarding method and service provider network edge device | |
US20170118043A1 (en) | Method for implementing communication between nvo3 network and mpls network, and apparatus | |
EP4131872A1 (en) | Multicast traffic transmission method and apparatus, communication node, and storage medium | |
WO2020052410A1 (zh) | Communication method, device and system | |
WO2015165311A1 (zh) | Method for transmitting data packets and provider edge device | |
WO2013182061A1 (zh) | Network label allocation method, device and system | |
CN106936714B (zh) | VPN processing method, PE device and system | |
WO2013139270A1 (zh) | Method, device and system for implementing a layer 3 virtual private network | |
WO2020098611A1 (zh) | Method and apparatus for obtaining routing information | |
WO2013159694A1 (zh) | Label allocation method, device and system | |
WO2006002598A1 (fr) | Hybrid-site hybrid backbone network VPN system and method for implementing same | |
CN113904981B (zh) | Routing information processing method, apparatus, electronic device and storage medium | |
WO2023082779A1 (zh) | Packet forwarding method, electronic device and storage medium | |
Wu et al. | Research on the application of cross-domain VPN technology based on MPLS BGP | |
WO2005125103A1 (fr) | Virtual private network system for a hybrid site and hybrid backbone network, and associated implementation method | |
WO2005114944A1 (fr) | Method for establishing a virtual private network of IPv4 and IPv6 sites | |
CN112910771B (zh) | Connection establishment method, apparatus, device and storage medium | |
WO2021103744A1 (zh) | Heterogeneous network communication method, system and controller | |
WO2024001553A1 (zh) | Route advertisement method, electronic device and computer-readable storage medium | |
JP2012175198A (ja) | Distribution route setting system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2017769372 Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 2017769372 Country of ref document: EP Effective date: 20180927 |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17769372 Country of ref document: EP Kind code of ref document: A1 |