Network Working Group                                   K. Kompella, Ed.
Request for Comments: 4761                               Y. Rekhter, Ed.
Category: Standards Track                               Juniper Networks
                                                            January 2007
        

Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The IETF Trust (2007).

IESG Note

The L2VPN Working Group produced two separate documents, RFC 4762 and this document, that ultimately perform similar functions in different manners. Be aware that each method is commonly referred to as "VPLS" even though they are distinct and incompatible with one another.

Abstract

Virtual Private LAN Service (VPLS), also known as Transparent LAN Service and Virtual Private Switched Network service, is a useful Service Provider offering. The service offers a Layer 2 Virtual Private Network (VPN); however, in the case of VPLS, the customers in the VPN are connected by a multipoint Ethernet LAN, in contrast to the usual Layer 2 VPNs, which are point-to-point in nature.

This document describes the functions required to offer VPLS, a mechanism for signaling a VPLS, and rules for forwarding VPLS frames across a packet switched network.

Table of Contents

   1. Introduction
      1.1. Scope of This Document
      1.2. Conventions Used in This Document
   2. Functional Model
      2.1. Terminology
      2.2. Assumptions
      2.3. Interactions
   3. Control Plane
      3.1. Auto-Discovery
           3.1.1. Functions
           3.1.2. Protocol Specification
      3.2. Signaling
           3.2.1. Label Blocks
           3.2.2. VPLS BGP NLRI
           3.2.3. PW Setup and Teardown
           3.2.4. Signaling PE Capabilities
      3.3. BGP VPLS Operation
      3.4. Multi-AS VPLS
           3.4.1. Method (a): VPLS-to-VPLS Connections at the ASBRs
           3.4.2. Method (b): EBGP Redistribution of VPLS Information between ASBRs
           3.4.3. Method (c): Multi-Hop EBGP Redistribution of VPLS Information
           3.4.4. Allocation of VE IDs across Multiple ASes
      3.5. Multi-homing and Path Selection
      3.6. Hierarchical BGP VPLS
   4. Data Plane
      4.1. Encapsulation
      4.2. Forwarding
           4.2.1. MAC Address Learning
           4.2.2. Aging
           4.2.3. Flooding
           4.2.4. Broadcast and Multicast
           4.2.5. "Split Horizon" Forwarding
           4.2.6. Qualified and Unqualified Learning
           4.2.7. Class of Service
   5. Deployment Options
   6. Security Considerations
   7. IANA Considerations
   8. References
      8.1. Normative References
      8.2. Informative References
   Appendix A.  Contributors
   Appendix B.  Acknowledgements
        
1. Introduction

Virtual Private LAN Service (VPLS), also known as Transparent LAN Service and Virtual Private Switched Network service, is a useful service offering. A Virtual Private LAN appears in (almost) all respects as an Ethernet LAN to customers of a Service Provider. However, in a VPLS, the customers are not all connected to a single LAN; the customers may be spread across a metro or wide area. In essence, a VPLS glues together several individual LANs across a packet switched network to appear and function as a single LAN [9]. This is accomplished by incorporating MAC address learning, flooding, and forwarding functions in the context of pseudowires that connect these individual LANs across the packet switched network.

This document details the functions needed to offer VPLS, and then goes on to describe a mechanism for the auto-discovery of the endpoints of a VPLS as well as for signaling a VPLS. It also describes how VPLS frames are transported over tunnels across a packet switched network. The auto-discovery and signaling mechanism uses BGP as the control plane protocol. This document also briefly discusses deployment options, in particular, the notion of decoupling functions across devices.

Alternative approaches include: [14], which allows one to build a Layer 2 VPN with Ethernet as the interconnect; and [13], which allows one to set up an Ethernet connection across a packet switched network. Both of these, however, offer point-to-point Ethernet services. What distinguishes VPLS from the above two is that a VPLS offers a multipoint service. A mechanism for setting up pseudowires for VPLS using the Label Distribution Protocol (LDP) is defined in [10].

1.1. Scope of This Document

This document has four major parts: defining a VPLS functional model; defining a control plane for setting up VPLS; defining the data plane for VPLS (encapsulation and forwarding of data); and defining various deployment options.

The functional model underlying VPLS is laid out in Section 2. This describes the service being offered, the network components that interact to provide the service, and at a high level their interactions.

The control plane described in this document uses Multiprotocol BGP [4] to establish VPLS service, i.e., for the auto-discovery of VPLS members and for the setup and teardown of the pseudowires that constitute a given VPLS instance. Section 3 focuses on this, and also describes how a VPLS that spans Autonomous System boundaries is set up, as well as how multi-homing is handled. Using BGP as the control plane for VPNs is not new (see [14], [6], and [11]): what is described here is based on the mechanisms proposed in [6].

The forwarding plane and the actions that a participating Provider Edge (PE) router offering the VPLS service must take are described in Section 4.

In Section 5, the notion of 'decoupled' operation is defined, and the interaction of decoupled and non-decoupled PEs is described. Decoupling allows for more flexible deployment of VPLS.

1.2. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].

2. Functional Model

This will be described with reference to the following figure.

                                                       -----
                                                      /  A1 \
        ----                                     ____CE1     |
       /    \          --------       --------  /    |       |
      |  A2 CE2-      /        \     /        PE1     \     /
       \    /   \    /          \___/          | \     -----
        ----     ---PE2                        |  \
                    |                          |   \   -----
                    | Service Provider Network |    \ /     \
                    |                          |     CE5  A5 |
                    |            ___           |   /  \     /
             |----|  \          /   \         PE4_/    -----
             |u-PE|--PE3       /     \       /
             |----|    --------       -------
      ----  /   |    ----
     /    \/    \   /    \               CE = Customer Edge Device
    |  A3 CE3    --CE4 A4 |              PE = Provider Edge Router
     \    /         \    /               u-PE = Layer 2 Aggregation
      ----           ----                A<n> = Customer site n
        

Figure 1: Example of a VPLS

2.1. Terminology

Terminology similar to that in [6] is used: a Service Provider (SP) network with P (Provider-only) and PE (Provider Edge) routers, and customers with CE (Customer Edge) devices. Here, however, there is an additional concept, that of a "u-PE", a Layer 2 PE device used for Layer 2 aggregation. The notion of u-PE is described further in Section 5. PE and u-PE devices are "VPLS-aware", which means that they know that a VPLS service is being offered. The term "VE" refers to a VPLS edge device, which could be either a PE or a u-PE.

In contrast, the CE device (which may be owned and operated by either the SP or the customer) is VPLS-unaware; as far as the CE is concerned, it is connected to the other CEs in the VPLS via a Layer 2 switched network. This means that there should be no changes to a CE device, either to the hardware or the software, in order to offer VPLS.

A CE device may be connected to a PE or a u-PE via Layer 2 switches that are VPLS-unaware. From a VPLS point of view, such Layer 2 switches are invisible, and hence will not be discussed further. Furthermore, a u-PE may be connected to a PE via Layer 2 and Layer 3 devices; this will be discussed further in a later section.

The term "demultiplexor" refers to an identifier in a data packet that identifies the VPLS to which the packet belongs as well as the ingress PE. In this document, the demultiplexor is an MPLS label.

The term "VPLS" will refer to the service as well as a particular instantiation of the service (i.e., an emulated LAN); it should be clear from the context which usage is intended.

2.2. Assumptions

The Service Provider Network is a packet switched network. The PEs are assumed to be (logically) fully meshed with tunnels over which packets that belong to a service (such as VPLS) are encapsulated and forwarded. These tunnels can be IP tunnels, such as Generic Routing Encapsulation (GRE), or MPLS tunnels, established by Resource Reservation Protocol - Traffic Engineering (RSVP-TE) or LDP. These tunnels are established independently of the services offered over them; the signaling and establishment of these tunnels are not discussed in this document.

"Flooding" and MAC address "learning" (see Section 4) are an integral part of VPLS. However, these activities are private to an SP device, i.e., in the VPLS described below, no SP device requests another SP device to flood packets or learn MAC addresses on its behalf.

All the PEs participating in a VPLS are assumed to be fully meshed in the data plane, i.e., there is a bidirectional pseudowire between every pair of PEs participating in that VPLS, and thus every (ingress) PE can send a VPLS packet to the egress PE(s) directly, without the need for an intermediate PE (see Section 4.2.5). This requires that VPLS PEs are logically fully meshed in the control plane so that a PE can send a message to another PE to set up the necessary pseudowires. See Section 3.6 for a discussion on alternatives to achieve a logical full mesh in the control plane.

2.3. Interactions

VPLS is a "LAN Service" in that CE devices that belong to a given VPLS instance V can interact through the SP network as if they were connected by a LAN. VPLS is "private" in that CE devices that belong to different VPLSs cannot interact. VPLS is "virtual" in that multiple VPLSs can be offered over a common packet switched network.

PE devices interact to "discover" all the other PEs participating in the same VPLS, and to exchange demultiplexors. These interactions are control-driven, not data-driven.

u-PEs interact with PEs to establish connections with remote PEs or u-PEs in the same VPLS. This interaction is control-driven.

PE devices can participate simultaneously in both VPLS and IP VPNs [6]. These are independent services, and the information exchanged for each type of service is kept separate as the Network Layer Reachability Information (NLRI) used for this exchange has different Address Family Identifiers (AFIs) and Subsequent Address Family Identifiers (SAFIs). Consequently, an implementation MUST maintain a separate routing storage for each service. However, multiple services can use the same underlying tunnels; the VPLS or VPN label is used to demultiplex the packets belonging to different services.

3. Control Plane

There are two primary functions of the VPLS control plane: auto-discovery, and setup and teardown of the pseudowires that constitute the VPLS, often called signaling. Section 3.1 and Section 3.2 describe these functions. Both of these functions are accomplished with a single BGP Update advertisement; Section 3.3 describes how this is done by detailing BGP protocol operation for VPLS. Section 3.4 describes the setting up of pseudowires that span Autonomous Systems. Section 3.5 describes how multi-homing is handled.

3.1. Auto-Discovery

Discovery refers to the process of finding all the PEs that participate in a given VPLS instance. A PE either can be configured with the identities of all the other PEs in a given VPLS or can use some protocol to discover the other PEs. The latter is called auto-discovery.

The former approach is fairly configuration-intensive, especially since it is required that the PEs participating in a given VPLS are fully meshed (i.e., that every PE in a given VPLS establish pseudowires to every other PE in that VPLS). Furthermore, when the topology of a VPLS changes (i.e., a PE is added to, or removed from, the VPLS), the VPLS configuration on all PEs in that VPLS must be changed.

In the auto-discovery approach, each PE "discovers" which other PEs are part of a given VPLS by means of some protocol, in this case BGP. This allows each PE's configuration to consist only of the identity of the VPLS instance established on this PE, not the identity of every other PE in that VPLS instance -- that is auto-discovered. Moreover, when the topology of a VPLS changes, only the affected PE's configuration changes; other PEs automatically find out about the change and adapt.

3.1.1. Functions

A PE that participates in a given VPLS instance V must be able to tell all other PEs in VPLS V that it is also a member of V. A PE must also have a means of declaring that it no longer participates in a VPLS. To do both of these, the PE must have a means of identifying a VPLS and a means by which to communicate to all other PEs.

U-PE devices also need to know what constitutes a given VPLS; however, they don't need the same level of detail. The PE (or PEs) to which a u-PE is connected gives the u-PE an abstraction of the VPLS; this is described in Section 5.

3.1.2. Protocol Specification

The specific mechanism for auto-discovery described here is based on [14] and [6]; it uses BGP extended communities [5] to identify members of a VPLS, in particular, the Route Target community, whose format is described in [5]. The semantics of the use of Route Targets is described in [6]; their use in VPLS is identical.

As it has been assumed that VPLSs are fully meshed, a single Route Target RT suffices for a given VPLS V, and in effect that RT is the identifier for VPLS V.

A PE announces (typically via I-BGP) that it belongs to VPLS V by annotating its NLRIs for V (see next subsection) with Route Target RT, and acts on this by accepting NLRIs from other PEs that have Route Target RT. A PE announces that it no longer participates in V by withdrawing all NLRIs that it had advertised with Route Target RT.

3.2. Signaling

Once discovery is done, each pair of PEs in a VPLS must be able to establish (and tear down) pseudowires to each other, i.e., exchange (and withdraw) demultiplexors. This process is known as signaling. Signaling is also used to transmit certain characteristics of the pseudowires that a PE sets up for a given VPLS.

Recall that a demultiplexor is used to distinguish among several different streams of traffic carried over a tunnel, each stream possibly representing a different service. In the case of VPLS, the demultiplexor not only says to which specific VPLS a packet belongs, but also identifies the ingress PE. The former information is used for forwarding the packet; the latter information is used for learning MAC addresses. The demultiplexor described here is an MPLS label. However, note that the PE-to-PE tunnels need not be MPLS tunnels.

Using a distinct BGP Update message to send a demultiplexor to each remote PE would require the originating PE to send N such messages for N remote PEs. The solution described in this document allows a PE to send a single (common) Update message that contains demultiplexors for all the remote PEs, instead of N individual messages. Doing this reduces the control plane load both on the originating PE as well as on the BGP Route Reflectors that may be involved in distributing this Update to other PEs.

3.2.1. Label Blocks

To accomplish this, we introduce the notion of "label blocks". A label block, defined by a label base LB and a VE block size VBS, is a contiguous set of labels {LB, LB+1, ..., LB+VBS-1}. Here's how label blocks work. All PEs within a given VPLS are assigned unique VE IDs as part of their configuration. A PE X wishing to send a VPLS update sends the same label block information to all other PEs. Each receiving PE infers the label intended for PE X by adding its (unique) VE ID to the label base. In this manner, each receiving PE gets a unique demultiplexor for PE X for that VPLS.

This simple notion is enhanced with the concept of a VE block offset VBO. A label block defined by <LB, VBO, VBS> is the set {LB+VBO, LB+VBO+1, ..., LB+VBO+VBS-1}. Thus, instead of a single large label block to cover all VE IDs in a VPLS, one can have several label blocks, each with a different label base. This makes label block management easier, and also allows PE X to cater gracefully to a PE joining a VPLS with a VE ID that is not covered by the set of label blocks that PE X has already advertised.

When a PE starts up, or is configured with a new VPLS instance, the BGP process may wish to wait to receive several advertisements for that VPLS instance from other PEs to improve the efficiency of label block allocation.

3.2.2. VPLS BGP NLRI

The VPLS BGP NLRI described below, with a new AFI and SAFI (see [4]) is used to exchange VPLS membership and demultiplexors.

A VPLS BGP NLRI has the following information elements: a VE ID, a VE Block Offset, a VE Block Size, and a label base. The format of the VPLS NLRI is given below. The AFI is the L2VPN AFI (25), and the SAFI is the VPLS SAFI (65). The Length field is in octets.

      +------------------------------------+
      |  Length (2 octets)                 |
      +------------------------------------+
      |  Route Distinguisher  (8 octets)   |
      +------------------------------------+
      |  VE ID (2 octets)                  |
      +------------------------------------+
      |  VE Block Offset (2 octets)        |
      +------------------------------------+
      |  VE Block Size (2 octets)          |
      +------------------------------------+
      |  Label Base (3 octets)             |
      +------------------------------------+
        

Figure 2: BGP NLRI for VPLS Information

A PE participating in a VPLS must have at least one VE ID. If the PE is the VE, it typically has one VE ID. If the PE is connected to several u-PEs, it has a distinct VE ID for each u-PE. It may additionally have a VE ID for itself, if it itself acts as a VE for that VPLS. In what follows, we will call the PE announcing the VPLS NLRI PE-a, and we will assume that PE-a owns VE ID V (either belonging to PE-a itself or to a u-PE connected to PE-a).

VE IDs are typically assigned by the network administrator. Their scope is local to a VPLS. A given VE ID should belong to only one PE, unless a CE is multi-homed (see Section 3.5).

A label block is a set of demultiplexor labels used to reach a given VE ID. A VPLS BGP NLRI with VE ID V, VE Block Offset VBO, VE Block Size VBS, and label base LB communicates to its peers the following:

       label block for V:  labels from LB to (LB + VBS - 1), and

       remote VE set for V:  from VBO to (VBO + VBS - 1).

There is a one-to-one correspondence between the remote VE set and the label block: VE ID (VBO + n) corresponds to label (LB + n).

3.2.3. PW Setup and Teardown

Suppose PE-a is part of VPLS foo and makes an announcement with VE ID V, VE Block Offset VBO, VE Block Size VBS, and label base LB. If PE-b is also part of VPLS foo and has VE ID W, PE-b does the following:

1. checks if W is part of PE-a's 'remote VE set': if VBO <= W < VBO + VBS, then W is part of PE-a's remote VE set. If not, PE-b ignores this message, and skips the rest of this procedure.

2. sets up a PW to PE-a: the demultiplexor label to send traffic from PE-b to PE-a is computed as (LB + W - VBO).

3. checks if V is part of any 'remote VE set' that PE-b announced, i.e., PE-b checks if V belongs to some remote VE set that PE-b announced, say with VE Block Offset VBO', VE Block Size VBS', and label base LB'. If not, PE-b MUST make a new announcement as described in Section 3.3.

4. sets up a PW from PE-a: the demultiplexor label over which PE-b should expect traffic from PE-a is computed as: (LB' + V - VBO').

If Y withdraws an NLRI for V that X was using, then X MUST tear down its ends of the pseudowire between X and Y.
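
The following Python sketch is an added example, not part of RFC 4761: it decodes an NLRI laid out as in Figure 2 and carries out PE-b's steps 1 to 4 above. The placement of the 20-bit label in the high-order bits of the 3-octet Label Base, the range checks in the parser, and every sample value (RD, VE IDs, label bases) are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

NLRI_BODY_LEN = 17         # RD(8) + VE ID(2) + VBO(2) + VBS(2) + Label Base(3)
MIN_LABEL = 16             # MPLS labels 0-15 are reserved
MAX_LABEL = (1 << 20) - 1  # MPLS labels are 20 bits wide


@dataclass(frozen=True)
class VplsNlri:
    rd: bytes         # Route Distinguisher, 8 octets
    ve_id: int        # V
    vbo: int          # VE Block Offset
    vbs: int          # VE Block Size
    label_base: int   # LB

    def label_for(self, ve_id: int) -> Optional[int]:
        """Label for remote VE `ve_id`, or None if outside the remote VE set."""
        if self.vbo <= ve_id < self.vbo + self.vbs:
            return self.label_base + ve_id - self.vbo
        return None


def encode_vpls_nlri(n: VplsNlri) -> bytes:
    # ASSUMPTION: label in the high-order 20 bits, bottom-of-stack bit set.
    label = ((n.label_base << 4) | 1).to_bytes(3, "big")
    return struct.pack("!H8sHHH", NLRI_BODY_LEN, n.rd, n.ve_id, n.vbo, n.vbs) + label


def parse_vpls_nlri(buf: bytes) -> VplsNlri:
    """Decode one NLRI (Figure 2 layout) and reject unusable label blocks."""
    if len(buf) < 2:
        raise ValueError("truncated NLRI")
    (length,) = struct.unpack_from("!H", buf, 0)
    if length != NLRI_BODY_LEN or len(buf) != 2 + length:
        raise ValueError(f"bad NLRI length {length} for {len(buf)} octets")
    rd = bytes(buf[2:10])
    ve_id, vbo, vbs = struct.unpack_from("!HHH", buf, 10)
    label_base = int.from_bytes(buf[16:19], "big") >> 4
    # Added sanity checks (not mandated by the text): a block that runs past
    # the VE ID or label space would make LB + W - VBO meaningless.
    if vbs:  # an empty block carries nothing to check
        if vbo + vbs - 1 > 0xFFFF:
            raise ValueError("remote VE set runs past the 2-octet VE ID space")
        if label_base < MIN_LABEL or label_base + vbs - 1 > MAX_LABEL:
            raise ValueError("label block leaves the usable 20-bit label range")
    return VplsNlri(rd, ve_id, vbo, vbs, label_base)


@dataclass(frozen=True)
class PwDecision:
    tx_label: int                 # step 2: label PE-b uses toward PE-a
    rx_label: Optional[int]       # step 4: label PE-b expects from PE-a
    needs_new_announcement: bool  # step 3 failed: announce a block covering V


def pw_setup(local_ve_id: int, remote: VplsNlri,
             local_blocks: Iterable[VplsNlri]) -> Optional[PwDecision]:
    """PE-b's steps 1-4 on receiving `remote` from PE-a; None means 'ignore'."""
    tx = remote.label_for(local_ve_id)          # steps 1 and 2: LB + W - VBO
    if tx is None:
        return None                             # W not in PE-a's remote VE set
    for block in local_blocks:                  # step 3: does PE-b cover V?
        rx = block.label_for(remote.ve_id)
        if rx is not None:
            return PwDecision(tx, rx, False)    # step 4: LB' + V - VBO'
    return PwDecision(tx, None, True)


# Constructed sample data: RD 65000:1, PE-a owns VE ID 1, PE-b owns VE ID 3.
RD_FOO = struct.pack("!HHI", 0, 65000, 1)
PE_A = VplsNlri(RD_FOO, ve_id=1, vbo=1, vbs=8, label_base=2000)
PE_B_BLOCK = VplsNlri(RD_FOO, ve_id=3, vbo=1, vbs=8, label_base=5000)

if __name__ == "__main__":
    received = parse_vpls_nlri(encode_vpls_nlri(PE_A))
    print(pw_setup(3, received, [PE_B_BLOCK]))
```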

3.2.4. Signaling PE Capabilities

The following extended attribute, the "Layer2 Info Extended Community", is used to signal control information about the pseudowires to be set up for a given VPLS. The extended community value is to be allocated by IANA (currently used value is 0x800A). This information includes the Encaps Type (type of encapsulation on the pseudowires), Control Flags (control information regarding the pseudowires), and the Maximum Transmission Unit (MTU) to be used on the pseudowires.

The Encaps Type for VPLS is 19.

      +------------------------------------+
      | Extended community type (2 octets) |
      +------------------------------------+
      |  Encaps Type (1 octet)             |
      +------------------------------------+
      |  Control Flags (1 octet)           |
      +------------------------------------+
      |  Layer-2 MTU (2 octet)             |
      +------------------------------------+
      |  Reserved (2 octets)               |
      +------------------------------------+
        

Figure 3: Layer2 Info Extended Community

       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      |   MBZ     |C|S|      (MBZ = MUST Be Zero)
      +-+-+-+-+-+-+-+-+
        

Figure 4: Control Flags Bit Vector

With reference to Figure 4, the following bits in the Control Flags are defined; the remaining bits, designated MBZ, MUST be set to zero when sending and MUST be ignored when receiving this community.

      Name   Meaning

      C      A Control word [7] MUST or MUST NOT be present when sending
             VPLS packets to this PE, depending on whether C is 1 or 0,
             respectively

      S      Sequenced delivery of frames MUST or MUST NOT be used when
             sending VPLS packets to this PE, depending on whether S is 1
             or 0, respectively
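
As an added illustration (not code from RFC 4761), the Python below builds and parses the 8-octet community of Figure 3 and applies the MBZ rule of Figure 4: zero on send, ignored on receipt. The bit masks follow the IETF convention that bit 0 is the most significant bit; the class and function names, the `mbz_seen` field kept for logging, and the sample octets are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

L2_INFO_TYPE = 0x800A   # "currently used value" quoted in the text
ENCAPS_VPLS = 19        # Encaps Type for VPLS
FLAG_C = 0x02           # bit 6 of Figure 4: control word
FLAG_S = 0x01           # bit 7 of Figure 4: sequenced delivery
MBZ_MASK = 0xFC         # bits 0-5: MUST Be Zero


@dataclass(frozen=True)
class Layer2Info:
    encaps_type: int
    control_word: bool   # C
    sequenced: bool      # S
    mtu: int             # Layer-2 MTU
    mbz_seen: int        # nonzero MBZ bits found on receipt (ignored, kept for logging)


def build_layer2_info(control_word: bool, sequenced: bool, mtu: int) -> bytes:
    """Encode the community; MBZ bits and the Reserved field are sent as zero."""
    if not 0 <= mtu <= 0xFFFF:
        raise ValueError("MTU does not fit the 2-octet field")
    flags = (FLAG_C if control_word else 0) | (FLAG_S if sequenced else 0)
    return struct.pack("!HBBHH", L2_INFO_TYPE, ENCAPS_VPLS, flags, mtu, 0)


def parse_layer2_info(buf: bytes) -> Layer2Info:
    """Decode the community; MBZ bits do not influence C, S or the MTU."""
    if len(buf) != 8:
        raise ValueError(f"extended community must be 8 octets, got {len(buf)}")
    ctype, encaps, flags, mtu, _reserved = struct.unpack("!HBBHH", buf)
    if ctype != L2_INFO_TYPE:
        raise ValueError(f"not a Layer2 Info community: type 0x{ctype:04x}")
    if encaps != ENCAPS_VPLS:
        raise ValueError(f"Encaps Type {encaps} is not VPLS ({ENCAPS_VPLS})")
    return Layer2Info(
        encaps_type=encaps,
        control_word=bool(flags & FLAG_C),
        sequenced=bool(flags & FLAG_S),
        mtu=mtu,
        mbz_seen=flags & MBZ_MASK,
    )


# Constructed sample: C set, S clear, MTU 1500, and two MBZ bits wrongly set
# by a hypothetical sender. The receiver still reads C, S and the MTU normally.
SAMPLE_WITH_MBZ = bytes.fromhex("800a13c205dc0000")

if __name__ == "__main__":
    print(parse_layer2_info(SAMPLE_WITH_MBZ))
    print(build_layer2_info(True, False, 1500).hex())
```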

3.3. BGP VPLS Operation

To create a new VPLS, say VPLS foo, a network administrator must pick an RT for VPLS foo, say RT-foo. This will be used by all PEs that serve VPLS foo. To configure a given PE, say PE-a, to be part of VPLS foo, the network administrator only has to choose a VE ID V for PE-a. (If PE-a is connected to u-PEs, PE-a may be configured with more than one VE ID; in that case, the following is done for each VE ID). The PE may also be configured with a Route Distinguisher (RD); if not, it generates a unique RD for VPLS foo. Say the RD is RD-foo-a. PE-a then generates an initial label block and a remote VE set for V, defined by VE Block Offset VBO, VE Block Size VBS, and label base LB. These may be empty.

PE-a then creates a VPLS BGP NLRI with RD RD-foo-a, VE ID V, VE Block Offset VBO, VE Block Size VBS and label base LB. To this, it attaches a Layer2 Info Extended Community and an RT, RT-foo. It sets the BGP Next Hop for this NLRI as itself, and announces this NLRI to its peers. The Network Layer protocol associated with the Network Address of the Next Hop for the combination <AFI=L2VPN AFI, SAFI=VPLS SAFI> is IP; this association is required by [4], Section 5. If the value of the Length of the Next Hop field is 4, then the Next Hop contains an IPv4 address. If this value is 16, then the Next Hop contains an IPv6 address.

If PE-a hears from another PE, say PE-b, a VPLS BGP announcement with RT-foo and VE ID W, then PE-a knows that PE-b is a member of the same VPLS (auto-discovery). PE-a then has to set up its part of a VPLS pseudowire between PE-a and PE-b, using the mechanisms in Section 3.2. Similarly, PE-b will have discovered that PE-a is in the same VPLS, and PE-b must set up its part of the VPLS pseudowire. Thus, signaling and pseudowire setup is also achieved with the same Update message.

If W is not in any remote VE set that PE-a announced for VE ID V in VPLS foo, PE-b will not be able to set up its part of the pseudowire to PE-a. To address this, PE-a can choose to withdraw the old announcement(s) it made for VPLS foo, and announce a new Update with a larger remote VE set and corresponding label block that covers all VE IDs that are in VPLS foo. This, however, may cause some service disruption. An alternative for PE-a is to create a new remote VE set and corresponding label block, and announce them in a new Update, without withdrawing previous announcements.

If PE-a's configuration is changed to remove VE ID V from VPLS foo, then PE-a MUST withdraw all its announcements for VPLS foo that contain VE ID V. If all of PE-a's links to its CEs in VPLS foo go down, then PE-a SHOULD either withdraw all its NLRIs for VPLS foo or let other PEs in the VPLS foo know in some way that PE-a is no longer connected to its CEs.

3.4. Multi-AS VPLS

As in [14] and [6], the above auto-discovery and signaling functions are typically announced via I-BGP. This assumes that all the sites in a VPLS are connected to PEs in a single Autonomous System (AS).

However, sites in a VPLS may connect to PEs in different ASes. This leads to two issues: 1) there would not be an I-BGP connection between those PEs, so some means of signaling across ASes is needed; and 2) there may not be PE-to-PE tunnels between the ASes.

A similar problem is solved in [6], Section 10. Three methods are suggested to address issue (1); all these methods have analogs in multi-AS VPLS.

Here is a diagram for reference:

     __________       ____________       ____________       __________
    /          \     /            \     /            \     /          \
                \___/        AS 1  \   /  AS 2        \___/
                                    \ /
      +-----+           +-------+    |    +-------+           +-----+
      | PE1 | ---...--- | ASBR1 | ======= | ASBR2 | ---...--- | PE2 |
      +-----+           +-------+    |    +-------+           +-----+
                 ___                / \                ___
                /   \              /   \              /   \
    \__________/     \____________/     \____________/     \__________/
        

Figure 5: Inter-AS VPLS

As in the above reference, three methods for signaling inter-provider VPLS are given; these are presented in order of increasing scalability. Method (a) is the easiest to understand conceptually, and the easiest to deploy; however, it requires an Ethernet interconnect between the ASes, and both VPLS control and data plane state on the AS border routers (ASBRs). Method (b) requires VPLS control plane state on the ASBRs and MPLS on the AS-AS interconnect (which need not be Ethernet). Method (c) requires MPLS on the AS-AS interconnect, but no VPLS state of any kind on the ASBRs.

3.4.1. Method (a): VPLS-to-VPLS Connections at the ASBRs

In this method, an AS Border Router (ASBR1) acts as a PE for all VPLSs that span AS1 and an AS to which ASBR1 is connected, such as AS2 here. The ASBR on the neighboring AS (ASBR2) is viewed by ASBR1 as a CE for the VPLSs that span AS1 and AS2; similarly, ASBR2 acts as a PE for this VPLS from AS2's point of view, and views ASBR1 as a CE.

This method does not require MPLS on the ASBR1-ASBR2 link, but does require that this link carry Ethernet traffic and that there be a separate VLAN sub-interface for each VPLS traversing this link. It further requires that ASBR1 does the PE operations (discovery, signaling, MAC address learning, flooding, encapsulation, etc.) for all VPLSs that traverse ASBR1. This imposes a significant burden on ASBR1, both on the control plane and the data plane, which limits the number of multi-AS VPLSs.

Note that in general, there will be multiple connections between a pair of ASes, for redundancy. In this case, the Spanning Tree Protocol (STP) [15], or some other means of loop detection and prevention, must be run on each VPLS that spans these ASes, so that a loop-free topology can be constructed in each VPLS. This imposes a further burden on the ASBRs and PEs participating in those VPLSs, as these devices would need to run a loop detection algorithm for each such VPLS. How this may be achieved is outside the scope of this document.

3.4.2. Method (b): EBGP Redistribution of VPLS Information between ASBRs

This method requires I-BGP peerings between the PEs in AS1 and ASBR1 in AS1 (perhaps via route reflectors), an E-BGP peering between ASBR1 and ASBR2 in AS2, and I-BGP peerings between ASBR2 and the PEs in AS2. In the above example, PE1 sends a VPLS NLRI to ASBR1 with a label block and itself as the BGP nexthop; ASBR1 sends the NLRI to ASBR2 with new labels and itself as the BGP nexthop; and ASBR2 sends the NLRI to PE2 with new labels and itself as the nexthop. Correspondingly, there are three tunnels: T1 from PE1 to ASBR1, T2 from ASBR1 to ASBR2, and T3 from ASBR2 to PE2. Within each tunnel, the VPLS label to be used is determined by the receiving device; e.g., the VPLS label within T1 is a label from the label block that ASBR1 sent to PE1. The ASBRs are responsible for receiving VPLS packets encapsulated in a tunnel and performing the appropriate label swap operations described next so that the next receiving device can correctly identify and forward the packet.

The VPLS NLRI that ASBR1 sends to ASBR2 (and the NLRI that ASBR2 sends to PE2) is identical to the VPLS NLRI that PE1 sends to ASBR1, except for the label block. To be precise, the Length, the Route Distinguisher, the VE ID, the VE Block Offset, and the VE Block Size MUST be the same; the Label Base may be different. Furthermore, ASBR1 must also update its forwarding path as follows: if the Label Base sent by PE1 is L1, the Label-block Size is N, the Label Base sent by ASBR1 is L2, and the tunnel label from ASBR1 to PE1 is T, then ASBR1 must install the following in the forwarding path:

      swap L2 with L1 and push T,
      swap L2+1 with L1+1 and push T,
      ...
      swap L2+N-1 with L1+N-1 and push T.

ASBR2 must act similarly, except that it may not need a tunnel label if it is directly connected with ASBR1.

When PE2 wants to send a VPLS packet to PE1, PE2 uses its VE ID to get the right VPLS label from ASBR2's label block for PE1, and uses a tunnel label to reach ASBR2. ASBR2 swaps the VPLS label with the label from ASBR1; ASBR1 then swaps the VPLS label with the label from PE1, and pushes a tunnel label to reach PE1.

In this method, one needs MPLS on the ASBR1-ASBR2 interface, but there is no requirement that the link layer be Ethernet. Furthermore, the ASBRs take part in distributing VPLS information. However, the data plane requirements of the ASBRs are much simpler than in method (a), being limited to label operations. Finally, the construction of loop-free VPLS topologies is done by routing decisions, viz. BGP path and nexthop selection, so there is no need to run the Spanning Tree Protocol on a per-VPLS basis. Thus, this method is considerably more scalable than method (a).

3.4.3. Method (c): Multi-Hop EBGP Redistribution of VPLS Information between ASes

In this method, there is a multi-hop E-BGP peering between the PEs (or preferably, a Route Reflector) in AS1 and the PEs (or Route Reflector) in AS2. PE1 sends a VPLS NLRI with labels and nexthop self to PE2; if this is via route reflectors, the BGP nexthop is not changed. This requires that there be a tunnel LSP from PE1 to PE2. This tunnel LSP can be created exactly as in [6], Section 10 (c), for example using E-BGP to exchange labeled IPv4 routes for the PE loopbacks.

When PE1 wants to send a VPLS packet to PE2, it pushes the VPLS label corresponding to its own VE ID onto the packet. It then pushes the tunnel label(s) to reach PE2.

This method requires no VPLS information (in either the control or the data plane) on the ASBRs. The ASBRs only need to set up PE-to-PE tunnel LSPs in the control plane, and do label operations in the data plane. Again, as in the case of method (b), the construction of loop-free VPLS topologies is done by routing decisions, i.e., BGP path and nexthop selection, so there is no need to run the Spanning Tree Protocol on a per-VPLS basis. This option is likely to be the most scalable of the three methods presented here.

3.4.4. Allocation of VE IDs across Multiple ASes

In order to ease the allocation of VE IDs for a VPLS that spans multiple ASes, one can allocate ranges for each AS. For example, AS1 uses VE IDs in the range 1 to 100, AS2 from 101 to 200, etc. If there are 10 sites attached to AS1 and 20 to AS2, the allocated VE IDs could be 1-10 and 101 to 120. This minimizes the number of VPLS NLRIs that are exchanged while ensuring that VE IDs are kept unique.

In the above example, if AS1 needed more than 100 sites, then another range can be allocated to AS1. The only caveat is that there be no overlap between VE ID ranges among ASes. The exception to this rule is multi-homing, which is dealt with below.

3.5. Multi-homing and Path Selection

It is often desired to multi-home a VPLS site, i.e., to connect it to multiple PEs, perhaps even in different ASes. In such a case, the PEs connected to the same site can be configured either with the same VE ID or with different VE IDs. In the latter case, it is mandatory to run STP on the CE device, and possibly on the PEs, to construct a loop-free VPLS topology. How this can be accomplished is outside the scope of this document; however, the rest of this section will describe in some detail the former case. Note that multi-homing by the SP and STP on the CEs can co-exist; thus, it is recommended that the VPLS customer run STP if the CEs are able to.

In the case where the PEs connected to the same site are assigned the same VE ID, a loop-free topology is constructed by routing mechanisms, in particular, by BGP path selection. When a BGP speaker receives two equivalent NLRIs (see below for the definition), it applies standard path selection criteria such as Local Preference and AS Path Length to determine which NLRI to choose; it MUST pick only one. If the chosen NLRI is subsequently withdrawn, the BGP speaker applies path selection to the remaining equivalent VPLS NLRIs to pick another; if none remain, the forwarding information associated with that NLRI is removed.

Two VPLS NLRIs are considered equivalent from a path selection point of view if the Route Distinguisher, the VE ID, and the VE Block Offset are the same. If two PEs are assigned the same VE ID in a given VPLS, they MUST use the same Route Distinguisher, and they SHOULD announce the same VE Block Size for a given VE Offset.

3.6. Hierarchical BGP VPLS

This section discusses how one can scale the VPLS control plane when using BGP. There are at least three aspects of scaling the control plane:

1. alleviating the full mesh connectivity requirement among VPLS BGP speakers;

2. limiting BGP VPLS message passing to just the interested speakers rather than all BGP speakers; and

3. simplifying the addition and deletion of BGP speakers, whether for VPLS or other applications.

Fortunately, the use of BGP for Internet routing as well as for IP VPNs has yielded several good solutions for all these problems. The basic technique is hierarchy, using BGP Route Reflectors (RRs) [8]. The idea is to designate a small set of Route Reflectors that are themselves fully meshed, and then establish a BGP session between each BGP speaker and one or more RRs. In this way, there is no need for direct full mesh connectivity among all the BGP speakers. If the particular scaling needs of a provider require a large number of RRs, then this technique can be applied recursively: the full mesh connectivity among the RRs can be brokered by yet another level of RRs. The use of RRs solves problems 1 and 3 above.

It is important to note that RRs, as used for VPLS and VPNs, are purely a control plane technique. The use of RRs introduces no data plane state and no data plane forwarding requirements on the RRs, and does not in any way change the forwarding path of VPLS traffic. This is in contrast to the technique of Hierarchical VPLS defined in [10].

Another consequence of this approach is that it is not required that one set of RRs handles all BGP messages, or that a particular RR handle all messages from a given PE. One can define several sets of RRs, for example, a set to handle VPLS, another to handle IP VPNs, and another for Internet routing. Another partitioning could be to have some subset of VPLSs and IP VPNs handled by one set of RRs, and another subset of VPLSs and IP VPNs handled by another set of RRs; the use of Route Target Filtering (RTF), described in [12], can make this simpler and more effective.

Finally, problem 2 (that of limiting BGP VPLS message passing to just the interested BGP speakers) is addressed by the use of RTF. This technique is orthogonal to the use of RRs, but works well in conjunction with RRs. RTF is also very effective in inter-AS VPLS; more details on how RTF works and its benefits are provided in [12].

It is worth mentioning an aspect of the control plane that is often a source of confusion. No MAC addresses are exchanged via BGP. All MAC address learning and aging is done in the data plane individually by each PE. The only task of BGP VPLS message exchange is auto-discovery and label exchange.

Thus, BGP processing for VPLS occurs when

1. a PE joins or leaves a VPLS; or

2. a failure occurs in the network, bringing down a PE-PE tunnel or a PE-CE link.

These events are relatively rare, and typically, each such event causes one BGP update to be generated. Coupled with BGP's messaging efficiency when used for signaling VPLS, these observations lead to the conclusion that BGP as a control plane for VPLS will scale quite well in terms of both processing and memory requirements.

4. Data Plane

This section discusses two aspects of the data plane for PEs and u-PEs implementing VPLS: encapsulation and forwarding.

4.1. Encapsulation

Ethernet frames received from CE devices are encapsulated for transmission over the packet switched network connecting the PEs. The encapsulation is as in [7].

4.2. Forwarding

VPLS packets are classified as belonging to a given service instance and associated forwarding table based on the interface over which the packet is received. Packets are forwarded in the context of the service instance based on the destination MAC address. The former mapping is determined by configuration. The latter is the focus of this section.

4.2.1. MAC Address Learning

As was mentioned earlier, the key distinguishing feature of VPLS is that it is a multipoint service. This means that the entire Service Provider network should appear as a single logical learning bridge for each VPLS that the SP network supports. The logical ports for the SP "bridge" are the customer ports as well as the pseudowires on a VE. Just as a learning bridge learns MAC addresses on its ports, the SP bridge must learn MAC addresses at its VEs.

Learning consists of associating source MAC addresses of packets with the (logical) ports on which they arrive; this association is the Forwarding Information Base (FIB). The FIB is used for forwarding packets. For example, suppose the bridge receives a packet with source MAC address S on (logical) port P. If subsequently, the bridge receives a packet with destination MAC address S, it knows that it should send the packet out on port P.

If a VE learns a source MAC address S on logical port P, then later sees S on a different port P', then the VE MUST update its FIB to reflect the new port P'. A VE MAY implement a mechanism to damp flapping of source ports for a given MAC address.

4.2.2. Aging

VPLS PEs SHOULD have an aging mechanism to remove a MAC address associated with a logical port, much the same as learning bridges do. This is required so that a MAC address can be relearned if it "moves" from a logical port to another logical port, either because the station to which that MAC address belongs really has moved or because of a topology change in the LAN that causes this MAC address to arrive on a new port. In addition, aging reduces the size of a VPLS MAC table to just the active MAC addresses, rather than all MAC addresses in that VPLS.

The "age" of a source MAC address S on a logical port P is the time since it was last seen as a source MAC on port P. If the age exceeds the aging time T, S MUST be flushed from the FIB. This of course means that every time S is seen as a source MAC address on port P, S's age is reset.

An implementation SHOULD provide a configurable knob to set the aging time T on a per-VPLS basis. In addition, an implementation MAY accelerate aging of all MAC addresses in a VPLS if it detects certain situations, such as a Spanning Tree topology change in that VPLS.

4.2.3. Flooding

When a bridge receives a packet to a destination that is not in its FIB, it floods the packet on all the other ports. Similarly, a VE will flood packets to an unknown destination to all other VEs in the VPLS.

In Figure 1 above, if CE2 sent an Ethernet frame to PE2, and the destination MAC address on the frame was not in PE2's FIB (for that VPLS), then PE2 would be responsible for flooding that frame to every other PE in the same VPLS. On receiving that frame, PE1 would be responsible for further flooding the frame to CE1 and CE5 (unless PE1 knew which CE "owned" that MAC address).

On the other hand, if PE3 received the frame, it could delegate further flooding of the frame to its u-PE. If PE3 was connected to two u-PEs, it would announce that it has two u-PEs. PE3 could either announce that it is incapable of flooding, in which case it would receive two frames, one for each u-PE, or it could announce that it is capable of flooding, in which case it would receive one copy of the frame, which it would then send to both u-PEs.

4.2.4. Broadcast and Multicast

There is a well-known broadcast MAC address. An Ethernet frame whose destination MAC address is the broadcast MAC address must be sent to all stations in that VPLS. This can be accomplished by the same means that is used for flooding.

There is also an easily recognized set of "multicast" MAC addresses. Ethernet frames with a destination multicast MAC address MAY be broadcast to all stations; a VE MAY also use certain techniques to restrict transmission of multicast frames to a smaller set of receivers, those that have indicated interest in the corresponding multicast group. Discussion of this is outside the scope of this document.

4.2.5. "Split Horizon" Forwarding

When a PE capable of flooding (say PEx) receives a broadcast Ethernet frame, or one with an unknown destination MAC address, it must flood the frame. If the frame arrived from an attached CE, PEx must send a copy of the frame to every other attached CE, as well as to all other PEs participating in the VPLS. If, on the other hand, the frame arrived from another PE (say PEy), PEx must send a copy of the packet only to attached CEs. PEx MUST NOT send the frame to other PEs, since PEy would have already done so. This notion has been termed "split horizon" forwarding and is a consequence of the PEs being logically fully meshed for VPLS.

Split horizon forwarding rules apply to broadcast and multicast packets, as well as packets to an unknown MAC address.

4.2.6. Qualified and Unqualified Learning

The key for normal Ethernet MAC learning is usually just the (6-octet) MAC address. This is called "unqualified learning". However, it is also possible that the key for learning includes the VLAN tag when present; this is called "qualified learning".

In the case of VPLS, learning is done in the context of a VPLS instance, which typically corresponds to a customer. If the customer uses VLAN tags, one can make the same distinctions of qualified and unqualified learning. If the key for learning within a VPLS is just the MAC address, then this VPLS is operating under unqualified learning. If the key for learning is (customer VLAN tag + MAC address), then this VPLS is operating under qualified learning.

Choosing between qualified and unqualified learning involves several factors, the most important of which is whether one wants a single global broadcast domain (unqualified) or a broadcast domain per VLAN (qualified). The latter makes flooding and broadcasting more efficient, but requires larger MAC tables. These considerations apply equally to normal Ethernet forwarding and to VPLS.
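
The rules of Sections 4.2.2 through 4.2.6 (aging, flooding, broadcast, split horizon, and the learning key) can be modelled together; the following is an added example, not part of the RFC. Port names follow Figure 1 (PE1 with CE1 and CE5 attached); the class name, the 300-second default for T, and the sample MAC addresses are assumptions.

```python
class VplsInstance:
    """Forwarding model of one VPLS on a flooding-capable PE (illustrative only)."""

    def __init__(self, ce_ports, pe_ports, aging_time=300.0, qualified=False):
        self.ce_ports = set(ce_ports)   # logical ports to attached CEs
        self.pe_ports = set(pe_ports)   # pseudowires to the other PEs in the VPLS
        self.aging_time = aging_time    # T; the 300 s default is an assumption
        self.qualified = qualified      # True: key is (customer VLAN tag, MAC)
        self.fib = {}                   # learning key -> (port, time last seen)

    def _key(self, mac, vlan):
        return (vlan, mac.lower()) if self.qualified else mac.lower()

    @staticmethod
    def _is_group(mac):
        # Broadcast and multicast addresses have the low bit of the first octet set.
        return bool(int(mac.split(":")[0], 16) & 1)

    def forward(self, in_port, src, dst, vlan=None, now=0.0):
        """Learn src on in_port and return the set of ports the frame is sent to."""
        # Aging: flush every entry whose age exceeds T.
        self.fib = {k: (p, t) for k, (p, t) in self.fib.items()
                    if now - t <= self.aging_time}
        # Learning: seeing src as a source MAC on in_port resets its age.
        self.fib[self._key(src, vlan)] = (in_port, now)

        entry = None if self._is_group(dst) else self.fib.get(self._key(dst, vlan))
        if entry is not None:
            out_port = entry[0]
            return set() if out_port == in_port else {out_port}

        # Flooding with split horizon: a frame from a CE goes to every other CE
        # and to all PEs; a frame from a PE goes to attached CEs only.
        out = self.ce_ports - {in_port}
        if in_port in self.ce_ports:
            out |= self.pe_ports
        return out
```

With `qualified=True` the same MAC address seen under two customer VLAN tags occupies two FIB entries, which is the larger-table cost the text mentions.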

4.2.7. Class of Service

In order to offer different Classes of Service within a VPLS, an implementation MAY choose to map 802.1p bits in a customer Ethernet frame with a VLAN tag to an appropriate setting of EXP bits in the pseudowire and/or tunnel label, allowing for differential treatment of VPLS frames in the packet switched network.

To be useful, an implementation SHOULD allow this mapping function to be different for each VPLS, as each VPLS customer may have its own view of the required behavior for a given setting of 802.1p bits.

5. Deployment Options

In deploying a network that supports VPLS, the SP must decide what functions the VPLS-aware device closest to the customer (the VE) supports. The default case described in this document is that the VE is a PE. However, there are a number of reasons that the VE might be a device that does all the Layer 2 functions (such as MAC address learning and flooding), and a limited set of Layer 3 functions (such as communicating to its PE), but, for example, doesn't do full-fledged discovery and PE-to-PE signaling. Such a device is called a "u-PE".

As both of these cases have benefits, one would like to be able to "mix and match" these scenarios. The signaling mechanism presented here allows this. For example, in a given provider network, one PE may be directly connected to CE devices, another may be connected to u-PEs that are connected to CEs, and a third may be connected directly to a customer over some interfaces and to u-PEs over others. All these PEs perform discovery and signaling in the same manner. How they do learning and forwarding depends on whether or not there is a u-PE; however, this is a local matter, and is not signaled. However, the details of the operation of a u-PE and its interactions with PEs and other u-PEs are beyond the scope of this document.

6. Security Considerations

The focus in Virtual Private LAN Service is the privacy of data, i.e., that data in a VPLS is only distributed to other nodes in that VPLS and not to any external agent or other VPLS. Note that VPLS does not offer confidentiality, integrity, or authentication: VPLS packets are sent in the clear in the packet switched network, and a man-in-the-middle can eavesdrop, and may be able to inject packets into the data stream. If security is desired, the PE-to-PE tunnels can be IPsec tunnels. For more security, the end systems in the VPLS sites can use appropriate means of encryption to secure their data even before it enters the Service Provider network.

There are two aspects to achieving data privacy in a VPLS: securing the control plane and protecting the forwarding path. Compromise of the control plane could result in a PE sending data belonging to some VPLS to another VPLS, or blackholing VPLS data, or even sending it to an eavesdropper; none of which are acceptable from a data privacy point of view. Since all control plane exchanges are via BGP, techniques such as in [2] help authenticate BGP messages, making it harder to spoof updates (which can be used to divert VPLS traffic to the wrong VPLS) or withdraws (denial-of-service attacks). In the multi-AS methods (b) and (c) described in Section 3, this also means protecting the inter-AS BGP sessions, between the ASBRs, the PEs, or the Route Reflectors. One can also use the techniques described in Section 10 (b) and (c) of [6], both for the control plane and the data plane. Note that [2] will not help in keeping VPLS labels private -- knowing the labels, one can eavesdrop on VPLS traffic. However, this requires access to the data path within a Service Provider network.

There can also be misconfiguration leading to unintentional connection of CEs in different VPLSs. This can be caused, for example, by associating the wrong Route Target with a VPLS instance. This problem, shared by [6], is for further study.

Protecting the data plane requires ensuring that PE-to-PE tunnels are well-behaved (this is outside the scope of this document), and that VPLS labels are accepted only from valid interfaces. For a PE, valid interfaces comprise links from P routers. For an ASBR, a valid interface is a link from an ASBR in an AS that is part of a given VPLS. It is especially important in the case of multi-AS VPLSs that one accept VPLS packets only from valid interfaces.

MPLS-in-IP and MPLS-in-GRE tunneling are specified in [3]. If it is desired to use such tunnels to carry VPLS packets, then the security considerations described in Section 8 of that document must be fully understood. Any implementation of VPLS that allows VPLS packets to be tunneled as described in that document MUST contain an implementation of IPsec that can be used as therein described. If the tunnel is not secured by IPsec, then the technique of IP address filtering at the border routers, described in Section 8.2 of that document, is the only means of ensuring that a packet that exits the tunnel at a particular egress PE was actually placed in the tunnel by the proper tunnel head node (i.e., that the packet does not have a spoofed source address). Since border routers frequently filter only source addresses, packet filtering may not be effective unless the egress PE can check the IP source address of any tunneled packet it receives, and compare it to a list of IP addresses that are valid tunnel head addresses. Any implementation that allows MPLS-in-IP and/or MPLS-in-GRE tunneling to be used without IPsec MUST allow the egress PE to validate in this manner the IP source address of any tunneled packet that it receives.
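
The egress-PE check required by the last sentence above, comparing the outer IP source address of a tunneled packet with a list of valid tunnel head addresses, is sketched here as an added example that is not part of the RFC. The function names, the documentation-range addresses, and the constructed sample packets are assumptions; only IPv4 outer headers are handled.

```python
import ipaddress
import struct

IPPROTO_GRE = 47                  # GRE
IPPROTO_MPLS_IN_IP = 137          # MPLS-in-IP
GRE_PROTO_MPLS_UNICAST = 0x8847   # GRE protocol type for MPLS unicast

def classify_tunnel(packet: bytes):
    """Return (source address, tunnel kind) for MPLS-in-IP/GRE over IPv4, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # outer header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    if proto == IPPROTO_MPLS_IN_IP:
        return src, "mpls-in-ip"
    if proto == IPPROTO_GRE and len(packet) >= ihl + 4:
        (gre_proto,) = struct.unpack_from("!H", packet, ihl + 2)
        if gre_proto == GRE_PROTO_MPLS_UNICAST:
            return src, "mpls-in-gre"
    return None

def egress_accept(packet: bytes, valid_heads) -> bool:
    """Accept a tunneled packet only if its source is a configured tunnel head."""
    info = classify_tunnel(packet)
    if info is None:
        return False                          # not a tunnel this PE terminates
    src, _kind = info
    return src in valid_heads

def build_ipv4(src, dst, proto, payload=b""):
    """Constructed sample packet; the header checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Constructed configuration: the tunnel head addresses this egress PE trusts.
VALID_TUNNEL_HEADS = {ipaddress.IPv4Address("192.0.2.1"),
                      ipaddress.IPv4Address("192.0.2.2")}
# Constructed label stack entry: label 100, bottom of stack, TTL 64.
SAMPLE_LABEL = struct.pack("!I", (100 << 12) | (1 << 8) | 64)
```

The check belongs on the egress PE itself because, as the text notes, border routers frequently filter only source addresses and so cannot tie a source to a particular tunnel endpoint.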

7. IANA Considerations

IANA allocated value (25) for AFI for L2VPN information. This should be the same as the AFI requested by [11].

IANA allocated an extended community value (0x800a) for the Layer2 Info Extended Community.

8. References
8.1. Normative References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[2] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 Signature Option", RFC 2385, August 1998.

[3] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE)", RFC 4023, March 2005.

[4] Bates, T., Katz, D., and Y. Rekhter, "Multiprotocol Extensions for BGP-4", RFC 4760, January 2007.

[5] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended Communities Attribute", RFC 4360, February 2006.

[6] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364, February 2006.

[7] Martini, L., Rosen, E., El-Aawar, N., and G. Heron, "Encapsulation Methods for Transport of Ethernet over MPLS Networks", RFC 4448, April 2006.

8.2. Informative References

[8] Bates, T., Chen, E., and R. Chandra, "BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP)", RFC 4456, April 2006.

[9] Andersson, L. and E. Rosen, "Framework for Layer 2 Virtual Private Networks (L2VPNs)", RFC 4664, September 2006.

[10] Lasserre, M., Ed. and V. Kompella, Ed., "Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling", RFC 4762, January 2007.

[11] Ould-Brahim, H., "Using BGP as an Auto-Discovery Mechanism for VR-based Layer-3 VPNs", Work in Progress, April 2006.

[12] Marques, P., "Constrained VPN Route Distribution", Work in Progress, June 2005.

[13] Martini, L., Rosen, E., El-Aawar, N., Smith, T., and G. Heron, "Pseudowire Setup and Maintenance Using the Label Distribution Protocol (LDP)", RFC 4447, April 2006.

[14] Kompella, K., "Layer 2 VPNs Over Tunnels", Work in Progress, January 2006.

[15] Institute of Electrical and Electronics Engineers, "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Common specifications - Part 3: Media Access Control (MAC) Bridges: Revision. This is a revision of ISO/IEC 10038: 1993, 802.1j-1992 and 802.6k-1992. It incorporates P802.11c, P802.1p and P802.12e. ISO/IEC 15802-3: 1998.", IEEE Standard 802.1D, July 1998.

Appendix A. Contributors

The following contributed to this document:

Javier Achirica, Telefonica
Loa Andersson, Acreo
Giles Heron, Tellabs
Sunil Khandekar, Alcatel-Lucent
Chaitanya Kodeboyina, Nuova Systems
Vach Kompella, Alcatel-Lucent
Marc Lasserre, Alcatel-Lucent
Pierre Lin
Pascal Menezes
Ashwin Moranganti, Appian
Hamid Ould-Brahim, Nortel
Seo Yeong-il, Korea Tel

Appendix B. Acknowledgements

Thanks to Joe Regan and Alfred Nothaft for their contributions. Many thanks too to Eric Ji, Chaitanya Kodeboyina, Mike Loomis, and Elwyn Davies for their detailed reviews.

Editors' Addresses

Kireeti Kompella
Juniper Networks
1194 N. Mathilda Ave.
Sunnyvale, CA 94089
US

   EMail: kireeti@juniper.net

Yakov Rekhter
Juniper Networks
1194 N. Mathilda Ave.
Sunnyvale, CA 94089
US

   EMail: yakov@juniper.net

Full Copyright Statement

Copyright (C) The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
