127 results about "MPLS VPN" patented technology

A method, system and gateway for remotely accessing an MPLS VPN are provided. In the method, multiple virtual interfaces are established in an SSL VPN gateway, one virtual interface is bound with one VPN, different VPN users are differentiated according to authentication and authorization information of users, and the authentication and authorization information of the users is respectively bound with corresponding VPNs. When the SSL VPN gateway receives a packet sent by a user, an inner label and an outer label are added to the packet according to a VPN instance bound with the user; when receiving a response packet from a resource server, the SSL VPN gateway searches for a VPN instance according to the VPN label, and forwards the response packet to the user through the SSL connection according to the found VPN instance.

The present invention provides a system and method for forwarding traffic data in a MPLS VPN network within a telecommunications network. The method comprise a technique for gateway selection in the MPLS VPN by using a combination of recursive floating static routes in the PE routers and conditional route advertisements from the gateway CE routers. This method allows for choice of gateway on a per-PE per-VRF basis.

A technique for effectively capturing site-to-site traffic statistic without significantly affecting the performance of a router in an MPLS-VPN service network is disclosed. In one example embodiment, this is accomplished by computing source PE IP and source PE interface from each flow record received at a destination PE router to identify an associated source VPN site.

The embodiments described herein present methods and apparatuses for on-path CAC operations in a MPLS-VPN environment. In an example embodiment, an ingress PE device receives a quality of service (QoS) resource reservation request; constructs an outgoing message that includes information allowing an egress PE device to identify the virtual private network routing and forwarding table (VRF) associated with a resource reservation resulting from the QoS resource reservation request; and transmits the outgoing message to the egress PE device, where the information allowing VRF identification is echoed back by the egress PE device and used by the ingress PE device to identify the VRF associated with the resource reservation resulting from the QoS resource reservation request. Other embodiments are described.

Discovering a network service topology of a virtual private network (VPN) that uses multiprotocol label switching (MPLS) comprises receiving route target values from a virtual private network (VPN) route forwarding table (VRF table) of a networking device; determining and storing in a table one or more link pairs based on the route target values, wherein each of the link pairs indicates a connection between a first site and a second site within the VPN; creating a set of VPN objects based on an association between a first VPN object and the one or more link pairs stored in the table, wherein each of the VPN objects includes information indicating connectivity between a subset of sites from a plurality of sites within the VPN; and determining the topology for the first VPN object based on applying one or more topology rules to the subset of sites within the first VPN object.

The invention discloses a method for realizing rapid rerouting in a multiple protocol label switch virtual private network (MPLS VPN), which comprises the following steps that: two routes acquired by a border router and labels respectively generate a primary label switch path (Label Switch Path, LSP) and a standby LSP; the primary LSP and the standby LSP are handed down to a forwarding table simultaneously; whether the state of the primary LSP is effective is queried; if yes, the primary LSP is used to transmit flow rate; otherwise, the standby LSP is used to transmit flow rate. Accordingly, the invention also discloses route equipment; the method for realizing rapid reroute in MPLS VPN and the equipment can realize the rapid reroute, achieve rapid operation convergence when the equipment has fault and improve the QoS of real-time operation.

A method and apparatus for representing a network and performing operations on the represented network are disclosed. The method comprises the steps of creating at least one configuration non-specific object class associated with components of the network, creating at least one configuration non-specific representation of relationships among associated object classes, representing a behavior relationship among the object classes based on the representations of the relationships among the object classes and analyzing properties of the network based on the behavior relationships. In aspects of the invention, the represented network may be an MPLS network, a VPN or a combined MPLS-VPN.

A method and apparatus for representing a network and performing operations on the represented network are disclosed. The method comprises the steps of creating at least one configuration non-specific object class associated with components of the network, creating at least one configuration non-specific representation of relationships among associated object classes, representing a behavior relationship among the object classes based on the representations of the relationships among the object classes and analyzing properties of the network based on the behavior relationships. In aspects of the invention, the represented network may be an MPLS network, a VPN or a combined MPLS-VPN.

Encryption of Internet Protocol (IP) traffic using IP Security (IPSec) at the edge of the enterprise network, in such a way as to support resilient BGP / MPLS IP VPN network designs. The IP traffic is securely tunneled within IPSec tunnels from the edge to the edge of the enterprise network. The IPSec traffic is also tunneled within MPLS tunnels from the edge to the edge of the service provider network. The enterprise network thus manages its own IPSec site-to-site VPN. The service provider thus independently manages its own MPLS network. The result provides an IP VPN or Layer 3 MPLS VPN to the enterprise; the enterprise IPSec network can thus be considered as an overlay to the MPLS service provider network.

The invention discloses a communication method and device for an NVO3 (Network Virtualization Overlays) network and an MPLS (multi-protocol label switching) network and aims to achieve cross-domain communication between the NVO3 network and the MPLS VPN (virtual private network) network. In certain feasible embodiments, the method includes the steps: an ASBR (autonomous system border router) in the NVO3 network acquires an identifier of PE (provider edge) equipment in the MPLS network and an MPLS label which is assigned by the ASBR in the MPLS network and which is used as an outer label for an MPLS packaged message transmitted to the PE equipment by the ASBR in the NVO3 network; in a local address pool, an IP (internet protocol) address is assigned for the MPLS label, and a correspondence between the MPLS label and the assigned IP address is stored; routing information which includes the identifier of the PE equipment and the assigned IP address is sent to an NVE (network virtualization edge), and the assigned IP address is used as an outer target address of a NVO3 packaged message which a TES (tenants terminal system) in the NVO3 network transmits to CE (customer edge) equipment connected with the PE equipment in the MPLS network.

A technique that simplifies managing and configuring firewalls by provisioning a vendor-neutral firewall in an MPLS-VPN service network. In one example embodiment, this is accomplished by creating a vendor-neutral firewall policy using a service activation tool residing in a host server. One of the one or more VPNs requiring the provisioning of the vendor-neutral firewall in the MPLS-VPN service network is then selected. The created vendor-neutral firewall policy is then transformed to form a vendor-specific firewall policy associated with the selected one of the one or more VPNs.

This invention discloses a method for setting up label switch path of MIPLS VPN tunnel including: a label switch router LSR in a network determines the forward equivalence FEC corresponding to the destination IP address of the MPLS VPN tunnel to distribute label to it firstly and set up a binding relation between the FEC and the distributed label and notifies the binding relation with the prior label to its upper reach LSR, which receives the binding relation notified by the lower reach LSR to process the binding relation with the prior label priorly. This invention also discloses a LSP set-up system and a device of the MPLS VPN tunnel.

The invention discloses a discovery method of network topology based on MPLS-VPN, relating to the technical field of network management. The method comprises the steps of: acquiring MPLS-VPN configuration data information in the process of acquiring network information; and drawing an MPLS-VPN topological graph according to the MPLS-VPN configuration data information. On the basis of the method, a system comprises an MPLS-VPN configuration data information acquisition module for acquiring the MPLS-VPN configuration data information in the process of acquiring network information, and an MPLS-VPN topological graph drawing module for drawing the MPLS-VPN topological graph according to the MPLS-VPN configuration data information. The method can automatically discover and generate the topological graph to provide visual VPN information according to the condition of the MPLS-VPN network configuration.

The invention discloses a connectivity detection method of MPLS VPN. Based on the SNMP agreement, a private MIB library is loaded in a PE device, and the SNMP agent process in the PE device conducts operation on the private MIB library, and the steps comprise that : (a) the user set a Ping parameter at the network management client terminal, and the SNMP agent process in the PE device sets the network element MIB library and transmits the Ping parameter to a business execution module; (b) the business execution module starts up the Ping operation according to the Ping parameter and returns the Ping result to the SNMP agent process to store the result in the MIB library; (c) the SNMP management process of the network management terminal returns the Ping result which is taken from the private MIB library to the network client terminal. The method of the invention can enable the user more conveniently to conduct the VPN business connectivity detection in the VPN business management system.

The invention discloses method for implementing multicast in virtual private network of boundary gateway protocol / multiple label switch BGP / MPLS VPN. The method includes steps: (1) finding out periphery routers PE supplied by all service providers in same multicast virtual private network MVPN; (2) building full interlinked virtual circuit PW among found PE, the PW connects to multicast virtual route forwarding table MVRF one-to-one correspondence to MVPN on two ends PE; (3) when multicast packet inside MVPN passes through network of multiple label switch / internet protocol MPLS / IP of service providers, entry PE forwards PW bound to MVRF to exit PE; based on PW of receiving the multicast packet, the exit PE of having received multicast packet determines MVRF the multicast packet belongs to; then the exit PE forwards the multicast packet through MVRF.

The invention provides a VPN (Virtual Private Network) virtualization method and system of visiting a virtual private cloud. The VPN virtualization method comprises the following steps of: pre-allocating a correspondence relationship between a QingQ VLAN (Virtual Local Area Network) and an MPLS (Multi Protocol Label Switch) VPN which are applied by an enterprise user; and transmitting a data stream in the MPLS VPN applied by the enterprise user in a mode of marking a QingQ VLAN label on the data stream of the enterprise user, which is interacted with the virtual private cloud of a data center. According to the VPN virtualization method and system provided by the invention, the purpose of visiting the virtual private clouds by a plurality of enterprise users is achieved just by hiring one MPLS VPN from an operator, so that the occupancy of resources is reduced and the cost is saved; and high QoS (Quality of Service) requirement of the enterprise users can be ensured, the transmission expenditure is saved because encryption is not needed, and in addition, the purpose of communication while opening can be achieved without complex configuration.

Techniques and apparatus that allow for accurate determination of network topology utilizing multicast groups are provided. A multicast group may be established that contains a set of VPN endpoints to be monitored. By sending ping packets from each provider edge endpoint to the multicast group, ping responses (with unicast addresses for responders) may be collected and analyzed to determine reachability of the endpoints.

A mechanism for ASBRs to identify the originating node, or router, in an LSP conversant autonomous system (AS), such as an MPLS VPN environment, maintains the identity of the originating node and successive nodes in subsequent autonomous systems along the path to the node to be pinged. The identity of the transporting nodes is stored in a stack or other object associated with the ping request (ping), such that the pinged node may employ the stored identity as a set of return path routing information. Successive ASBRs store their identity on the stack, in an ordered manner, along the path to the destination. Upon reaching the destination (ping) node, the destination node employs the identity of the first node on the stack to send the acknowledgment, or ping response. Each successive ASBR, therefore, pops (retrieves) the next node identity from the stack and redirects (sends) the ping response to the retrieved node.

A network grouping method based on the gate way of virtual private network with multiprotocol label exchange includes setting up one set or multiset of gate way for virtual private network (MPLS VPN)with multiprotocol label exchange between the network of local internet inserting service person (ISP) and one level higher ISP network or other ISP network, connecting MPLS VPN gate way with the local ISP network according to the network technical conformation, connecting MPLS VPN gate way with one level higher or other ISP network, and at the same time, connecting MPLS VPN gate way with the equipment of the client edge router (CE) in the client network, and at least invocating the corresponding functions of MPLS VPN gate way to provide MPLS VPN service.

The invention discloses method of communication between sites in Virtual Private Network (VPN) across border gateway protocol (BGP) of mixing network in Internet protocol version 4 (IPv4) / IPv6 of multiple autonomous system (AS) / multiple protocol label switch (MPLS). The method includes steps: label switch path (LSP) is built between periphery equipment (PE) of service provider at exit of source VPN site and PE at entry of destination VPN site; based on obtained path information of destination VPN site, source VPN site sends VPN traffic flow to destination VPN site so as to realize communication. The invention implements communication between VPN sites when VPN sites are in IPv4 / IPv6 mixing network, and backbone network of VPN is BGP / MPLS. Through improving current equipment simply, the invention can provide BGP / MPLS VPN value added service in period of transition from IPv4 to IPv6.

The invention provides a fault detection method and business provider edge (PE) equipment, applied in a multi-protocol label switching virtual private network (MPLS VPN). The method comprises the following steps: an opposite-end PE periodically transmits a destination IP address through a private network interface of a VPN (Virtual Private Network) example to serve as the bidirectional forwarding detection (BFD) message of a private network interface address of a local-end PE, and determines that a fault occurs on an opposite-end private access link or a public network link of the VPN example if the local-end PE does not receive the BFD message in the set time period. Accordingly, the local-end PE can know that a fault occurs in the opposite-end private network access link so as to start a backup link in time to obviate the business interruption of the corresponding VPN example.

The invention discloses a method and a system for monitoring flow in an MPLS-VPN (Multiple Protocol Label Switching-Virtual Private Network) and relates to the technical field of network information. The method for monitoring flow in the MPLS-VPN provided by the embodiment of the invention can automatically learn according to data, intelligently adjust a monitoring threshold and realize a flexible flow monitoring solution. The MPLS-VPN can be dynamically monitored through a base line, the manual configuration of the monitoring threshold by a network administrator can be reduced, and a software program can dynamically generate the monitoring threshold according to historical flow data. Not only can the labor input be greatly reduced, but also the flow monitoring of the MPLS-VPN can be more properly realized. The method and the system can be continuously improved and upgraded with service environments; since the new service environment and the network environment increasingly become complex and the situations of network environment change and network recombination become more and more, aiming at different service environments, the monitoring demand can be quickly satisfied.

The invention discloses a method and a device for the failure diagnosis of a multi-protocol label switching virtual private network (MPLS VPN). The method comprises the following steps of: selecting source equipment and destination equipment between which communication is interrupted, and determining a link connection relationship between the source equipment and the destination equipment; determining a network layer and equipment with a communication failure according to the link connection relationship between the source equipment and the destination equipment; and displaying the network layer and the equipment with the communication failure in a topology way. By the method and the device in the embodiment of the invention, a VPN communication failure can be directly and rapidly positioned, and communication failure diagnosis efficiency can be greatly improved.

The invention discloses method and system for rapidly rerouting an MPLS VPN (Multi-Protocol Label Switching Virtual Private Network). The rapid rerouting method comprises the following steps of: when detecting that a communicated link of user edge equipment (CE-A) at the target end is in failure, activating VPN v4 routing of standby backbone network edge equipment (PE-B) at the target end; packaging a new inner-layer label Li2 and an outer-layer label on the received database and transmitting the database to the standby backbone network edge equipment (PE-B) at the target end by using main backbone network edge equipment (PE-A) at the target end, wherein the next jump indication of the main backbone network edge equipment (PE-A) is used as a last-ump main backbone network core router (P-C) of the main backbone network edge equipment (PE-A) at the target end; and transmitting the database along an LSP (Label Switching Path) between the main backbone network edge equipment (PE-A) and the standby backbone network edge equipment (PE-B) at the target end at the moment.

This application discloses a method for transmitting traffic-guiding routing information. The method is applied to a cleaning apparatus in a multi-protocol label switching virtual private network (MPLS VPN) so as to solve the problem of incapability of effectively defending attack traffic in a multi-protocol label switching virtual private network (MPLS VPN) scene existing in an existing traffic cleaning scheme. The method includes the following steps that: the cleaning apparatus generates traffic-guiding routing information, wherein the traffic-guiding routing information carries an autonomous system (AS) number and the IP address of a protected node, wherein the autonomous system (AS) number is an autonomous system (AS) number of a first custom edge (CE) router connected with a network section to which the protected node belongs; and the cleaning apparatus transmits the traffic-guiding routing information to the first custom edge (CE) router and a second custom edge (CE) router, and therefore, the first custom edge (CE) router can be made to discard the traffic-guiding routing information according to the autonomous system (AS) number and an external border gateway protocol (EBGP) loop-prevention mechanism, and the second custom edge (CE) router can be made to save the traffic-guiding routing information according to the autonomous system (AS) number and the external border gateway protocol (EBGP) loop-prevention mechanism. The invention also discloses a cleaning apparatus.

An MPLS-VPN (MultiProtocol Label Switching-Virtual Private Network) service network of the present invention includes an interface identifying device. The Interface identifying device includes a virtual router belonging to a preselected VPN and an MPLS label operating section for stacking or removing MPLS labels on or from an IP packet received from the virtual router. The label operating section is made up of a first-stage label operating section for stacking on an IP packet received from a customer an MPLS label for transferring the packet over the network and a second-stage MPLS label operating section for executing label operation for identifying a virtual interface. The network constructs a virtual interface at each virtual router for allowing a routing protocol to operate between user sites that belong to the same VPN.

The invention provides a message forwarding method and service provider edge (PE) equipment for a multi-protocol label switching virtual private network (MPLS VPN). Corresponding relationships between IPsec strategies and VPN instances are configured in advance in the PE equipment in the MPLS VPN, so that data messages can be decapsulated by MPLS, encrypted by directly using corresponding IPsec strategies and forwarded by a customer edge (CE) equipment side physical interface; or after being received from the CE equipment side physical interface, the data messages are decrypted by the IPsec strategies, correspondingly decapsulated by the MPLS and forwarded by a P router side interface. The method and the PE equipment are realized more simply and conveniently without performing complex tunnel interface configuration and occupying an additional Internet protocol (IP) address.