6. Maintaining Proper Isolation of VPNs

To maintain proper isolation of one VPN from another, it is important that no router in the backbone accept a labeled packet from any adjacent non-backbone device unless the following two conditions hold:

1. the label at the top of the label stack was actually distributed by that backbone router to that non-backbone device, and

2. the backbone router can determine that use of that label will cause the packet to leave the backbone before any labels lower in the stack will be inspected, and before the IP header will be inspected.

The first condition ensures that any labeled packets received from non-backbone routers have a legitimate and properly assigned label at the top of the label stack. The second condition ensures that the backbone routers will never look below that top label. Of course, the simplest way to meet these two conditions is just to have the backbone devices refuse to accept labeled packets from non-backbone devices.

7. How PEs Learn Routes from CEs

The PE routers which attach to a particular VPN need to know, for each of that VPN's sites, which addresses in that VPN are at each site.

In the case where the CE device is a host or a switch, this set of addresses will generally be configured into the PE router attaching to that device. In the case where the CE device is a router, there are a number of possible ways that a PE router can obtain this set of addresses.

The PE translates these addresses into VPN-IPv4 addresses, using a configured RD. The PE then treats these VPN-IPv4 routes as input to BGP. Routes from a site are never leaked into the backbone's IGP.

Exactly which PE/CE route distribution techniques are possible depends on whether a particular CE is in a "transit VPN" or not. A "transit VPN" is one which contains a router that receives routes from a "third party" (i.e., from a router which is not in the VPN, but is not a PE router), and that redistributes those routes to a PE router.
A VPN which is not a transit VPN is a "stub VPN". The vast majority of VPNs, including just about all corporate enterprise networks, would be expected to be "stubs" in this sense.

The possible PE/CE distribution techniques are:

1. Static routing (i.e., configuration) may be used. (This is likely to be useful only in stub VPNs.)

2. PE and CE routers may be RIP peers, and the CE may use RIP to tell the PE router the set of address prefixes which are reachable at the CE router's site. When RIP is configured in the CE, care must be taken to ensure that address prefixes from other sites (i.e., address prefixes learned by the CE router from the PE router) are never advertised to the PE. More precisely: if a PE router, say PE1, receives a VPN-IPv4 route R1, and as a result distributes an IPv4 route R2 to a CE, then R2 must not be distributed back from that CE's site to a PE router, say PE2 (where PE1 and PE2 may be the same router or different routers), unless PE2 maps R2 to a VPN-IPv4 route which is different than (i.e., contains a different RD than) R1.

3. The PE and CE routers may be OSPF peers. A PE router which is an OSPF peer of a CE router appears, to the CE router, to be an area 0 router. If a PE router is an OSPF peer of CE routers which are in distinct VPNs, the PE must of course be running multiple instances of OSPF.

IPv4 routes which the PE learns from the CE via OSPF are redistributed into BGP as VPN-IPv4 routes. Extended community attributes are used to carry, along with the route, all the information needed to enable the route to be distributed to other CE routers in the VPN in the proper type of OSPF LSA. OSPF route tagging is used to ensure that routes received from the MPLS/BGP backbone are not sent back into the backbone.

Specification of the complete set of procedures for the use of OSPF between PE and CE can be found in [VPN-OSPF].

4. The PE and CE routers may be BGP peers, and the CE router may use BGP (in particular, EBGP) to tell the PE router the set of address prefixes which are at the CE router's site. (This technique can be used in stub VPNs or transit VPNs.)

This technique has a number of advantages over the others:

a) Unlike the IGP alternatives, this does not require the PE to run multiple routing algorithm instances in order to talk to multiple CEs.

b) BGP is explicitly designed for just this function: passing routing information between systems run by different administrations.

c) If the site contains "BGP backdoors", i.e., routers with BGP connections to routers other than PE routers, this procedure will work correctly in all circumstances. The other procedures may or may not work, depending on the precise circumstances.

d) Use of BGP makes it easy for the CE to pass attributes of the routes to the PE. A complete specification of the set of attributes and their use is outside the scope of this document. However, some examples of the way this may be used are the following:

- The CE may suggest a particular Route Target for each route, from among the Route Targets that the PE is authorized to attach to the route. The PE would then attach only the suggested Route Target, rather than the full set. This gives the CE administrator some dynamic control of the distribution of routes from the CE.

- Additional types of Extended Community attributes may be defined, where the intention is to have those attributes passed transparently (i.e., without being changed by the PE routers) from CE to CE. This would allow CE administrators to implement additional route filtering, beyond that which is done by the PEs. This additional filter
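The two acceptance conditions of section 6 above, written out as a decision procedure for one backbone router. This is an added example, not text or code from RFC 2547bis: the LabelBinding record, its exits_backbone flag, the refuse_all_labeled_from_ce policy switch and the neighbour names are assumptions made so that both conditions can be checked in code.

```python
"""Section 6 acceptance rule for labeled packets, modelled for one backbone router.

Added example, not text or code from RFC 2547bis. The LabelBinding record,
its exits_backbone flag and the neighbour names are assumptions made so the
two conditions can be checked in code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LabelBinding:
    """A label this router has distributed, and what it will do with it."""
    label: int
    distributed_to: str     # non-backbone neighbour the label was given to
    egress_neighbor: str    # where a packet carrying it is forwarded
    exits_backbone: bool    # True only if forwarding on this label hands the packet
                            # to a non-backbone device without looking beneath it


@dataclass
class BackboneRouter:
    name: str
    backbone_neighbors: Set[str]
    # The RFC's simplest safe policy: no labeled packets from non-backbone devices at all.
    refuse_all_labeled_from_ce: bool = False
    bindings: Dict[int, LabelBinding] = field(default_factory=dict)

    def distribute(self, label: int, to: str, egress_neighbor: str, exits_backbone: bool) -> None:
        """Record that this router handed `label` to neighbour `to`."""
        self.bindings[label] = LabelBinding(label, to, egress_neighbor, exits_backbone)

    def accept_labeled(self, from_neighbor: str, label_stack: List[int]) -> Tuple[bool, str]:
        """Decide whether a packet (top label first) from from_neighbor may be forwarded."""
        if from_neighbor in self.backbone_neighbors:
            return True, "from a backbone router: ordinary label forwarding"
        if not label_stack:
            return True, "unlabeled IP from a CE: ordinary VRF lookup, outside this check"
        if self.refuse_all_labeled_from_ce:
            return False, "policy: labeled packets from non-backbone devices are refused"
        top = label_stack[0]
        binding = self.bindings.get(top)
        # Condition 1: this router distributed the top label to this very neighbour.
        if binding is None or binding.distributed_to != from_neighbor:
            return False, f"label {top} was not distributed by {self.name} to {from_neighbor}"
        # Condition 2: using the label gets the packet out of the backbone before any
        # lower label or the IP header is inspected. A label that forwards into the
        # backbone, or that this router pops to look at what lies beneath, fails it.
        if not binding.exits_backbone:
            return False, f"label {top} keeps the packet in the backbone; inner labels could be inspected"
        return True, f"label {top} exits the backbone toward {binding.egress_neighbor}"
```

Condition 1 alone is not enough: a valid top label over a forged inner label or IP header would still be acted upon somewhere in the backbone, which is exactly what condition 2 rules out. A router that cannot tell where a label leads should fall back to the refuse_all_labeled_from_ce policy, which is the RFC's own recommendation for the simple case.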
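The section 7 rules for a PE importing routes from a CE, modelled in one place: translation into VPN-IPv4 with the VRF's configured RD, the rule that a route R2 handed to a site must not come back to a PE unless the resulting VPN-IPv4 route carries a different RD than R1, and the CE's Route Target suggestion honoured only when it is among the RTs the PE is authorised to attach. This is an added example, not text or code from RFC 2547bis. The BACKBONE_TAG constant (standing in for the OSPF route tag, and for the filtering a RIP-speaking CE must do itself), the string forms of RD and RT, the handed_to_ce memory, and the fallback of attaching the full authorised set when a CE suggests an unauthorised RT are assumptions made for illustration.

```python
"""Section 7 modelled for one PE: translate CE-learned prefixes into VPN-IPv4
routes with the VRF's configured RD, honour a CE's Route Target suggestion
only when it is authorised, and refuse to re-export a route the backbone
itself delivered to that site unless the RD would differ.

Added example, not text or code from RFC 2547bis. The tag constant, the
string forms of RD and RT, the handed_to_ce memory and the fallback for an
unauthorised RT suggestion are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Marker the PE puts on routes it hands to a CE so they are recognisable if
# the site advertises them back (the job OSPF route tagging does in the
# RFC; for RIP the CE must filter instead). The value is arbitrary.
BACKBONE_TAG = 0x2547


@dataclass(frozen=True)
class VpnIpv4Route:
    rd: str                   # Route Distinguisher, e.g. "65000:1"
    prefix: str               # IPv4 prefix, e.g. "10.1.0.0/16"
    route_targets: frozenset  # Route Target extended communities


@dataclass(frozen=True)
class CeRoute:
    prefix: str
    tag: int = 0                        # BACKBONE_TAG if the route came from a PE
    suggested_rt: Optional[str] = None  # RT the CE asks for, if any


@dataclass
class PeRouter:
    name: str
    rd: str                      # RD configured for this VRF
    authorized_rts: frozenset    # RTs this PE may attach to this site's routes
    # prefix -> RD of the VPN-IPv4 route R1 it was derived from (assumed bookkeeping)
    handed_to_ce: Dict[str, str] = field(default_factory=dict)

    def distribute_to_ce(self, r1: VpnIpv4Route) -> CeRoute:
        """VPN-IPv4 route R1 from BGP becomes plain IPv4 route R2 for the CE,
        tagged so the site cannot hand it straight back."""
        self.handed_to_ce[r1.prefix] = r1.rd
        return CeRoute(prefix=r1.prefix, tag=BACKBONE_TAG)

    def import_from_ce(self, r2: CeRoute) -> Optional[VpnIpv4Route]:
        """Return the VPN-IPv4 route to feed into BGP, or None if R2 must be dropped."""
        if r2.tag == BACKBONE_TAG:
            origin_rd = self.handed_to_ce.get(r2.prefix)
            # A tagged route from a site this PE never served (PE1 != PE2), or one
            # that would map back to the same RD as R1, would loop: drop it.
            if origin_rd is None or origin_rd == self.rd:
                return None
            # Otherwise the result carries a different RD than R1, which the RFC permits.
        if r2.suggested_rt is not None and r2.suggested_rt in self.authorized_rts:
            rts = frozenset({r2.suggested_rt})   # attach only what the CE asked for
        else:
            # No suggestion, or one this PE is not authorised to honour: the CE never
            # gets to choose an RT outside the configured set, so attach the full
            # authorised set instead (a design choice of this model).
            rts = self.authorized_rts
        return VpnIpv4Route(self.rd, r2.prefix, rts)
```

The security invariant is in the else branch: whatever the CE asks for, only RTs from the PE's configured set are ever attached, so a CE cannot steer its routes into a VPN it is not authorised to reach. The "different RD" escape is permitted by the text, but a route that re-enters the backbone under a second RD is a second VPN-IPv4 route for the same prefix, so operators normally still want the CE-side filtering the RIP paragraph asks for.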