Internet Engineering Task Force (IETF)                    A. Sajassi, Ed.
Request for Comments: 6246                                   F. Brockners
Category: Informational                                     Cisco Systems
ISSN: 2070-1721                                             D. Mohan, Ed.
                                                                   Nortel
                                                               Y. Serbest
                                                                     AT&T
                                                                June 2011
Virtual Private LAN Service (VPLS) Interoperability with Customer Edge (CE) Bridges
Abstract
One of the main motivations behind Virtual Private LAN Service (VPLS) is its ability to provide connectivity not only among customer routers and servers/hosts but also among customer IEEE bridges. VPLS is expected to deliver the same level of service that current enterprise users are accustomed to from their own enterprise bridged networks or their Ethernet Service Providers.
When customer edge (CE) devices are IEEE bridges, then there are certain issues and challenges that need to be accounted for in a VPLS network. The majority of these issues have been addressed in the IEEE 802.1ad standard for provider bridges and they can be leveraged for VPLS networks. This document extends the provider edge (PE) model described in RFC 4664 based on IEEE 802.1ad bridge module, and it illustrates a clear demarcation between the IEEE bridge module and IETF LAN emulation module. By doing so, it shows that the majority of interoperability issues with CE bridges can be delegated to the 802.1ad bridge module, thus removing the burden on the IETF LAN emulation module within a VPLS PE.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6246.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents
   1. Introduction
      1.1. Conventions
   2. Ethernet Service Instance
   3. VPLS-Capable PE Model with Bridge Module
   4. Mandatory Issues
      4.1. Service Mapping
      4.2. CE Bridge Protocol Handling
      4.3. Partial Mesh of Pseudowires
      4.4. Multicast Traffic
   5. Optional Issues
      5.1. Customer Network Topology Changes
      5.2. Redundancy
      5.3. MAC Address Learning
   6. Interoperability with 802.1ad Networks
   7. Acknowledgments
   8. Security Considerations
   9. Normative References
   10. Informative References
1. Introduction

Virtual Private LAN Service (VPLS) is a LAN emulation service intended for providing connectivity between geographically dispersed customer sites across MANs/WANs (over MPLS/IP), as if they were connected using a LAN. One of the main motivations behind VPLS is its ability to provide connectivity not only among customer routers and servers/hosts but also among IEEE customer bridges. If only connectivity among customer IP routers/hosts is desired, then an IP-only LAN Service [IPLS] solution could be used. The strength of the VPLS solution is that it can provide connectivity to both bridge and non-bridge types of CE devices. VPLS is expected to deliver the same level of service that current enterprise users are accustomed to from their own enterprise bridged networks [802.1D] [802.1Q] today or the same level of service that they receive from their Ethernet Service Providers using IEEE 802.1ad-based networks [802.1ad] (or its predecessor, QinQ-based networks).
When CE devices are IEEE bridges, then there are certain issues and challenges that need to be accounted for in a VPLS network. The majority of these issues have been addressed in the IEEE 802.1ad standard for provider bridges and they can be leveraged for VPLS networks. This document extends the PE model described in [RFC4664] based on the IEEE 802.1ad bridge module and illustrates a clear demarcation between IEEE bridge module and IETF LAN emulation module. By doing so, it describes that the majority of interoperability issues with CE bridges can be delegated to the 802.1ad bridge module, thus removing the burden on the IETF LAN emulation module within a VPLS PE. This document discusses these issues and, wherever possible, suggests areas to be explored in rectifying these issues. The detailed solution specification for these issues is outside of the scope of this document.
This document also discusses interoperability issues between VPLS and IEEE 802.1ad networks when the end-to-end service spans across both types of networks, as outlined in [RFC4762].
This document categorizes the CE-bridge issues into two groups: 1) mandatory and 2) optional. The issues in group (1) need to be addressed in order to ensure the proper operation of CE bridges. The issues in group (2) would provide additional operational improvement and efficiency and may not be required for interoperability with CE bridges. Sections 5 and 6 discuss these mandatory and optional issues, respectively.
1.1. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
2. Ethernet Service Instance

Before starting the discussion of bridging issues, it is important to clarify the Ethernet Service definition. The term VPLS has different meanings in different contexts. In general, VPLS is used in the following contexts [RFC6136]: a) as an end-to-end bridged LAN service over one or more networks (one of which is an MPLS/IP network), b) as an MPLS/IP network supporting these bridged LAN services, and c) as (V)LAN emulation. For better clarity, we differentiate between its usage as network versus service by using the terms VPLS network and VPLS instance, respectively. Furthermore, we confine VPLS (both network and service) to only the portion of the end-to-end network that spans an MPLS/IP network. For an end-to-end service (among different sites of a given customer), we use the term "Ethernet Service Instance" or ESI.
We define the Ethernet Service Instance (ESI) as an association of two or more Attachment Circuits (ACs) over which an Ethernet service is offered to a given customer. An AC can be either a User-Network Interface (UNI) or a Network-Network Interface (NNI); furthermore, it can be an Ethernet interface or a VLAN, it can be an ATM or Frame Relay Virtual Circuit, or it can be a PPP/HDLC (PPP/High-Level Data Link Control) interface. If an ESI is associated with more than two ACs, then it is a multipoint ESI. In this document, wherever the keyword ESI is used, it means multipoint ESI unless stated otherwise.
An ESI can correspond to a VPLS instance if its associated ACs are only connected to a VPLS network, or an ESI can correspond to a Service VLAN if its associated ACs are only connected to a Provider-Bridged network [802.1ad]. Furthermore, an ESI can be associated with both a VPLS instance and a Service VLAN when considering an end-to-end service that spans across both VPLS and Provider-Bridged networks. An ESI can span across different networks (e.g., IEEE 802.1ad and VPLS) belonging to the same or different administrative domains.
An ESI most often represents a customer or a specific service requested by a customer. Since traffic isolation among different customers (or their associated services) is of paramount importance in service provider networks, its realization shall be done such that it provides a separate Media Access Control (MAC) address domain and broadcast domain per ESI. A separate MAC address domain is provided by using a separate MAC forwarding table (e.g., Forwarding Information Base (FIB), also known as filtering database [802.1D]) per ESI (for both VPLS and IEEE 802.1ad networks). A separate broadcast domain is provided by using a full mesh of pseudowires per ESI over the IP/MPLS core in a VPLS network and/or a dedicated Service VLAN per ESI in an IEEE 802.1ad network.
3. VPLS-Capable PE Model with Bridge Module

[RFC4664] defines three models for VPLS-capable PE (VPLS-PE), based on the bridging functionality that needs to be supported by the PE. If the CE devices can be routers/hosts or IEEE bridges, the second model from [RFC4664] is the most suitable, and it is both adequate to provide the VPLS level of service and consistent with the IEEE standards for Provider Bridges [802.1ad]. We briefly describe the second model and then expand upon this model to show its sub-components based on the [802.1ad] Provider Bridge model.
As described in [RFC4664], the second model for VPLS-PE contains a single bridge module supporting all the VPLS instances on that PE, where each VPLS instance is represented by a unique VLAN inside that bridge module (also known as a Service VLAN or S-VLAN). The bridge module has a single "Emulated LAN" interface over which it communicates with all VPLS forwarders, and each VPLS instance is represented by a unique S-VLAN tag. Each VPLS instance can consist of a set of pseudowires, and its associated forwarder can correspond to a single VLAN as depicted in Figure 1 below. Thus, it is sometimes referred to as VLAN emulation.
+----------------------------------------+
|          VPLS-Capable PE Model         |
|   +---------------+       +------+     |
|   |               |       |VPLS-1|------------
|   |               |======+|Fwdr  |------------ PWs
|   |   Bridge      --------|---   |------------
|   |               | SVID-1|+------+     |
|   |   Module      |       |    o        |
|   |               |       |    o        |
|   |  (802.1ad     |       |    o        |
|   |   bridge)     |       |    o        |
|   |               |       |    o        |
|   |               | SVID-n|+------+     |
|   |               --------|VPLS-n|-------------
|   |               |======+| Fwdr |------------- PWs
|   |               |   ^   |      |-------------
|   +---------------+   |   +------+     |
|                       |                |
+-----------------------|----------------+
                        |
           LAN emulation (multi-access) interface
Figure 1. VPLS-Capable PE Model
Customer frames associated with a given ESI carry the S-VLAN ID for that ESI over the LAN emulation interface. The S-VLAN ID is stripped before transmitting the frames over the set of pseudowires (PWs) associated with that VPLS instance (assuming raw mode PWs are used as specified in [RFC4448]).
The bridge module can itself consist of one or two sub-components, depending on the functionality that it needs to perform. Figure 2 depicts the model for the bridge module based on [802.1ad].
              +-------------------------------+
              |  802.1ad Bridge Module Model  |
              |                               |
+---+   AC    |  +------+     +-----------+   |
|CE |---------|--|C-VLAN|-----|           |   |
+---+         |  |bridge|-----|           |   |
              |  +------+     |           |   |
              |      o        |  S-VLAN   |   |
              |      o        |           |   |---> to VPLS Fwdr
              |      o        |  Bridge   |   |
+---+   AC    |  +------+     |           |   |
|CE |---------|--|C-VLAN|-----|           |   |
+---+         |  |bridge|-----|           |   |
              |  +------+     |           |   |
+---+   AC    |               |           |   |
|CE |---------|---------------|           |   |
+---+         |               +-----------+   |
              +-------------------------------+
Figure 2. Model of the 802.1ad Bridge Module
The S-VLAN bridge component is always required and it is responsible for tagging customer frames with S-VLAN tags in the ingress direction (from customer UNIs) and removing S-VLAN tags in the egress direction (toward customer UNIs). It is also responsible for running the provider's bridge protocol -- such as Rapid Spanning Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP), Generic VLAN Registration Protocol (GVRP), GARP Multicast Registration Protocol (GMRP), etc. -- among provider bridges within a single administrative domain.
The customer VLAN (C-VLAN) bridge component is required when the customer Attachment Circuits are VLANs (aka C-VLANs). In such cases, the VPLS-capable PE needs to participate in some of the customer's bridging protocols, such as RSTP and MSTP. Such participation is required because a C-VLAN at one site can be mapped into a different C-VLAN at a different site or, in the case of asymmetric mapping, a customer Ethernet port at one site can be mapped into a C-VLAN (or group of C-VLANs) at a different site.
The C-VLAN bridge component does service selection and identification based on C-VLAN tags. Each frame from the customer device is assigned to a C-VLAN and presented at one or more internal port-based interfaces, each supporting a single service instance that the customer desires to carry that C-VLAN. Similarly, frames from the provider network are assigned to an internal interface or 'LAN' (e.g., between C-VLAN and S-VLAN components) on the basis of the S-VLAN tag. Since each internal interface supports a single service instance, the S-VLAN tag can be, and is, removed at this interface by the S-VLAN bridge component. If multiple C-VLANs are supported by this service instance (e.g., via VLAN bundling or port-based service), then the frames will have already been tagged with C-VLAN tags. If a single C-VLAN is supported by this service instance (e.g., VLAN-based), then the frames will not have been tagged with a C-VLAN tag since the C-VLAN can be derived from the S-VLAN (e.g., one-to-one mapping). The C-VLAN-aware bridge component applies a port VLAN ID (PVID) to untagged frames received on each internal 'LAN', allowing full control over the delivery of frames for each C-VLAN through the Customer UNI Port.
4. Mandatory Issues

4.1. Service Mapping

Different Ethernet AC types can be associated with a single Ethernet Service Instance (ESI). For example, an ESI can be associated with only physical Ethernet ports, VLANs, or a combination of the two (e.g., one end of the service could be associated with physical Ethernet ports and the other end could be associated with VLANs). In [RFC4762], unqualified and qualified learning are used to refer to port-based and VLAN-based operation, respectively. [RFC4762] does not describe the possible mappings between different types of Ethernet ACs (e.g., 802.1D, 802.1Q, or 802.1ad frames). In general, the mapping of a customer port or VLAN to a given service instance is a local function performed by the local PE, and the service provisioning shall accommodate it. In other words, there is no reason to restrict and limit an ESI to have only port-based ACs or to have only VLAN-based ACs. [802.1ad] allows for each customer AC (either a physical port, a VLAN, or a group of VLANs) to be mapped independently to an ESI, which provides better service offerings to enterprise customers. For better and more flexible service offerings and for interoperability purposes between VPLS and 802.1ad networks, it is imperative that both networks offer the same capabilities in terms of customer ACs mapping to the customer service instance.
The following table lists possible mappings that can exist between customer ACs and their associated ESIs. As can be seen, there are several possible ways to perform such mappings. In the first scenario, it is assumed that an Ethernet physical port only carries untagged traffic and all traffic is mapped to the corresponding service instance or ESI. This is referred to as "port-based with untagged traffic". In the second scenario, it is assumed that an Ethernet physical port carries both tagged and untagged traffic and all that traffic is mapped to the corresponding service instance or ESI. This is referred to as "port-based with tagged and untagged traffic". In the third scenario, it is assumed that only a single VLAN is mapped to the corresponding service instance or ESI. This is referred to as "VLAN-based". Finally, in the fourth scenario, it is assumed that a group of VLANs from the Ethernet physical interface is mapped to the corresponding service instance or ESI. This is referred to as "VLAN bundling".
===================================================================
              Ethernet I/F & Associated Service Instance(s)
-------------------------------------------------------------------
                 Port-based   Port-based   VLAN-based   VLAN
                 untagged     tagged &                  bundling
                              untagged
-------------------------------------------------------------------
Port-based       Y            N            Y(Note-1)    N
untagged

Port-based       N            Y            Y(Note-2)    Y
tagged &
untagged

VLAN-based       Y(Note-1)    Y(Note-2)    Y            Y(Note-3)

VLAN             N            Y            Y(Note-3)    Y
Bundling
===================================================================
Note-1: In this asymmetric mapping scenario, it is assumed that the CE device with "VLAN-based" AC is capable of supporting [802.1Q] frame format.
Note-2: In this asymmetric mapping scenario, it is assumed that the CE device with "VLAN-based" AC can support the [802.1ad] frame format because it will receive Ethernet frames with two tags, where the outer tag is an S-VLAN and the inner tag is a C-VLAN received from the "port-based" AC. One application example for such a CE device is a Broadband Remote Access Server (BRAS) for DSL aggregation over a Metro Ethernet network.
Note-3: In this asymmetric mapping scenario, it is assumed that the CE device with "VLAN-based" AC can support the [802.1ad] frame format because it will receive Ethernet frames with two tags, where the outer tag is an S-VLAN and the inner tag is a C-VLAN received from "VLAN bundling" AC.
If a PE uses an S-VLAN tag for a given ESI (either by adding an S-VLAN tag to customer traffic or by replacing a C-VLAN tag with an S-VLAN tag), then the frame format and EtherType for the S-VLAN SHALL adhere to [802.1ad].
As mentioned before, the mapping function between the customer AC and its associated ESI is a local function; thus, when the AC is a single customer VLAN, it is possible to map different customer VLANs at different sites to a single ESI without coordination among those sites.
When a port-based mapping or a VLAN-bundling mapping is used, the PE may use an additional S-VLAN tag to mark the customer traffic received over that AC as belonging to a given ESI. If the PE uses the additional S-VLAN tag, then in the opposite direction the PE SHALL strip the S-VLAN tag before sending the customer frames over the same AC. However, when VLAN-mapping mode is used at an AC, the PE uses the S-VLAN tag locally, and the Ethernet interface is a UNI, then the tagged frames over this interface SHALL have a frame format based on [802.1Q]. In such a case, the PE SHALL translate the customer tag (C-VLAN) into the provider tag (S-VLAN) upon receiving a frame from the customer. In the opposite direction, the PE SHALL translate from the provider frame format (802.1ad) back to the customer frame format (802.1Q).
All the above asymmetric services can be supported via the PE model with the bridge module depicted in Figure 2 (based on [802.1ad]).
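The ingress and egress tag handling just described, as an added example that is not part of the RFC: a small Python model of one PE's local AC-to-ESI mapping (the port names, rules, S-VIDs and the sample frame are constructed), covering port-based, VLAN-based and VLAN-bundling ACs and the asymmetric port-based/VLAN-based case of Note-1. Frames whose C-VID is not mapped, or that carry another ESI's S-tag, are dropped rather than forwarded, which is the per-ESI isolation the bridge module is meant to preserve.

```python
import struct

ETH_P_8021Q = 0x8100   # C-VLAN tag TPID (802.1Q)
ETH_P_8021AD = 0x88A8  # S-VLAN tag TPID; the 802.1ad frame format required for S-tags

# Local AC -> ESI provisioning on one PE (constructed for this example).
# Each ESI is identified by its S-VID. Rule shape: (mode, accepted C-VIDs, S-VID).
#   "port-based":    every frame on the port, tagged or not -> one ESI
#   "vlan-based":    exactly one C-VID -> one ESI (C-tag translated to S-tag)
#   "vlan-bundling": a group of C-VIDs -> one ESI (S-tag pushed, C-tag kept)
AC_RULES = {
    "ge0": [("port-based", None, 100)],
    "ge1": [("vlan-based", {10}, 100), ("vlan-based", {30}, 300)],
    "ge2": [("vlan-bundling", {20, 21}, 200)],
}


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, [(tpid, vid), ...], rest).
    `rest` starts at the first EtherType that is not a VLAN tag."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while off + 4 <= len(frame):
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((tpid, tci & 0x0FFF))  # VID only; PCP/DEI are ignored here
        off += 4
    return dst, src, tags, frame[off:]


def build_frame(dst, src, tags, rest):
    out = bytearray(dst + src)
    for tpid, vid in tags:
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return bytes(out + rest)


def ingress(port, frame):
    """UNI -> S-VLAN side of the bridge module.
    Returns (svid, frame carrying the 802.1ad S-tag) or None to drop."""
    dst, src, tags, rest = parse_frame(frame)
    # Tagged frames on a UNI are expected in 802.1Q format; an S-tag sent by
    # the customer is not a C-VID and therefore never matches a VLAN rule.
    cvid = tags[0][1] if tags and tags[0][0] == ETH_P_8021Q else None
    for mode, cvids, svid in AC_RULES.get(port, []):
        if mode == "port-based":
            return svid, build_frame(dst, src, [(ETH_P_8021AD, svid)] + tags, rest)
        if cvid is None or cvid not in cvids:
            continue
        if mode == "vlan-based":
            # One C-VLAN <-> one ESI: replace the C-tag with the S-tag.
            return svid, build_frame(dst, src, [(ETH_P_8021AD, svid)] + tags[1:], rest)
        # vlan-bundling: push the S-tag and keep the C-tag; the remote site needs it.
        return svid, build_frame(dst, src, [(ETH_P_8021AD, svid)] + tags, rest)
    return None  # unmapped traffic belongs to no ESI; never fall into another one


def egress(port, svid, frame):
    """S-VLAN side -> UNI: reverse of ingress for one AC, or None when the
    frame does not belong to the ESI provisioned on that AC."""
    dst, src, tags, rest = parse_frame(frame)
    if not tags or tags[0] != (ETH_P_8021AD, svid):
        return None  # wrong or missing S-tag: do not leak across ESIs
    for mode, cvids, rule_svid in AC_RULES.get(port, []):
        if rule_svid != svid:
            continue
        if mode == "vlan-based":
            # Restore the C-VID mapped to this ESI at this site (it may differ per site).
            return build_frame(dst, src, [(ETH_P_8021Q, next(iter(cvids)))] + tags[1:], rest)
        if mode == "vlan-bundling" and (len(tags) < 2 or tags[1][1] not in cvids):
            return None  # inner C-VID is not part of this bundle
        return build_frame(dst, src, tags[1:], rest)  # strip S-tag, keep the rest
    return None


def forward(in_port, out_port, frame):
    """One frame through ingress on one AC and egress on another AC of the same PE."""
    hit = ingress(in_port, frame)
    return None if hit is None else egress(out_port, hit[0], hit[1])


# Constructed sample: C-VID 10 from the CE on ge1, IPv4 EtherType, dummy payload.
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
REST = b"\x08\x00" + b"\x00" * 20
SAMPLE_C10 = build_frame(DST, SRC, [(ETH_P_8021Q, 10)], REST)

if __name__ == "__main__":
    svid, sframe = ingress("ge1", SAMPLE_C10)
    print("ESI", svid, "S-VLAN side tags", parse_frame(sframe)[2])
    print("delivered on ge0 with tags", parse_frame(forward("ge1", "ge0", SAMPLE_C10))[2])
```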
4.2. CE Bridge Protocol Handling

When a VPLS-capable PE is connected to a CE bridge, then -- depending on the type of Attachment Circuit -- different protocol handling may be required by the bridge module of the PE. [802.1ad] states that when a PE is connected to a CE bridge, the service offered by the PE may appear to specific customer protocols running on the CE in one of four ways:
a) Transparent to the operation of the protocol among CEs of different sites using the service provided, appearing as an individual LAN without bridges;
b) Discarding frames, acting as a non-participating barrier to the operation of the protocol;
c) Peering, with a local protocol entity at the point of provider ingress and egress, participating in and terminating the operation of the protocol; or
d) Participation in individual instances of customer protocols.
All the above CE bridge protocol handling can be supported via the PE model with the bridge module depicted in Figure 2 (based on [802.1ad]). For example, when an Attachment Circuit is port-based, then the bridge module of the PE can operate transparently with respect to the CE's RSTPs or MSTPs (and thus no C-VLAN component is required for that customer UNI). However, when an Attachment Circuit is VLAN-based (either VLAN-based or VLAN bundling), then the bridge module of the PE needs to peer with the RSTPs or MSTPs running on the CE (and thus the C-VLAN bridge component is required). In other words, when the AC is VLAN-based, then protocol peering between CE and PE devices may be needed. There are also protocols that require peering but are independent from the type of Attachment Circuit. An example of such a protocol is the link aggregation protocol [802.1AX]; however, this is a media-dependent protocol as its name implies.
[802.1ad] reserves a block of 16 MAC addresses for the operation of C-VLAN and S-VLAN bridge components. Also, it shows which of these reserved MAC addresses are only for C-VLAN bridge components, which are only for S-VLAN bridge components, and which apply to both C-VLAN and S-VLAN components.
4.3. Partial Mesh of Pseudowires

A VPLS service depends on a full mesh of pseudowires, so a pseudowire failure reduces the underlying connectivity to a partial mesh, which can have adverse effects on the VPLS service. If the CE devices belonging to an ESI are routers running link state routing protocols that use LAN procedures over that ESI, then a partial mesh of PWs can result in "black holing" traffic among the selected set of routers. And if the CE devices belonging to an ESI are IEEE bridges, then a partial mesh of PWs can cause broadcast storms in the customer and provider networks. Furthermore, it can cause multiple copies of a single frame to be received by the CE and/or PE devices. Therefore, it is of paramount importance to be able to detect PW failure and to take corrective action to prevent the creation of a partial mesh of PWs.
VPLS服务依赖于完整的伪线网格,因此伪线故障会降低到部分网格的基础连接,这可能会对VPLS服务产生不利影响。如果属于ESI的CE设备是在该ESI上运行使用LAN过程的链路状态路由协议的路由器,则pw的部分网格可导致所选路由器集合之间的“黑洞”通信。如果属于ESI的CE设备是IEEE网桥,那么PWs的部分网格可能会在客户和提供商网络中引起广播风暴。此外,它可以导致CE和/或PE设备接收单个帧的多个副本。因此,能够检测PW故障并采取纠正措施以防止PWs部分网格的形成至关重要。
When the PE model depicted in Figure 2 is used, then [802.1ag] procedures could be used for detection of partial mesh of PWs. [802.1ag] defines a set of procedures for fault detection, verification, isolation, and notification per ESI.
The fault detection mechanism of [802.1ag] can be used to perform a connectivity check among PEs belonging to a given VPLS instance. It checks the integrity of a service instance end-to-end within an administrative domain, e.g., from one AC at one end of the network to another AC at the other end of the network. Therefore, its path coverage includes the bridge module within a PE and it is not limited to just PWs. Furthermore, [802.1ag] operates transparently over the full mesh of PWs for a given service instance since it operates at the Ethernet level (and not at the PW level). It should be noted that since a PW consists of two unidirectional Label Switched Paths (LSPs), one direction can fail independently of the other. Even in this case, the procedures of [802.1ag] can provide a consistent view of the full mesh to the participating PEs by relying on remote defect indication (RDI).
Another, less preferred, option is to define a procedure for detection of partial mesh; in this procedure, each PE keeps track of the status of its PW Endpoint Entities (EEs, e.g., VPLS forwarders) as well as the EEs reported by other PEs. Therefore, upon a PW failure, the PE that detects the failure not only takes notice locally but also notifies other PEs belonging to that service instance so that all the participant PEs have a consistent view of the PW mesh. Such a procedure is for the detection of partial mesh per service instance, and in turn it relies on an additional procedure for PW failure detection such as Bidirectional Forwarding Detection (BFD) or Virtual Circuit Connectivity Verification (VCCV). Given that there can be tens (or even hundreds) of thousands of PWs in a PE, there can be scalability issues with such fault detection/notification procedures.
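The two paragraphs above describe detection of a partial mesh: a PE notices a failure from missing CCMs, learns of a one-way LSP failure through RDI, and notifies the other PEs so that all of them hold the same view. The following Python model is an added example (not code from the RFC or from any VPLS implementation) that walks through exactly that sequence for a three-PE mesh with one unidirectional LSP failure. The class names, the `rx_ok`/`rdi_from` fields and the notification step are assumptions made for the example.

```python
"""Constructed model of partial-mesh detection for one VPLS instance.

Each PW is two unidirectional LSPs.  A PE notices a failure when CCMs from a
peer stop arriving; the peer that can still hear it learns of the one-way
failure through the RDI flag in the CCMs it receives, and every PE that sees a
PW down reports it to the others so that all PEs share one view of the mesh.
Class and field names are assumptions made for this example.
"""


class Mesh:
    """Full mesh of PWs between the given PEs; LSPs keyed (sender, receiver)."""

    def __init__(self, pes):
        self.pes = list(pes)
        self.lsp_up = {(a, b): True for a in pes for b in pes if a != b}

    def fail_lsp(self, sender, receiver):
        """Fail one direction only, leaving the reverse LSP intact."""
        self.lsp_up[(sender, receiver)] = False


class PEView:
    """What one PE knows: its own CCM observations plus peers' reports."""

    def __init__(self, name, mesh):
        self.name = name
        self.mesh = mesh
        peers = [p for p in mesh.pes if p != name]
        self.rx_ok = {p: True for p in peers}        # CCMs from p still arrive
        self.rdi_from = {p: False for p in peers}    # p flags it cannot hear us
        self.reported_down = set()                   # PWs other PEs declared down

    def run_ccm_round(self):
        """One CCM interval: a CCM from p arrives only if LSP (p, self) is up,
        and carries RDI if p is not receiving our CCMs, i.e. (self, p) is down."""
        for p in self.rx_ok:
            self.rx_ok[p] = self.mesh.lsp_up[(p, self.name)]
            if self.rx_ok[p]:
                self.rdi_from[p] = not self.mesh.lsp_up[(self.name, p)]

    def pw_up(self, p):
        return self.rx_ok[p] and not self.rdi_from[p]

    def local_failures(self):
        return {frozenset({self.name, p}) for p in self.rx_ok if not self.pw_up(p)}

    def mesh_status(self):
        """PWs this PE believes are down; an empty set means a full mesh."""
        return self.local_failures() | self.reported_down


def converge(views):
    """Every PE runs a CCM round, then notifies all other PEs of the PWs it
    sees down (the notification step of the procedure described above)."""
    for v in views.values():
        v.run_ccm_round()
    for v in views.values():
        for pw in v.local_failures():
            for other in views.values():
                if other is not v:
                    other.reported_down.add(pw)


def simulate(pes, failed_lsps=()):
    """Return each PE's view of the failed PWs after detection and notification."""
    mesh = Mesh(pes)
    for sender, receiver in failed_lsps:
        mesh.fail_lsp(sender, receiver)
    views = {n: PEView(n, mesh) for n in pes}
    converge(views)
    return {n: {tuple(sorted(pw)) for pw in v.mesh_status()} for n, v in views.items()}
```

With the LSP from PE1 to PE2 failed, PE2 sees the loss directly, PE1 sees it via RDI, and PE3, which has no local symptom, only learns of it through the notification; all three end with the same single failed PW in their view.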
VPLS follows a centralized model for multicast replication within an ESI. VPLS relies on ingress replication. The ingress PE replicates the multicast packet for each egress PE and sends it to the egress PE using a point-to-point PW over a unicast tunnel. VPLS operates on an overlay topology formed by the full mesh of pseudowires. Thus, depending on the underlying topology, the same datagram can be sent multiple times down the same physical link. VPLS currently does not offer any mechanisms to restrict the distribution of multicast or broadcast traffic of an ESI throughout the network, which causes an additional burden on the ingress PE through unnecessary packet replication. This in turn causes additional load on the MPLS core network and additional processing at the receiving PE where extraneous multicast packets are discarded.
One possible approach to delivering multicast more efficiently over a VPLS network is to include the use of IGMP snooping in order to send the packet only to the PEs that have receivers for that traffic, rather than to all the PEs in the VPLS instance. If the customer bridge or its network has dual-home connectivity, then -- for proper operation of IGMP snooping -- the PE must generate a "General Query" over that customer's UNIs upon receiving a customer topology change notification as described in [RFC4541]. A "General Query" by the PE results in the customer multicast MAC address(es) being properly registered at the PE when there are customer topology changes. It should be noted that IGMP snooping provides a solution for IP multicast packets and is not applicable to general multicast data.
Using IGMP snooping as described, the ingress PE can select a subset of PWs for packet replication, thus avoiding sending multicast packets to the egress PEs that don't need them. However, the replication is still performed by the ingress PE. In order to avoid replication at the ingress PE, one may want to use multicast distribution trees (MDTs) in the provider core network; however, this brings some potential pitfalls. If the MDT is used for all multicast traffic of a given customer, then this results in customer multicast and unicast traffic being forwarded on different PWs and even on a different physical topology within the provider network. This is a serious issue for customer bridges because customer Bridge Protocol Data Units (BPDUs), which are multicast data, can take a different path through the network than the unicast data. Situations might arise where either unicast or multicast connectivity is lost. If unicast connectivity is lost but multicast forwarding continues to work, the customer spanning tree would not take notice, which results in the loss of its unicast traffic. Similarly, if multicast connectivity is lost but unicast is working, then the customer spanning tree will activate the blocked port, which may result in a loop within the customer network. Therefore, the MDT cannot be used for both customer multicast control and data traffic. If it is used, it should only be limited to customer data traffic. However, there can be a potential issue even when it is used for customer data traffic since the MDT doesn't fit the PE model described in Figure 1 (it operates independently from the full mesh of PWs that correspond to an S-VLAN). It is also not clear how connectivity fault management (CFM) procedures (802.1ag) used for the ESI integrity check (e.g., per service instance) can be applied to check the integrity of the customer multicast traffic over the provider MDT. Because of these potential issues, the specific applications of the provider MDT to customer multicast traffic shall be documented and its limitations be clearly specified.
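The IGMP snooping behaviour described in the preceding paragraphs, as an added example that is not code from the RFC or from any PE implementation: a PE whose ports are UNIs (ACs) and PWs learns group membership from IGMP reports and replicates only toward ports with receivers; on a customer TCN it forgets what its UNIs told it and issues a General Query there, per [RFC4541], flooding the UNIs until receivers re-register. The class and method names, and the choice to keep PW-learned membership across a customer TCN, are assumptions made for this example.

```python
"""Constructed model of a VPLS PE doing IGMP snooping with ingress replication.

Ports are either Attachment Circuits (UNIs) or PWs to other PEs.  Membership
is learned from IGMP reports; a customer TCN makes the PE forget what its UNIs
told it and send a General Query there (RFC 4541 behaviour), flooding the UNIs
until receivers re-register.  Class and method names are assumptions.
"""
from collections import defaultdict


class SnoopingPE:
    def __init__(self, acs, pws):
        self.acs, self.pws = set(acs), set(pws)
        self.members = defaultdict(set)   # IP group -> ports with receivers
        self.query_pending = False        # General Query outstanding on the UNIs

    def snoop_report(self, group, port):
        """IGMP Membership Report seen on `port` (a UNI or a PW)."""
        self.members[group].add(port)

    def snoop_leave(self, group, port):
        self.members[group].discard(port)

    def on_topology_change(self, ac):
        """TCN from the CE on `ac`: receivers behind a dual-homed customer
        bridge may now be reachable over a different UNI, so drop UNI-learned
        membership (PW-learned state is untouched) and query every UNI."""
        for ports in self.members.values():
            ports.difference_update(self.acs)
        self.query_pending = True
        return {uni: "IGMP General Query" for uni in self.acs}

    def query_cycle_done(self):
        """Called once the query response interval has elapsed."""
        self.query_pending = False

    def fanout(self, group, ingress):
        """Ports the PE replicates a frame for `group` onto.  Applies only to
        IP multicast; other multicast is flooded like unknown unicast."""
        everything = (self.acs | self.pws) - {ingress}
        if group not in self.members:
            return everything               # never registered: flood
        chosen = set(self.members[group])
        if self.query_pending:
            chosen |= self.acs              # keep UNIs fed until they re-register
        return chosen - {ingress}
```

The PW membership set is what lets the ingress PE pick a subset of PWs for replication; the query-pending state is what keeps the customer's UNIs from being starved while the dual-homed bridge's receivers re-register after a topology change.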
A single CE or a customer network can be connected to a provider network using more than one User-Network Interface (UNI). Furthermore, a single CE or a customer network can be connected to more than one provider network. [RFC4665] provides some examples of such customer network connectivity; they are depicted in Figure 3 below. Such network topologies are designed to protect against the failure or removal of network components from the customer network, and it is assumed that the customer leverages the spanning tree protocol to protect against these cases. Therefore, in such scenarios, it is important to flush customer MAC addresses in the provider network upon the customer topology change in order to avoid black-holing of customer frames.
                   +-----------                      +---------------
                   |                                 |
   +------+     +------+             +------+     +------+
   |  CE  |-----|  PE  |             |  CE  |-----|  PE  |
   |device|     |device|             |device|     |device|  SP network
   +------+\    +------+             +------+\    +------+
     |      \      |                   |      \      |
     |Back   \     |                   |Back   \     +---------------
     |door    \    | SP network        |door    \    +---------------
     |link     \   |                   |link     \   |
   +------+     +------+             +------+     +------+
   |  CE  |     |  PE  |             |  CE  |     |  PE  |
   |device|-----|device|             |device|-----|device|  SP network
   +------+     +------+             +------+     +------+
                   |                                 |
                   +------------                     +---------------
          (a)                               (b)
Figure 3. Combination of Dual-Homing and Backdoor Links for CE Devices
The customer networks use their own instances of the spanning tree protocol to configure and partition their active topology so that the provider connectivity doesn't result in a data loop. Reconfiguration of a customer's active topology can result in the apparent movement of customer end stations from the point of view of the PEs. There are two methods for addressing this issue based on the provider bridge model depicted in Figure 1. In the first method, the Topology Change Notification (TCN) message received from the CE device is translated into one or more out-of-band "MAC Address Withdrawal" messages as specified in [RFC4762]. In the second method, the TCN message received from the CE device is translated into one or more in-band "Flush" messages per [p802.1Qbe]. The second method is recommended because of ease of interoperability between the bridge and LAN emulation modules of the PE.
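The TCN-to-flush translation described in this paragraph, as an added example (not code from [RFC4762], [p802.1Qbe] or any PE implementation): a PE learns customer MACs per VPLS instance on its ACs and PWs; on a customer TCN it forgets the MACs learned on its ACs and sends its peers a MAC Address Withdraw with an empty MAC list, which the [RFC4762] semantics interpret as "flush everything except what was learned from this PW". The class name, the message dictionary and the decision to flush only AC-learned entries on the TCN-receiving PE are assumptions made for the example; the in-band Flush of method 2 would carry the same request.

```python
"""Constructed model of translating a customer TCN into MAC withdrawal.

Not RFC 4762's or 802.1Qbe's own code; the class, the message format and the
local flush policy are assumptions for this example.
"""


class VplsPE:
    def __init__(self, name, acs, pws):
        self.name, self.acs, self.pws = name, set(acs), set(pws)
        self.fdb = {}        # customer MAC -> port (AC or PW) it was learned on
        self.sent = []       # (pw, message) pairs sent toward peer PEs

    def learn(self, mac, port):
        """Source-MAC learning for this VPLS instance."""
        self.fdb[mac] = port

    def lookup(self, mac, ingress):
        """Egress ports for a frame to `mac`; unknown unicast is flooded."""
        port = self.fdb.get(mac)
        if port is None:
            return (self.acs | self.pws) - {ingress}
        return {port} - {ingress}

    def on_customer_tcn(self, ac):
        """TCN from the CE on `ac`: customer end stations may now sit behind a
        different UNI, so forget AC-learned MACs locally and ask every peer PE
        to forget what it learned from the PW to us (method 1: out-of-band
        MAC Address Withdraw with an empty MAC list, per RFC 4762)."""
        self.fdb = {m: p for m, p in self.fdb.items() if p not in self.acs}
        for pw in self.pws:
            self.sent.append((pw, {"type": "MAC-Withdraw", "macs": []}))
        return len(self.sent)

    def on_mac_withdraw(self, pw, msg):
        """Withdraw received over `pw`.  An explicit list removes just those
        MACs; an empty list removes every MAC except those learned on `pw`."""
        if msg["macs"]:
            for m in msg["macs"]:
                self.fdb.pop(m, None)
        else:
            self.fdb = {m: p for m, p in self.fdb.items() if p == pw}
```

After the flush the affected MAC falls back to flooding on both PEs, so frames reach the end station over its new UNI and are relearned there instead of being black-holed toward the old one.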
[RFC4762] talks about dual-homing of a given Multi-Tenant Unit switch (MTU-s) to two PEs over a provider MPLS access network to provide protection against link and node failure. For example, in case the primary PE fails or the connection to it fails, then the MTU-s uses the backup PWs to reroute the traffic to the backup PE. Furthermore, it discusses the provision of redundancy when a provider Ethernet access network is used and how any arbitrary access network topology (not just hub-and-spoke) can be supported using the provider's MSTP protocol. It also discusses how the provider MSTP for a given access network can be confined to that access network and operate independently from MSTP protocols running in other access networks.
In both types of redundancy mechanism (Ethernet and MPLS access networks), only one PE is active for a given VPLS instance at any time. In the case of an Ethernet access network, core-facing PWs (for a VPLS instance) at the PE are blocked by the MSTP; whereas, in the case of an MPLS access network, the access-facing PW is blocked at the MTU-s for a given VPLS instance.
   ------------------------+    Provider      +-----------------------
                           .      Core        .
                  +------+ .                  . +------+
                  |  PE  |======================|  PE  |
   Provider       |  (P) |---------\    /-------|  (P) |   Provider
   Access         +------+ .        \  /      . +------+   Access
   Network                 .         \/       .            Network
     (1)          +------+ .         /\       . +------+     (2)
                  |  PE  |----------/  \--------|  PE  |
                  |  (B) |----------------------|  (B) |
                  +------+ .                  . +------+
                           .                  .
   ------------------------+                  +-----------------------
Figure 4. Bridge Module Model
Figure 4 shows two provider access networks, each with two PEs that are connected via a full mesh of PWs for a given VPLS instance. As shown in the figure, only one PE in each access network serves as the primary PE (P) for that VPLS instance and the other PE serves as the backup PE (B). In this figure, each primary PE has two active PWs originating from it. Therefore, when a multicast, broadcast, or unknown unicast frame arrives at the primary PE from the access network side, the PE replicates the frame over both PWs in the core even though it only needs to send the frame over a single PW (shown with "==" in Figure 4) to the primary PE on the other side. This is an unnecessary replication of the customer frames and consumes core-network bandwidth (half of the frames get discarded at the receiving PE). This issue is aggravated when there are more than two PEs per provider access network -- e.g., if there are three PEs or four PEs per access network, then 67% or 75%, respectively, of the core-network bandwidth used for multicast, broadcast, and unknown unicast is wasted.
Therefore, it is recommended to have a protocol among PEs that can disseminate the status of PWs (active or blocked) among themselves. Furthermore, it is recommended to have the protocol tied to the redundancy mechanism such that (per VPLS instance) the status of the active/backup PE gets reflected on the corresponding PWs emanating from that PE.
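The replication problem of Figure 4 and the recommended fix, as an added example (not code from the RFC or from any VPLS implementation): the PWs between the access networks are modelled as a full mesh, the per-instance primary/backup role of each PE is turned into an active/blocked status for every PW it terminates (the status the recommended protocol would disseminate), and the ingress PE's replication set is computed with and without that status. The example generalizes the 67%/75% figures of the text to n PEs per access network as (n-1)/n. The function names and the rule that a PW is active only when both endpoints are primary are assumptions made for the example.

```python
"""Constructed model of BUM replication under the VPLS redundancy mechanism.

Not the RFC's own code.  Function names and the status rule are assumptions.
"""


def core_pws(access_networks):
    """Full mesh of PWs between PEs of different access networks (the core
    PWs of Figure 4); intra-access-network connectivity is out of scope here."""
    nets = list(access_networks.values())
    pws = set()
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            for a in nets[i]:
                for b in nets[j]:
                    pws.add(frozenset({a, b}))
    return pws


def pw_status(pws, role):
    """Status disseminated among PEs for one VPLS instance: a PW is active
    only when both endpoints are the primary ("P") PE of their access network,
    i.e. the active/backup role is reflected onto the PWs leaving the PE."""
    return {pw: "active" if all(role[p] == "P" for p in pw) else "blocked"
            for pw in pws}


def replication_targets(ingress, pws, status=None):
    """PWs the ingress PE replicates a BUM frame onto.  Without disseminated
    status it uses every PW it terminates; with status, only the active ones."""
    mine = {pw for pw in pws if ingress in pw}
    if status is None:
        return mine
    return {pw for pw in mine if status[pw] == "active"}


def wasted_fraction(pes_per_access_network):
    """Share of core bandwidth wasted on BUM traffic when the ingress PE
    replicates to all n PEs of the far access network but only the primary
    needs the frame: (n - 1) / n, i.e. 1/2, 2/3, 3/4 for n = 2, 3, 4."""
    n = pes_per_access_network
    return (n - 1) / n
```

The difference between the two `replication_targets` results is exactly the copy that the backup PE on the other side would discard; the status map is what the recommended inter-PE protocol has to convey.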
The above discussion was centered on the inefficiency of packet replication over MPLS core networks in the current VPLS redundancy mechanisms. Another important issue to consider is the interaction between customer and service provider redundancy mechanisms, especially when customer devices are IEEE bridges. If CEs are IEEE bridges, then they can run RSTPs or MSTPs. RSTP convergence and detection time is much faster than that of its predecessor (IEEE 802.1D STP, which is obsolete). Therefore, if the provider network offers a VPLS redundancy mechanism, then it should provide transparency to the customer's network during a failure within its network, e.g., the failure detection and recovery time within the service provider network should be less than that in the customer network. If this is not the case, then a failure within the provider network can result in an unnecessary switch-over and temporary flooding/loop within the customer's dual-homed network.
When customer devices are routers, servers, or hosts, then the number of MAC addresses per customer site is very limited (most often one MAC address per CE). However, when CEs are bridges, then there can be many customer MAC addresses (e.g., hundreds of MAC addresses) associated with each CE.
[802.1ad] has devised a mechanism to alleviate MAC address learning within provider Ethernet networks that can equally be applied to VPLS networks. This mechanism calls for disabling MAC address learning for an S-VLAN (or a service instance) within a provider bridge (or PE) when there is only one ingress and one egress port associated with that service instance on that PE. In such cases, there is no need to learn customer MAC addresses on that PE since the path through that PE for that service instance is fixed. For example, if a service instance is associated with four CEs at four different sites, then the maximum number of provider bridges (or PEs) that need to participate in that customer MAC address learning is only three, regardless of how many PEs are in the path of that service instance. This mechanism can reduce the number of MAC addresses learned in a hierarchical VPLS (H-VPLS) with QinQ access configuration.
If the provider access network is of type Ethernet (e.g., IEEE 802.1ad-based network), then the MSTP can be used to partition the access network into several loop-free spanning tree topologies where Ethernet service instances (S-VLANs) are distributed among these tree topologies. Furthermore, GVRP can be used to limit the scope of each service instance to a subset of its associated tree topology (thus limiting the scope of customer MAC address learning to that sub-tree). Finally, the MAC address disabling mechanism (described above) can be applied to that sub-tree to further limit the number of nodes (PEs) on that sub-tree that need to learn customer MAC addresses for that service instance.
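The three steps above (a loop-free tree from MSTP, a service-instance sub-tree confined by GVRP, and the [802.1ad] learning-disable rule on that sub-tree), as an added example that is not code from the RFC or from any bridge implementation: the sub-tree of an S-VLAN is computed as the union of the tree paths between its CE attachment points, and each PE on it needs to learn customer MACs only if it has more than one ingress/egress port pair there (degree three or more). The topology, the function names and the degree-based test are constructed for this example.

```python
"""Constructed example of the [802.1ad] learning-disable rule applied to the
sub-tree carrying one service instance: a PE with exactly one ingress and one
egress port for that instance (degree 2 in the sub-tree) need not learn
customer MACs; only branching PEs do.  Topology and names are constructed.
"""
from collections import defaultdict


def service_edges(adj, terminals):
    """Edges of the tree used by the service instance: the union of the paths
    between every pair of CE attachment points (what GVRP would confine the
    S-VLAN to).  `adj` is the loop-free (MSTP) tree as an adjacency map."""
    used = set()
    for i, start in enumerate(terminals):
        parent = {start: None}
        queue = [start]
        for u in queue:                      # BFS on a tree: paths are unique
            for v in adj[u]:
                if v not in parent:
                    parent[v] = u
                    queue.append(v)
        for target in terminals[i + 1:]:
            v = target
            while parent[v] is not None:
                used.add(frozenset({v, parent[v]}))
                v = parent[v]
    return used


def learning_plan(links, ces):
    """Map each PE on the service sub-tree to True if it must learn customer
    MACs for this instance, False if learning can be disabled there."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    degree = defaultdict(int)
    for edge in service_edges(adj, list(ces)):
        for node in edge:
            degree[node] += 1
    return {node: deg >= 3 for node, deg in degree.items() if node not in ces}
```

In the constructed chain PE1 to PE5 with CEs on PE1, PE2, PE4 and PE5, only the two branching PEs (PE2 and PE4) keep learning; PE6, hanging off PE3 with no CE of this instance, is outside the sub-tree and never sees the S-VLAN at all.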
Furthermore, [802.1ah] provides the capability of encapsulating customers' MAC addresses within the provider MAC header. An MTU-s capable of this functionality can significantly reduce the number of MAC addresses learned within the provider network for H-VPLS with QinQ access, as well as H-VPLS with MPLS access.
[RFC4762] discusses H-VPLS provider-network topologies with both Ethernet [802.1ad] and MPLS access networks. Therefore, it is important to ensure seamless interoperability between these two types of networks.
Provider bridges as specified in [802.1ad] are intended to operate seamlessly with customer bridges and provide the required services. Therefore, if a PE is modeled based on Figures 1 and 2, which include an [802.1ad] bridge module, then it should operate seamlessly with Provider Bridges, given that the issues discussed in this document have been taken into account.
The authors would like to thank Norm Finn and Samer Salam for their comments and valuable feedback.
In addition to the security issues described in [RFC4762], the following considerations apply:
- When a CE that is a customer bridge is connected to the VPLS network, it may be desirable to secure the end-to-end communication between the customer bridge nodes across the VPLS network. This can be accomplished by running [802.1AE] MAC security between the C-VLAN components of the customer bridges. In this case, the VPLS PEs must ensure transparent delivery of the encryption/security protocol datagrams using the Bridge Group Address [802.1ad].
- When a CE that is a customer bridge is connected to the VPLS network, it may be desirable to secure the communication between the customer bridge and its directly connected PE. If the PE is modeled to include a [802.1ad] bridge module, then this can be achieved by running MAC security between the customer bridge and the S-VLAN component of the VPLS PE as described in Section 7.7.2 of [802.1AX].
- When an 802.1ad network is connected to a VPLS network, it is possible to secure the NNI between the two networks using the procedures of [802.1AE] and [802.1AX] between the S-VLAN components of the Provider Edge Bridge and the attached VPLS PE, as long as the PE is modeled to include an [802.1ad] bridge module.
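Two passages of this document decide the fate of frames sent to the Bridge Group Address at the PE: the bridge-module discussion earlier (the S-VLAN component of a port-based AC passes the CE's RSTP/MSTP BPDUs transparently, while a VLAN-based AC has a C-VLAN component that peers with them), and the first consideration above (frames protected by [802.1AE] MAC security between customer C-VLAN components must be delivered transparently). The following frame classifier is an added example, not code from the RFC or from any bridge implementation; it parses the S-tag/C-tag stack and applies those two rules. The EtherType constants (0x8100 C-TAG, 0x88A8 S-TAG, 0x88E5 MACsec SecTAG) and the Bridge Group Address 01-80-C2-00-00-00 are standard values; the `ac_type` policy names, the returned verdict strings and the sample frames are assumptions constructed for the example.

```python
"""Constructed frame classifier for the PE bridge module on an Attachment
Circuit.  Example code, not from the RFC or any bridge implementation; the
verdict strings and ac_type policy names are assumptions.
"""
import struct

BRIDGE_GROUP_ADDR = bytes.fromhex("0180c2000000")   # 802.1D/802.1Q Bridge Group Address
ETH_CTAG, ETH_STAG, ETH_MACSEC = 0x8100, 0x88A8, 0x88E5


def build_frame(dst, src, type_or_len, payload=b"", stag=None, ctag=None):
    """Assemble an Ethernet frame with an optional S-tag and/or C-tag (VID only,
    PCP/DEI zero).  Used here only to construct sample input."""
    hdr = dst + src
    if stag is not None:
        hdr += struct.pack("!HH", ETH_STAG, stag)
    if ctag is not None:
        hdr += struct.pack("!HH", ETH_CTAG, ctag)
    return hdr + struct.pack("!H", type_or_len) + payload


def parse(frame):
    """Split a frame into addresses, the tag stack (as (TPID, VID) pairs) and
    the first non-tag Type/Length field."""
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        type_or_len = struct.unpack("!H", frame[off:off + 2])[0]
        if type_or_len not in (ETH_CTAG, ETH_STAG):
            break
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((type_or_len, tci & 0x0FFF))          # VID is the low 12 bits
        off += 4
    return {"dst": dst, "src": src, "tags": tags,
            "type_or_len": type_or_len, "payload": frame[off + 2:]}


def classify(frame, ac_type):
    """ac_type is "port" (S-VLAN component only) or "vlan" (C-VLAN component
    present).  Returns "transparent" when the PE must relay the frame untouched,
    "peer" when the PE's own protocol entity consumes it, "forward" otherwise."""
    f = parse(frame)
    if f["type_or_len"] == ETH_MACSEC:
        # MACsec between customer C-VLAN components: opaque to the PE, deliver as is
        return "transparent"
    if f["dst"] == BRIDGE_GROUP_ADDR:
        # CE BPDUs: a C-VLAN component peers with the CE's RSTP/MSTP,
        # an S-VLAN component alone treats them as customer data
        return "peer" if ac_type == "vlan" else "transparent"
    return "forward"
```

Note that the MACsec check comes first: once the customer's C-VLAN components encrypt their BPDUs, the PE can no longer read them and must not attempt to peer, which is the delivery guarantee the first consideration above calls for.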
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4762] Lasserre, M., Ed., and V. Kompella, Ed., "Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling", RFC 4762, January 2007.
[802.1ad] IEEE 802.1ad-2005, "Amendment to IEEE 802.1Q-2005. IEEE Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area Networks Revision-Amendment 4: Provider Bridges".
[802.1AE] IEEE 802.1AE-2006, "IEEE Standard for Local and Metropolitan Area Networks - Media Access Control (MAC) Security".
[802.1ag] IEEE 802.1ag-2007, "IEEE Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management".
[802.1ah] IEEE 802.1ah-2008, "IEEE Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area Networks Amendment 7: Provider Backbone Bridges".
[802.1AX] IEEE 802.1AX-2008, "IEEE Standard for Local and Metropolitan Area Networks - Link Aggregation".
[IPLS] Shah, H., Rosen, E., Le Faucheur, F., and G. Heron, "IP-Only LAN Service (IPLS)", Work in Progress, February 2010.
[RFC4448] Martini, L., Ed., Rosen, E., El-Aawar, N., and G. Heron, "Encapsulation Methods for Transport of Ethernet over MPLS Networks", RFC 4448, April 2006.
[RFC4541] Christensen, M., Kimball, K., and F. Solensky, "Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches", RFC 4541, May 2006.
[RFC4664] Andersson, L., Ed., and E. Rosen, Ed., "Framework for Layer 2 Virtual Private Networks (L2VPNs)", RFC 4664, September 2006.
[RFC4665] Augustyn, W., Ed., and Y. Serbest, Ed., "Service Requirements for Layer 2 Provider-Provisioned Virtual Private Networks", RFC 4665, September 2006.
[RFC6136] Sajassi, A., Ed., and D. Mohan, Ed., "Layer 2 Virtual Private Network (L2VPN) Operations, Administration, and Maintenance (OAM) Requirements and Framework", RFC 6136, March 2011.
[802.1D] IEEE 802.1D-2004, "IEEE Standard for Local and Metropolitan Area Networks - Media access control (MAC) Bridges (Incorporates IEEE 802.1t-2001 and IEEE 802.1w)".
[802.1Q] IEEE Std. 802.1Q-2003, "Virtual Bridged Local Area Networks".
[p802.1Qbe] IEEE Draft Standard P802.1Qbe, "IEEE Draft Standard for Local and Metropolitan Area Networks -- Virtual Bridged Local Area Networks Amendment: Multiple I-SID Registration Protocol".
Authors' Addresses
Ali Sajassi (editor)
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134
EMail: sajassi@cisco.com

Frank Brockners
Cisco Systems, Inc.
Hansaallee 249
40549 Duesseldorf
Germany
EMail: fbrockne@cisco.com

Dinesh Mohan (editor)
Nortel
Ottawa, ON K2K3E5
EMail: dinmohan@hotmail.com

Yetik Serbest
AT&T Labs
9505 Arboretum Blvd.
Austin, TX 78759
EMail: yetik_serbest@labs.att.com