A Virtual Private Network (VPN) is a network design that provides a logically isolated connection for devices through an unsecured or public network, such as the Internet. Typically the information sent over the VPN is encrypted, resulting in a “virtual network” that is private and allows users to share confidential information over the unsecured network. For example, a company with offices in different cities can create a VPN within the Internet to merge the devices in each office into one private virtual network. The offices can then share corporate and confidential information via the secure VPN.
Simple Network Management Protocol (SNMP) messages are used to obtain performance and configuration information for routers 102, 104, 106. Because the service provider operating in provider network 100 does not have SNMP access to customer edge routers 112, 114, provider edge routers 104, 106 must be queried in order to learn whether one or both edge routers 104, 106 connect to one or more VPNs. Affirmative messages generated in response to each query include information about each VPN, and these messages are returned to the device that initiated the query. VPN 120 is discovered when routers 104 and 106 are queried.
The need to query each device increases the burden placed on network devices because each query must be processed by each device and a response formulated and transmitted from each device. Moreover, the amount of time needed to send and receive queries increases as the number of devices in a network increase. For example, a network with a thousand routers results in at least one thousand queries and at least one thousand responses. And since devices are polled periodically, such as every five minutes, any activity that occurs between polling periods may be invisible to the operator. Consequently, topology information cannot be tracked in real time, which results in network management systems containing stale topology information.
In accordance with the invention, a method and system for discovering and updating VPN topologies in near real-time are provided. Each provider edge router in a provider network connected to one or more VPNs is identified. Each identified provider edge router is then queried to obtain VPN configuration and VPN policy information for each VPN configured on that edge router. Routing protocol messages, such as, for example, Border Gateway Protocol/Multiprotocol Label Switching (BGP/MPLS) and Interior Gateway Protocol (IGP) messages, are then collected from the provider network. Using the discovered policies and topology information, VPN routing information carried in the routing protocol messages can be used to update VPN topology and status information in near real-time.
The following description is presented to enable embodiments of the invention to be made and used, and is provided in the context of a patent application and its requirements. Various modifications to the disclosed embodiments in accordance with the invention will be readily apparent, and the generic principles herein may be applied to other embodiments. Thus, the invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the appended claims and with the principles and features described herein.
With reference to the figures and in particular with reference to
P routers 202, 204 and PE routers 206, 208 support VPN SNMP MIBS in an embodiment in accordance with the invention. A MIB is a Management Information Base that can be queried to identify which routers are provider routers and provider edge routers along with any VPN configuration and policy. This information is used to begin a topology map and to filter routing announcements based on router policy.
VPN 224 is created using the Border Gateway Protocol/Multiprotocol Label Switching (BGP/MPLS) VPN standard described in RFC 2547bis in an embodiment in accordance with the invention. BGP/MPLS transmits VPN routing information via extensions to the BGP protocol. Multi-protocol BGP is used to exchange external routing information in the embodiment of
P routers 202, 204 in network 200 are provider owned BGP speaking routers that do not serve as an entrance or exit point for a VPN. PE routers 206, 208 are provider owned BGP speaking routers that serve as either entrance, exit, or both an entrance and an exit for a VPN. Router 214 in customer site 212 and router 220 in customer site 218 are customer owned routers that serve as an entrance, exit, or both an entrance and an exit point to customer sites 212, 218, respectively.
As discussed earlier, routers 202, 204, 206, 208 are BGP peers in network 200. Thus, each router 202, 204, 206, 208 receives routing messages from the other routers. Network monitoring unit 210 discovers and monitors in near real-time the VPN topology of network 200 in an embodiment in accordance with the invention. Network monitoring unit 210 is implemented as a computer or server in an embodiment in accordance with the invention. In other embodiments in accordance with the invention, network monitoring unit is implemented as a purpose-built hardware, such as, for example, an application specific integrated circuit, a field programmable gate array, network processors, or some combination of these devices.
Network monitoring unit 210 maintains a near real-time view of network 200 and the VLANS it supports by establishing peering sessions with routers 202, 204, 206, 208, to receive the advertised routing information. By peering with routers 202, 204, 206, 208, network monitoring unit 210 is provided with the complete VPN information to construct and update a topology database or map using the advertised routing information messages. Because routing updates occur as changes happen, the topology database or map constructed by network monitoring unit 210 provides a near real-time representation of the network state and operational VPN paths.
In other embodiments in accordance with the invention, the VPN topology of network 200 can be determined and monitored using other techniques. One such technique includes peering with a route reflector as described in more detail in conjunction with
Next, at block 302, the P and PE routers are identified. Techniques for identifying the P and PE routers are described in more detail in conjunction with
mplsVpnVrfName
mplsVpnVrfDescription
mplsVpnVrfRouteDistinguisher
mplsVpnVrfOperStatus
mplsVpnVrfActivelnterfaces
mplsVpnVrfAssociatedlnterfaces
These MIBs identify which VPNs are carried by which PE routers.
After one or more VPNs are identified, the routes in each VPN and the routing policy for each VPN are identified (block 306). Each route advertised in a VPN includes a route target field identifying the route target value associated with the VPN. The routing policy is obtained by querying each PE router with the “MplsVpnVrfRouteTargetType” SNMP query in an embodiment in accordance with the invention. A routing table, topology map, or topology database is then created for each VPN at block 308 in an embodiment in accordance with the invention.
Referring to
Referring to
If there are no routers in the same AS peering with the BGP seed router, the process ends. If there are one or more routers in the same AS peering with the BGP router, the routers are identified at block 504. The BGP MIB for an identified router in the same AS is then queried (block 506) and a determination made as to which routers are peering with the identified router (block 508). If other routers in the same AS are peering with the identified router the process returns to block 504 and repeats until the peering routers are identified.
Once all of the peering routers are identified, a determination is made at block 510 as to whether there is another identified router in the same AS that has not been queried. If so, the method returns to block 506 and repeats until all of the peering routers in the same AS are known. Next, at block 512, the BGP routers in the same AS are determined by comparing the AS numbers for all of the identified BGP routers. Routers with the same AS number are in the same autonomous system, and the P and PE routers are contained in the AS in an embodiment in accordance with the invention.
A determination is then made at block 602 as to whether there are any configured VPNs carried by the queried router. If there are one or more VPNs, the router is then identified as a PE router (block 604) and each configured VPN carried by the PE router identified (block 606). The VPNs are identified using the mplsVpnVrfTable in an embodiment in accordance with the invention. A determination is then made at block 608 as to whether there are any more BGP routers to be queried. If so, the method returns to block 600 and repeats until there are no more BGP routers to be queried.
The topology information obtained in blocks 602 and 604 includes the name and description of each VPN carried by a PE router and a route distinguisher for each particular VPN. The number of interfaces and the status of the interfaces (i.e., operational or non-operational) for each VPN are also obtained. The route distinguisher is used later when identifying the routes associated with each VPN (see block 306 in
Referring to
Referring to
Route reflector 902 selects the best route to customer site 212 and advertises the selected route to routers 204, 206, 208 unless the selected route originated from one of these routers. Consequently, network monitoring unit 210 only has knowledge of one of the available routes to customer site 212 at a time because only the best route selected by the route reflector will be advertised to the network monitoring unit 210. The topology information discovered using the embodiments of
For example, if route 904 is selected by route reflector 902 as the best route, routers 204, 208 include only route 904 in their routing tables, while router 206 would include both routes 904, 906 in its routing table. Route reflector 902 includes both routes 904, 906 in its routing table but will only advertise route 904. Using the method of