CN108011759A - VPN management method, apparatus and system - Google Patents


Info

Publication number: CN108011759A
Authority: CN (China)
Prior art keywords: equipment, vpn, target, management device, centralized management
Legal status: Granted (active)
Application number: CN201711267327.5A
Other languages: Chinese (zh)
Other versions: CN108011759B (en)
Inventors: 黄庆新, 林镜华
Current assignee: Ruijie Networks Co Ltd
Original assignee: Ruijie Networks Co Ltd

Legal events:
Application filed by Ruijie Networks Co Ltd
Priority to CN201711267327.5A
Publication of CN108011759A
Application granted
Publication of CN108011759B

Classifications

    • H04L 12/46 Interconnection of networks (under H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN; H04L 12/00 Data switching networks; H04L Transmission of digital information; H04 Electric communication technique; H Electricity)
        • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
        • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 41/08 Configuration management of networks or network elements (under H04L 41/00 Arrangements for maintenance, administration or management of data switching networks)
        • H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability (under H04L 41/0803 Configuration setting)
        • H04L 41/0896 Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities
    • H04L 43/0888 Throughput (under H04L 43/0876 Network utilisation, e.g. volume of load or congestion level; H04L 43/08 Monitoring or testing based on specific metrics; H04L 43/00 Arrangements for monitoring or testing data switching networks)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a VPN management method, apparatus and system in the field of communication technology that allow a VPN to be built quickly and its services to be managed more flexibly. The VPN management method is applied to the centralized management device of a VPN management system. The system further includes at least two CE devices, at least two PE devices and a P device: each PE device is connected to the P device, together forming the backbone network; each CE device is connected to one PE device; the bandwidth required by at least one VPN is pre-configured on the PE devices; and the CE devices have public network IP addresses. The method includes: the centralized management device receives a VPN build request; according to the VPN demand carried in the request, it determines from the CE devices the target CE devices that will form a first VPN; and it sends a tunnel build message to the target CE devices, so that tunnel communication is established between them and the first VPN is built.

Description

VPN management method, apparatus and system
Technical field
Embodiments of the present invention relate to the field of communication technology, and in particular to a Virtual Private Network (VPN) management method, apparatus and system.
Background technology
In the field of communication technology, Multi-Protocol Label Switching (MPLS) can be used to build a VPN over a backbone network (i.e. a public network), providing cross-region, secure, high-speed and reliable service communication.
Fig. 1 is a networking diagram of an MPLS L3 VPN (Layer 3 VPN) as commonly used today. The Customer Edge (CE) devices shown in Fig. 1 are the edge devices of the user network (i.e. the VPN) and may be hosts, routers or similar. The network formed by the Provider Edge (PE) devices and the Provider (P) device is the backbone network (i.e. the public network mentioned above). Both PE and P devices are routers that support MPLS; a PE may be connected to at least one CE, and at least one VPN can be built.
Taking VPN 1 in Fig. 1 as an example, building VPN 1 (which can also be understood as implementing or commissioning VPN 1) proceeds as follows. A port of PE device 1 is connected to CE device 1 and a port of PE device 2 is connected to CE device 2; then the P device and the PE devices (PE device 1 and PE device 2) in the backbone network are configured, and the CE devices in VPN 1 (CE device 1 and CE device 2) are configured. This includes, for example: the MPLS capability configuration of the P device, such as its Label Switching Router (LSR) identifier (ID) and its Label Distribution Protocol (LDP) configuration; the MPLS capability configuration of the PE devices, the VPN Routing and Forwarding table (VRF) configuration, the routing configuration between PE and CE devices and the routing configuration between PE devices; and the routing protocol configuration of the CE devices. With this, the user's VPN 1 accesses the backbone network and, based on the above configuration of each device, tunneling technology carries the communication between the user devices at the two ends of the backbone network within VPN 1.
However, because of the complexity of the backbone network, every time a new VPN is built several departments of the operator must carry out planning, verification, assessment and debugging, so building a VPN takes a long time. Moreover, service management of the VPN is performed by the devices in the backbone network, which makes that management inflexible.
Summary of the invention
Embodiments of the present invention provide a VPN management method, apparatus and system that can build a VPN quickly and manage VPN services more flexibly.
To achieve the above purpose, embodiments of the present invention adopt the following technical solutions:
In a first aspect, a VPN management method is provided, applied to the centralized management device of a VPN management system. The VPN management system may further include at least two CE devices, at least two PE devices and a P device: each PE device is connected to the P device, forming the backbone network; each CE device is connected to a corresponding PE device; the bandwidth required by at least one VPN is configured on the PE devices; and the CE devices have public network IP addresses. The method may include: receiving a VPN build request that carries a VPN demand; determining, according to the VPN demand, the target CE devices that will form a first VPN from among the at least two CE devices; and sending a tunnel build message to the target CE devices according to the VPN demand, so that tunnel communication is established between the target CE devices and the first VPN is built.
In a second aspect, a VPN management method is provided, applied to a target CE device that forms a first VPN, among the at least two CE devices of a VPN management system. The system may further include a centralized management device, at least two PE devices and a P device, with the same topology, pre-configured bandwidth and public network IP addresses as described in the first aspect. The method may include: a first CE device, being one of the target CE devices, receives the tunnel build message sent by the centralized management device; and it establishes tunnel communication with the other target CE devices to build the first VPN.
In a third aspect, a VPN management apparatus is provided, applied to the centralized management device of a VPN management system whose topology, pre-configured bandwidth and public network IP addresses are as described in the first aspect. The VPN management apparatus includes a receiving module, a determining module and a sending module. The receiving module may be used to receive a VPN build request that carries a VPN demand; the determining module may be used to determine, according to the VPN demand, the target CE devices that will form a first VPN from among the at least two CE devices; and the sending module may be used to send a tunnel build message to the target CE devices according to the VPN demand, so that tunnel communication is established between the target CE devices and the first VPN is built.
In a fourth aspect, a VPN management apparatus is provided, applied to a target CE device that forms a first VPN, among the at least two CE devices of a VPN management system whose topology, pre-configured bandwidth and public network IP addresses are as described in the first aspect. The VPN management apparatus may include a receiving module and a building module. The receiving module may be used to receive the tunnel build message sent by the centralized management device; the building module may be used to establish tunnel communication with the other target CE devices to build the first VPN.
In a fifth aspect, a VPN management apparatus is provided, applied to the centralized management device of a VPN management system. The centralized management device may include a processor and a memory coupled to the processor. The memory may be used to store computer instructions. When the centralized management device runs, the processor executes the computer instructions stored in the memory, so that the centralized management device performs the VPN management method of the first aspect.
In a sixth aspect, a computer-readable storage medium is provided, including computer instructions which, when run on a centralized management device, cause the centralized management device to perform the VPN management method of the first aspect.
In a seventh aspect, a computer program product including computer instructions is provided which, when run on a centralized management device, causes the centralized management device to perform the VPN management method of the first aspect.
In an eighth aspect, a VPN management apparatus is provided, applied to a target CE device that forms a first VPN, among the at least two CE devices of a VPN management system. The target CE device hosting the VPN management apparatus may include a processor and a memory coupled to the processor. The memory may be used to store computer instructions. When the target CE device runs, the processor executes the computer instructions stored in the memory, so that the target CE device performs the VPN management method of the second aspect.
In a ninth aspect, a computer-readable storage medium is provided, including computer instructions which, when run on a CE device, cause the CE device to perform the VPN management method of the second aspect.
In a tenth aspect, a computer program product including computer instructions is provided which, when run on a CE device, causes the CE device to perform the VPN management method of the second aspect.
In an eleventh aspect, a VPN management system is provided, including a centralized management device, at least two CE devices, at least two PE devices and a P device. The centralized management device includes the VPN management apparatus of the third aspect, and the target CE devices used to build a first VPN among the at least two CE devices include the VPN management apparatus of the fourth aspect. Each PE device is connected to the P device, forming the backbone network; each CE device is connected to one PE device; the bandwidth required by at least one VPN is configured on the PE devices; and the CE devices have public network IP addresses.
In the VPN management system of these embodiments, the bandwidth required by at least one VPN is configured on the at least two PE devices of the backbone network, and the at least two CE devices attached to the backbone network have public network IP addresses for at least one VPN. Therefore, when a VPN is to be built, the centralized management device, on receiving a VPN build request, can determine from the CE devices the target CE devices that will form the first VPN according to the demand carried in the request, and send them a tunnel build message, so that tunnel communication is established between the target CE devices and the first VPN is built. Compared with the prior art, building a VPN no longer requires the long and complex building process described above, so a VPN can be built quickly.
Further, the centralized management device can send policy information to at least one target CE device to adjust the VPN policy, and can receive network traffic and link anomaly notification messages from at least one target CE device in order to monitor the VPN's network traffic and update routing configuration information; in this way the VPN's services can be managed more flexibly.
Brief description of the drawings
Fig. 1 is a first architecture diagram of a VPN management system provided in an embodiment of the present invention;
Fig. 2 is a hardware schematic of a server carrying an SDN controller provided in an embodiment of the present invention;
Fig. 3 is a hardware schematic of a router provided in an embodiment of the present invention;
Fig. 4 is a second architecture diagram of a VPN management system provided in an embodiment of the present invention;
Fig. 5 is a first schematic diagram of a VPN management method provided in an embodiment of the present invention;
Fig. 6 is a second schematic diagram of a VPN management method provided in an embodiment of the present invention;
Fig. 7 is a structural diagram of a VPN management apparatus provided in an embodiment of the present invention;
Fig. 8 is a structural diagram of another VPN management apparatus provided in an embodiment of the present invention.
Detailed description of the embodiments
The VPN management method, apparatus and system provided by embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the embodiments, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" is not to be construed as preferable to or more advantageous than other embodiments or designs; rather, these words are intended to present the relevant concept in a concrete way.
In the description of the embodiments, unless otherwise stated, "multiple" means two or more. For example, multiple processing units means two or more processing units, and multiple systems means two or more systems.
In addition, the terms "comprising" and "having", and any variants of them, are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device comprising a series of steps or units is not limited to the listed steps or units, but may optionally include other steps or units that are not listed, or that are inherent to that process, method, product or device.
First, some concepts involved in the embodiments are explained.
Backbone network: a high-speed network connecting multiple regions or areas. A backbone network is typically a wide area network, covering anywhere from tens to thousands of kilometers; each network provider owns its own backbone network, which connects its networks in different regions.
MPLS: a switching standard for the new generation of high-speed backbone networks, used for fast switching and routing of packets. MPLS forwards data using labels. When a packet enters the network it is assigned a short, fixed-length label; that is, the Internet Protocol (IP) address of the packet is mapped to a fixed-length label, which is encapsulated together with the packet. During forwarding, switching devices forward the packet according to its label.
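To make the label mechanism above concrete, here is an added example, not code from the patent: the 32-bit MPLS label stack entry of RFC 3032 (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack flag, 8-bit TTL) and a toy label-switched path in which an ingress PE maps the destination address to a forwarding equivalence class and pushes a label, a P router swaps it, and the egress PE pops it before handing the packet to the CE. Device names, prefixes, label values and the packet contents are constructed for illustration.

```python
import ipaddress
import struct

# Added example (not from the patent): encode MPLS label stack entries
# (RFC 3032) and run a packet through a push / swap / pop label-switched
# path. Device names, labels, prefixes and packets are made up.

LABEL_MAX = (1 << 20) - 1  # labels are 20 bits wide


def encode_label_entry(label, tc=0, bottom_of_stack=True, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label <= LABEL_MAX:
        raise ValueError("label must fit in 20 bits")
    if not (0 <= tc <= 7 and 0 <= ttl <= 255):
        raise ValueError("tc must fit in 3 bits and ttl in 8 bits")
    word = (label << 12) | (tc << 9) | (int(bottom_of_stack) << 8) | ttl
    return struct.pack("!I", word)


def decode_label_entry(data):
    """Unpack the top label stack entry of a labelled packet."""
    if len(data) < 4:
        raise ValueError("truncated label stack entry")
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1, "ttl": word & 0xFF}


def ingress_push(fec_table, dst_ip, ip_packet, ttl=64):
    """Ingress PE: map the destination address to a FEC by longest-prefix
    match and push the label bound to that FEC. Returns None if no FEC matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, label in fec_table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    if best is None:
        return None
    return encode_label_entry(best[1], ttl=ttl) + ip_packet


class LabelSwitchRouter:
    """A P or egress PE router: it forwards on the incoming label only."""

    def __init__(self, name, ilm):
        self.name = name
        self.ilm = ilm  # incoming label -> (action, outgoing label, next hop)

    def switch(self, labelled_packet):
        """Return (next_hop, packet_to_send), or None when the packet is dropped."""
        hdr = decode_label_entry(labelled_packet)
        entry = self.ilm.get(hdr["label"])
        if entry is None:
            return None            # no binding for this label: drop
        if hdr["ttl"] <= 1:
            return None            # TTL exhausted: drop
        action, out_label, next_hop = entry
        payload = labelled_packet[4:]
        if action == "swap":
            new_top = encode_label_entry(out_label, hdr["tc"], bool(hdr["s"]), hdr["ttl"] - 1)
            return next_hop, new_top + payload
        if action == "pop":
            return next_hop, payload   # label removed; the plain IP packet goes to the CE
        raise ValueError("unknown action " + action)


def run_lsp(ip_packet, dst_ip):
    """Walk a constructed PE1 -> P -> PE2 path; return the hop-by-hop trace."""
    pe1_fec = {"10.2.0.0/16": 1001}                              # ingress FEC -> label
    p = LabelSwitchRouter("P", {1001: ("swap", 2001, "PE2")})
    pe2 = LabelSwitchRouter("PE2", {2001: ("pop", None, "CE2")})
    trace = []
    pkt = ingress_push(pe1_fec, dst_ip, ip_packet)
    if pkt is None:
        return trace
    trace.append(("PE1", "P", pkt))
    for router in (p, pe2):
        hop = router.switch(pkt)
        if hop is None:
            return trace
        trace.append((router.name, hop[0], hop[1]))
        pkt = hop[1]
    return trace


if __name__ == "__main__":
    for src, nxt, pkt in run_lsp(b"constructed-ip-packet", "10.2.5.9"):
        print(src, "->", nxt, decode_label_entry(pkt) if nxt != "CE2" else "(unlabelled)")
```

An LSR that receives a label it has no binding for drops the packet, as does one that receives a TTL of 1; both cases are handled above, since a label-switched core forwards on nothing but the label and will deliver any packet whose top label happens to match a binding.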
VPN: a virtual private network established over a public network (i.e. the backbone network) between devices in different regions. The connection between any two devices in different regions does not have the end-to-end physical link required by a traditional private network; instead, it is a logical network built on the public network platform provided by an Internet service provider, and user data is transmitted over logical links. Data transfer between devices in different regions can use tunneling, encryption and decryption, key management and similar technologies.
Tunneling: a tunnel can be understood as a point-to-point connection channel. The essence of tunneling is to use a tunnel protocol to carry one network-layer protocol inside another, so that communication between two nodes takes place in a dedicated tunnel over the public network. For example, the node at one end of the VPN (node 1) uses the tunnel protocol to re-encapsulate packets of another protocol into packets of the tunnel protocol; the re-encapsulated packets travel through the tunnel between the two nodes to the other end of the VPN (node 2); node 2 then uses the same tunnel protocol to decapsulate the packets it receives, completing the transmission.
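The node 1 / node 2 exchange described above, as an added example that is not part of the patent: a minimal IP-in-IP tunnel endpoint (RFC 2003, IP protocol number 4) in Python. Node 1 re-encapsulates an inner IP packet under an outer IPv4 header addressed to the tunnel peer; node 2 checks the outer header (version, lengths, checksum, protocol number and the expected peer address) before stripping it. The addresses and the inner packet are constructed for illustration; the patent itself names no tunnel protocol.

```python
import ipaddress
import struct

# Added example (not from the patent): a minimal IP-in-IP tunnel endpoint
# (RFC 2003). The inner packet is carried unchanged inside a new outer IPv4
# header; the peer validates and strips that header. Addresses and payloads
# are constructed for illustration.

IPPROTO_UDP = 17
IPPROTO_IPIP = 4
IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, DSCP/ECN, total length, id, flags/frag,
                             # TTL, protocol, checksum, src, dst (20 bytes, no options)


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Build a 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Node 1: wrap the inner IP packet in an outer header addressed to the peer."""
    return build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(outer_packet, expected_peer):
    """Node 2: validate the outer header and return the inner packet."""
    if len(outer_packet) < 20:
        raise ValueError("truncated outer header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack(IPV4_HDR, outer_packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (ver_ihl & 0xF) * 4
    if ihl < 20 or total_len < ihl or len(outer_packet) < total_len:
        raise ValueError("bad outer length fields")
    if ipv4_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("outer header checksum mismatch")
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not an IP-in-IP tunnel packet")
    if ipaddress.IPv4Address(src) != ipaddress.IPv4Address(expected_peer):
        raise ValueError("outer source is not the configured tunnel peer")
    return outer_packet[ihl:total_len]


def tunnel_round_trip(inner_packet, node1_ip, node2_ip):
    """Send one packet from node 1 through the tunnel to node 2; return (outer, recovered inner)."""
    outer = encapsulate(inner_packet, node1_ip, node2_ip)
    return outer, decapsulate(outer, node1_ip)


if __name__ == "__main__":
    inner = build_ipv4_header("192.168.1.10", "192.168.2.20", IPPROTO_UDP, 8) + b"payload!"
    outer, back = tunnel_round_trip(inner, "203.0.113.1", "198.51.100.1")
    print("outer header:", outer[:20].hex(), "inner recovered:", back == inner)
```

Note what these checks do not give: IP-in-IP carries the inner packet in the clear, and the outer source address is trivially spoofable, so the peer-address test filters misdelivery, not an attacker. That is why the VPN definition above lists encryption and key management alongside tunneling; in practice the tunnel is run inside IPsec or a similar authenticated protocol.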
To address the problems of the background technology, the VPN management method, apparatus and system provided by embodiments of the present invention pre-configure, on the PE devices of the backbone network, the bandwidth of at least one VPN (the VPNs that may need to be built over a coming period), and pre-configure the public network IP addresses of the CE devices of the at least one VPN, so that the centralized management device can build a VPN quickly and, once the VPN is built, manage its services more flexibly.
The VPN management system provided by embodiments may include a centralized management device, CE devices, PE devices and a P device. Before the VPN management system is introduced in detail, the structure of each device involved in the system is described by way of example.
In the embodiments, the centralized management device of the VPN management system may be a physical control device or a virtual control device. With the rapid development of communication technology, virtualizing physical devices as software applications has become increasingly common as a way to save hardware cost and resources. The embodiments take the case in which the centralized management device is a virtual control device, which may be a Software Defined Network (SDN) controller. An SDN controller, based on a protocol such as OpenFlow, specifies a flexible packet-processing specification and can control and manage the switching or routing devices connected to it, for example directing a switching device to forward packets according to forwarding rules.
The SDN controller is a software application that can be carried on a server to realize the controller's functions. The components of the server carrying the SDN controller are described with reference to Fig. 2. As shown in Fig. 2, the server may include a processor 10, a memory 11 and a communication interface 12.
Processor 10: the core component of the server, used to run the server's operating system and application programs (including system applications and third-party applications such as the SDN controller).
In the embodiments, processor 10 may be a Central Processing Unit (CPU), a general-purpose processor, a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, transistor logic, a hardware component or any combination of these, capable of implementing or executing the various exemplary logic blocks, modules and circuits described in this disclosure. The processor may also be a combination that implements a computing function, such as a combination of one or more microprocessors, or of a DSP and a microprocessor.
Memory 11: used to store software programs and modules; by running the software programs and modules stored in memory 11, processor 10 executes the server's various function applications and data processing. Memory 11 may include one or more computer-readable storage media. It includes a program storage area and a data storage area: the program storage area may store the operating system and the application programs required by at least one function, and the data storage area may store data created by the server. In the embodiments, memory 11 may contain the SDN controller application; by running it, the other devices in the service chain topology (such as core switches and compute nodes) are controlled, so that traffic from the core switching device is steered to each service node.
In the embodiments, memory 11 may include volatile memory such as Random-Access Memory (RAM); it may also include non-volatile memory such as Read-Only Memory (ROM), flash memory, a Hard Disk Drive (HDD) or a Solid-State Drive (SSD); or it may include a combination of these types of memory.
Communication interface 12: the interface circuit through which the server communicates with other devices. It may be a transceiver, a transceiver circuit or any other structure with transmit and receive functions, and includes serial and parallel communication interfaces.
Optionally, communication interface 12 may also include a user interface, through which the server carrying the SDN controller interacts with the user, for example to receive a user's instruction to build a VPN.
In the embodiments, a CE device in the VPN management system may be a host or a routing device; taking a router as the example of a routing device, its hardware structure is described below. Fig. 3 is a hardware schematic of a router provided in an embodiment; as shown in Fig. 3, the router includes a processor 20, a memory 21 and an interface 22. Each component is described by way of example.
Processor 20: responsible for exchanging routing information, looking up routing tables and forwarding packets, for example handling the various routing tables and route computations needed to maintain the router.
Memory 21: stores the router's configuration, operating system, routing protocol software and so on. A router may have several kinds of memory, such as ROM and RAM.
Interface 22: used by the router to send and receive packets. The router's interfaces include LAN interfaces and WAN interfaces; in addition, since a router has no input or display terminal of its own, its interfaces also include a console port, through which a user or administrator communicates with the router from a terminal to configure it.
Embodiments provide a VPN management system that may include a centralized management device, at least two CE devices, at least two PE devices and a P device. Each PE device is connected to the P device, forming the backbone network; each CE device is connected to one PE device; the bandwidth required by at least one VPN is configured on the PE devices; and the CE devices have public network IP addresses.
For example, consider building one VPN that provides communication among three areas (say Beijing, Shanghai and Guangzhou) over the backbone network, i.e. a VPN that includes 3 CE devices. Assuming the VPN management system has 3 CE devices and 3 PE devices, Fig. 4 shows the architecture of such a system. In Fig. 4, the VPN management system includes a centralized management device 100; 3 CE devices (CE device 101, CE device 102 and CE device 103); 3 PE devices (PE device 104, PE device 105 and PE device 106); and a P device 107. PE devices 104, 105 and 106 are each connected to P device 107, forming the backbone network; CE device 101 is connected to PE device 104, CE device 102 to PE device 105 and CE device 103 to PE device 106. The bandwidth required by the VPN to be built is pre-configured on each PE device, and the public network IP addresses of the VPN's CE devices (CE devices 101, 102 and 103) are pre-configured: PE device 104 reserves the public network IP address of its attached CE device 101, PE device 105 that of CE device 102, and PE device 106 that of CE device 103.
It should be noted that in the embodiment of the present invention, multiple VPN can be built according to the demand of user, in following implementations In example exemplified by building a VPN, VPN management methods provided in an embodiment of the present invention, apparatus and system are carried out exemplary Explanation.
The embodiment of the present invention provides a kind of method of management VPN, can be applied to the VPN management system of above-described embodiment offer System, with reference to Fig. 4, as shown in figure 5, this method can include S101-S105:
S101, centralized management device receive VPN structure requests, and VPN structure requests include VPN demands.
In the embodiment of the present invention, an operator can estimate, by means such as market surveys, the VPNs that a given area may need over a coming period (such as the number of VPNs, their bandwidth, etc.). Accordingly, when the MPLS-based backbone network is configured, the related resources are configured in the backbone network: the bandwidth needed by at least one VPN (i.e. the at least one VPN that may need to be built in the future) is pre-configured on each PE device of the backbone network, and the public network IP addresses of the CE devices are pre-configured. When a user asks the operator to build a new VPN, a CE device can then be attached to a port of the PE device corresponding to each area, and the public network IP address of the CE device set according to the pre-configured address, so that the path between the CE device and the PE device is reachable.
In the embodiment of the present invention, a user (such as a network administrator) can input an instruction to build a VPN (i.e. the VPN build request) to the centralized management device through its user interface. The VPN build request includes a VPN demand, which can be the number of VPNs, the bandwidth, the identifier of the specified VPN, etc., so that the centralized management device can configure the specified number of CE devices in the VPN management system (i.e. the target CE devices) into one VPN.
S102: according to the VPN demand, the centralized management device determines, from the at least two CE devices, the target CE devices for building the first VPN.
S103: according to the VPN demand, the centralized management device sends a tunnel build message to the target CE devices.
The tunnel build message includes a tunnel protocol, and the number of target CE devices is greater than or equal to 2.
In the embodiment of the present invention, after the centralized management device receives the VPN build request, it determines, according to the VPN demand in the request, the target CE devices for building the first VPN from the at least two CE devices in the VPN management system. The centralized management device then establishes a connection with each CE device among the target CE devices, so that it can communicate with each of them; it then sends a tunnel build message to the target CE devices according to the VPN demand, so that tunnel communication is established between the target CE devices and the building of the first VPN is completed.
Optionally, in the embodiment of the present invention, the tunnel protocol can include any one of the following: Generic Routing Encapsulation (GRE), IP in IP, Internet Protocol Security (IPsec), Virtual eXtensible Local Area Network (VXLAN), etc. A suitable tunnel protocol can be selected according to the actual usage demand; the embodiment of the present invention does not specifically limit it.
Specifically, GRE can encapsulate any network layer protocol (for example, Internet Control Message Protocol (ICMP)) inside any other network layer protocol (such as IP); IP in IP encapsulates an IP packet inside another IP packet, i.e. the packet to be encapsulated is carried in an outer IP packet; IPsec encapsulates encrypted message content in IP packets for transmission, enabling secure transmission of data messages; VXLAN encapsulates Layer 2 frames in User Datagram Protocol (UDP). Of these, GRE, IP in IP and VXLAN provide encapsulation only and give the carried user traffic no confidentiality or integrity protection; among the listed protocols only IPsec protects the data messages themselves.
It should be noted that in the embodiment of the present invention, the actions of the centralized management device establishing the connection with the target CE devices and sending the tunnel build message to the target CE devices are performed by the build and maintenance module in the centralized management device.
Optionally, the build and maintenance module of the centralized management device can also maintain the connection established between the centralized management device and the target CE devices: it sets a keepalive period and monitors whether the connection established between the centralized management device and the target CE devices has been disconnected. The build and maintenance module can also encrypt the messages or information transmitted between the centralized management device and the target CE devices, improving the security of the transmission.
S104: each CE device among the target CE devices receives the tunnel build message sent by the centralized management device.
S105: each CE device among the target CE devices establishes tunnel communication with the other CE devices among the target CE devices, to build the first VPN.
In the embodiment of the present invention, each CE device among the target CE devices receives the tunnel build message sent by the centralized management device and establishes tunnel communication with the other CE devices among the target CE devices. For example, taking one CE device among the target CE devices (hereinafter the first CE device), the first CE device can establish tunnel communication with the other target CE devices based on the tunnel protocol in the tunnel build message, so that the first CE device can communicate with the other target CE devices. In summary, the target CE devices receive the tunnel build message sent by the centralized management device, so that tunnel communication can be established between each pair of target CE devices; at this point the first VPN has been built successfully, and the user equipment (terminals and similar devices) in the first VPN can communicate over the VPN built on the backbone network and carry out business traffic.
For example, as shown in Fig. 4, in the process of building a VPN that includes CE device 101, CE device 102 and CE device 103, after each CE device has completed its connection to the corresponding PE device, the centralized management device 100 sends a tunnel build message to CE device 101, CE device 102 and CE device 103 respectively, so that tunnel communication is established between CE device 101, CE device 102 and CE device 103, i.e. any two of the three CE devices can communicate. This can also be understood as follows: user equipment in each site of the VPN (a site of the VPN is the internal VPN network of a region; for example, in Fig. 4 the regional internal network served by CE device 101 is VPN_a, the one served by CE device 102 is VPN_b and the one served by CE device 103 is VPN_c) can communicate (access each other, transmit data, etc.) over the built VPN by routing through its respective CE device.
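The S101-S105 exchange above, as an added example written for this page (it is not code from the patent or from Ruijie): a centralized management device takes a VPN build request, selects the target CE devices from a CE inventory, sends each of them a tunnel build message, and each CE sets up one tunnel endpoint per peer, giving a full mesh. The inventory, the public IP addresses, the site names and the assumption that the tunnel build message also carries the peers' public IP addresses are constructed for the example; the patent only states that the message carries the tunnel protocol.

```python
"""Added example: simulates S101-S105 of the patent (not Ruijie's code).
Assumptions: a CE inventory keyed by site, a tunnel build message carrying the
tunnel protocol and the public IPs of the peer CEs, and a full mesh of tunnels
between the target CEs. All addresses are constructed sample data."""
from dataclasses import dataclass, field
from itertools import combinations

# Constructed inventory: CE id -> (site, public IP reserved on the PE side).
CE_INVENTORY = {
    "CE101": ("VPN_a", "203.0.113.1"),
    "CE102": ("VPN_b", "203.0.113.2"),
    "CE103": ("VPN_c", "203.0.113.3"),
    "CE108": ("VPN_d", "203.0.113.8"),   # extra CE that is not part of the VPN being built
}
SUPPORTED_TUNNELS = {"gre", "ipip", "ipsec", "vxlan"}   # the protocols the patent lists

@dataclass
class TunnelBuildMessage:
    vpn_id: str
    protocol: str
    peers: dict          # peer CE id -> peer public IP

@dataclass
class CEDevice:
    ce_id: str
    public_ip: str
    tunnels: set = field(default_factory=set)

    def receive_tunnel_build(self, msg):
        """S104/S105: set up one tunnel endpoint per peer named in the message."""
        if msg.protocol not in SUPPORTED_TUNNELS:
            raise ValueError("unsupported tunnel protocol: " + msg.protocol)
        for peer_id, peer_ip in msg.peers.items():
            if peer_id != self.ce_id:
                self.tunnels.add((msg.protocol, self.public_ip, peer_ip))

class CentralizedManagementDevice:
    def __init__(self, inventory):
        self.inventory = inventory
        self.ces = {cid: CEDevice(cid, ip) for cid, (_site, ip) in inventory.items()}

    def select_target_ces(self, sites):
        """S102: the target CEs are the CEs serving the requested sites."""
        targets = [cid for cid, (site, _ip) in self.inventory.items() if site in sites]
        if len(targets) < 2:          # the patent requires at least two target CEs
            raise ValueError("a VPN needs at least two target CE devices")
        if len(targets) != len(sites):
            raise ValueError("some requested sites have no CE device")
        return targets

    def handle_vpn_build_request(self, request):
        """S101-S103: pick the target CEs from the VPN demand and send tunnel build messages."""
        demand = request["vpn_demand"]
        targets = self.select_target_ces(demand["sites"])
        peers = {cid: self.ces[cid].public_ip for cid in targets}
        msg = TunnelBuildMessage(demand["vpn_id"], demand["tunnel_protocol"], peers)
        for cid in targets:
            self.ces[cid].receive_tunnel_build(msg)
        return targets

def build_example_vpn(protocol="gre"):
    """Build the three-site VPN of Fig. 4 and return the tunnel set of each target CE."""
    cmd = CentralizedManagementDevice(CE_INVENTORY)
    targets = cmd.handle_vpn_build_request({
        "vpn_demand": {"vpn_id": "vpn1", "sites": ["VPN_a", "VPN_b", "VPN_c"],
                       "tunnel_protocol": protocol},
    })
    return {cid: cmd.ces[cid].tunnels for cid in targets}

def is_full_mesh(tunnel_sets):
    """True if every pair of target CEs has a tunnel endpoint on both sides."""
    for a, b in combinations(tunnel_sets, 2):
        ip_a, ip_b = CE_INVENTORY[a][1], CE_INVENTORY[b][1]
        if not any(t[2] == ip_b for t in tunnel_sets[a]):
            return False
        if not any(t[2] == ip_a for t in tunnel_sets[b]):
            return False
    return True

if __name__ == "__main__":
    for cid, tunnels in build_example_vpn().items():
        print(cid, sorted(tunnels))
```

The two rejections in select_target_ces are the checks a practitioner wants at S102: a request naming fewer than two sites cannot form a VPN, and a request naming a site with no attached CE must fail before any tunnel build message is sent, rather than producing a partial mesh.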
Optionally, with reference to Fig. 5, and as shown in Fig. 6, after S105 the VPN management method provided in an embodiment of the present invention can also include S106 and S107:
S106: the centralized management device sends routing configuration information to the target CE devices.
The routing configuration information includes static routing information or a dynamic routing protocol; the dynamic routing protocol is used by the target CE devices of the first VPN to obtain dynamic routing information.
In the embodiment of the present invention, after the first VPN has been built successfully, in order to ensure that the sites of the first VPN can access each other, the centralized management device can send routing configuration information to all target CE devices, configuring routing information (i.e. a routing table) for each site of the first VPN. Thus, after a target CE device receives a data message from user equipment in its site, it can forward the data message according to the routing information; and after a target CE device receives a data message sent by the PE device, it can deliver the data message to the user equipment in its site according to the routing information, realizing communication between the sites.
Optionally, in the embodiment of the present invention, the routing information that the centralized management device configures for each site of the first VPN can be configured statically or dynamically. If the centralized management device configures the routing information for each site of the first VPN statically, it configures the routing information according to the network segment information of each site's internal network that the user submitted when applying to open the VPN, and sends the routing information to the CE device corresponding to each site of the first VPN (i.e. the target CE devices). If the centralized management device configures the routing information for each site of the first VPN dynamically, it sends a dynamic routing protocol to each target CE device; the target CE devices then learn each other's routing information (exchanging routing information with one another), and each generates its own routing information from the routing algorithm of the dynamic routing protocol and the learned routing information.
In the embodiment of the present invention, the dynamic routing protocol can include, but is not limited to, the following routing protocols: Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Routing Information Protocol (RIP), Intermediate System to Intermediate System (IS-IS), etc. A suitable dynamic routing protocol can be selected according to the actual usage demand; the embodiment of the present invention does not specifically limit it.
S107: the target CE devices receive the routing configuration information sent by the centralized management device.
It is understood that each CE device among the target CE devices receives the routing configuration information sent by the centralized management device. For example, taking one CE device among the target CE devices (such as the first CE device): after receiving the routing configuration information sent by the centralized management device, the first CE device can determine its routing information from the routing configuration information, and then route or forward data according to that routing information.
In the embodiment of the present invention, after the building of the first VPN is completed, the centralized management device can also manage the services of the first VPN; specifically, this can include policy management, network traffic management and routing information management.
In the embodiment of the present invention, policy management of the first VPN by the centralized management device is specifically as follows: the centralized management device sends policy information to at least one target CE device, the policy information including at least one of access policy information, bandwidth policy information and QoS policy information; the at least one target CE device receives the policy information sent by the centralized management device, and the policy information is used by the at least one target CE device to adjust the policy of the first VPN.
In the following, the management of VPN services by the centralized management device is explained by taking as an example the centralized management device sending policy information to one target CE device (such as the first CE device).
Optionally, the centralized management device sends access policy information to the first CE device; the access policy information indicates the access rights of the first CE device. After the first CE device receives the access policy information, it can access the other CE devices among the target CE devices according to the access rights indicated by the access policy information.
The centralized management device can set the access policy information according to the characteristics of each site of the first VPN. For example, VPN_a is the headquarters site of an enterprise and the CE device of site VPN_a is CE_a; VPN_b and VPN_c are branch sites of the enterprise, the CE device of site VPN_b is CE_b and the CE device of site VPN_c is CE_c. The centralized management device can then set: CE_a of the headquarters site has permission to access CE_b and CE_c of the branch sites, but CE_b and CE_c of the branch sites have no permission to access CE_a of the headquarters site, and CE_b and CE_c of the branch sites can access each other.
The centralized management device can also set access policy information according to specific service types. For example, VPN_a is the headquarters site of an enterprise, VPN_b and VPN_c are its branch sites; the centralized management device can set: CE_b of branch site VPN_b and CE_c of branch site VPN_c have permission to access a certain file server (for example, a file server storing shared data), but CE_b of branch site VPN_b and CE_c of branch site VPN_c have no permission to access the enterprise's enterprise resource planning (ERP) system, customer relationship management (CRM) system and the like (such systems may hold trade secrets).
When the centralized management device sets access policy information according to service type, it can specifically set the access rights of each site of the first VPN according to at least one of the following: the destination IP address, destination IP segment, source IP address, source IP segment, destination port and source port of the data message, etc.
Optionally, in the embodiment of the present invention, the centralized management device can deliver access policy information to the target CE devices in any one of the following forms: an Access Control List (ACL), an OpenFlow flow table, static routes, Policy-Based Routing (PBR), etc.
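The site-based and service-based access policies described above, expressed as an ordered ACL in an added example written for this page (not the patent's or Ruijie's code). The site prefixes, the file server and ERP addresses and the port numbers are constructed assumptions. The example also covers a point the text leaves open: because the branch CE denies branch-to-headquarters packets, the replies to sessions that headquarters opens towards a branch would be dropped too, so the branch ACL carries an "established" rule for such replies (here modelled as a flag supplied with the packet).

```python
"""Added example (not the patent's or Ruijie's code): turns the headquarters
and branch access policy of the text into an ordered ACL per CE and evaluates
constructed packets against it. Prefixes, addresses and ports are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed site addressing: CE_a serves VPN_a (headquarters), CE_b and CE_c the branches.
SITES = {
    "VPN_a": ipaddress.ip_network("10.1.0.0/16"),
    "VPN_b": ipaddress.ip_network("10.2.0.0/16"),
    "VPN_c": ipaddress.ip_network("10.3.0.0/16"),
}
FILE_SERVER = ipaddress.ip_network("10.1.10.5/32")   # shared data, open to the branches
ERP_SERVER = "10.1.20.5"                              # trade secrets, headquarters only
SMB_PORT = 445                                        # assumed file-server port

@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port
    established: bool = False        # match only replies to sessions opened from the other side

    def matches(self, src_ip, dst_ip, dport, established):
        if self.established and not established:
            return False
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))

def evaluate(acl, src_ip, dst_ip, dport, established=False):
    """First-match ACL with an implicit deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl:
        if entry.matches(src_ip, dst_ip, dport, established):
            return entry.action
    return "deny"

def branch_acl(branch_site):
    """Access policy pushed to a branch CE for the traffic it sends into the VPN."""
    me, hq = SITES[branch_site], SITES["VPN_a"]
    acl = [
        # service-type rule: branches may reach the shared file server
        AclEntry("permit", me, FILE_SERVER, SMB_PORT),
        # replies to sessions that headquarters opened towards the branch
        AclEntry("permit", me, hq, established=True),
        # everything else towards headquarters (ERP, CRM, ...) is denied
        AclEntry("deny", me, hq),
    ]
    # site-type rule: branch sites may access each other
    acl += [AclEntry("permit", me, net) for site, net in SITES.items()
            if site not in ("VPN_a", branch_site)]
    return acl

def headquarters_acl():
    """Headquarters CE_a may reach every branch site."""
    return [AclEntry("permit", SITES["VPN_a"], net)
            for site, net in SITES.items() if site != "VPN_a"]

def demo():
    """Evaluate constructed packets against the branch VPN_b ACL and the headquarters ACL."""
    b, hq = branch_acl("VPN_b"), headquarters_acl()
    return {
        "branch_to_file_server": evaluate(b, "10.2.0.10", "10.1.10.5", SMB_PORT),
        "branch_to_erp": evaluate(b, "10.2.0.10", ERP_SERVER, 443),
        "branch_to_branch": evaluate(b, "10.2.0.10", "10.3.0.7", 22),
        "branch_reply_to_hq": evaluate(b, "10.2.0.10", "10.1.5.5", 51000, established=True),
        "branch_new_to_hq": evaluate(b, "10.2.0.10", "10.1.5.5", 51000),
        "hq_to_branch": evaluate(hq, "10.1.5.5", "10.3.0.7", 22),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Rule order matters: the file-server permit and the established permit sit above the headquarters deny, and the implicit deny at the end catches any packet the policy does not mention. Whether the CE can actually distinguish replies from new sessions depends on the delivery form chosen (an ACL with established matching, an OpenFlow table or PBR); the page does not say which, so the flag is an assumption of the example.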
Optionally, in the embodiment of the present invention, network traffic management of the first VPN by the centralized management device is specifically as follows: at least one target CE device reports its network traffic to the centralized management device; the centralized management device receives the network traffic reported by the at least one target CE device, in order to monitor the network traffic of the first VPN.
In the embodiment of the present invention, the centralized management device can manage the bandwidth of the first VPN. Bandwidth management of the first VPN by the centralized management device can include static bandwidth management and elastic bandwidth management (which can be understood as dynamic bandwidth management). Specifically, the centralized management device can send bandwidth policy information to at least one target CE device to manage the bandwidth of the first VPN: it can configure a fixed bandwidth for the first VPN (i.e. the available bandwidth of the first VPN in the backbone network is a fixed value); it can also send bandwidth policy information to at least one target CE device according to the usage of the first VPN, instructing the at least one target CE device to adjust its bandwidth. For example, for one CE device among the target CE devices (such as the first CE device), the bandwidth adjustment can include: the first CE device adjusting (increasing or decreasing) the available bandwidth of its uplink interface, or adjusting the available bandwidth of specified data messages.
In the embodiment of the present invention, the centralized management device can send QoS policy information to at least one target CE device to indicate the priority of different customers or of different services, so as to guarantee the transmission quality of important users or of important services. Optionally, the centralized management device can send the QoS policy already in use in the backbone network to the at least one target CE device. For example, when QoS policy information is sent to the first CE device: the first CE device receives the QoS policy sent by the centralized management device, and after it receives a data message sent by user equipment in the site of the first VPN, it sets the QoS value in the TOS field of the IP header of the data message and then sends the data message to the corresponding PE device. After the PE device receives the data message, it performs MPLS processing on it (mapping the destination IP address to a label) and also maps the value of the TOS field of the data message to the EXP field of the MPLS message. The QoS policy of the data messages in the first VPN thus matches the QoS policy in the backbone network, and the data messages can be transmitted successfully over the backbone network.
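The CE-side marking and PE-side TOS-to-EXP mapping described above, as an added example written for this page (not the patent's or Ruijie's code). The QoS policy, the DSCP values, the MPLS label and the sample packets are constructed assumptions. The example goes slightly beyond the text in making the bit layout explicit: DSCP occupies the top 6 bits of the 8-bit TOS byte, the EXP (Traffic Class) field of the MPLS shim header is only 3 bits, and the usual mapping copies the IP precedence (the top 3 bits of TOS) into it.

```python
"""Added example (not the patent's or Ruijie's code): a CE marks the IP TOS
byte from a QoS policy and the PE copies the IP precedence into the 3-bit EXP
field of the MPLS shim header. Policy, DSCP values, label and packets are
constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# QoS policy pushed to the first CE device, ordered, first match wins.
# DSCP 46 = EF (voice), 26 = AF31 (important customer), 0 = best effort.
QOS_POLICY = [
    {"dport": 5060, "dscp": 46},          # important service: VoIP signalling
    {"src": "10.1.20.0/24", "dscp": 26},  # important customer subnet
]
DEFAULT_DSCP = 0

@dataclass
class IpPacket:
    src: str
    dst: str
    dport: int
    tos: int = 0   # 8-bit TOS byte: DSCP in the top 6 bits, ECN in the low 2 bits

def _in_prefix(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def ce_mark(packet, policy=QOS_POLICY):
    """CE side: pick a DSCP from the policy and write it into the TOS byte,
    preserving the two ECN bits."""
    dscp = DEFAULT_DSCP
    for rule in policy:
        if "dport" in rule and rule["dport"] != packet.dport:
            continue
        if "src" in rule and not _in_prefix(packet.src, rule["src"]):
            continue
        dscp = rule["dscp"]
        break
    packet.tos = ((dscp & 0x3F) << 2) | (packet.tos & 0x3)
    return packet

def tos_to_exp(tos):
    """IP precedence (top 3 bits of TOS) is the usual source of the 3-bit EXP value."""
    return (tos >> 5) & 0x7

def pe_impose_label(packet, label, ttl=64):
    """PE side: build the 32-bit MPLS shim: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    exp = tos_to_exp(packet.tos)
    return (label << 12) | (exp << 9) | (1 << 8) | (ttl & 0xFF)   # S=1: bottom of stack

def decode_shim(shim):
    """Split a shim header back into its fields (for checking the mapping)."""
    return {"label": shim >> 12, "exp": (shim >> 9) & 0x7,
            "s": (shim >> 8) & 0x1, "ttl": shim & 0xFF}

def demo():
    """Mark three constructed packets at the CE and label them at the PE."""
    voice = ce_mark(IpPacket("10.1.5.5", "10.2.0.9", 5060))
    customer = ce_mark(IpPacket("10.1.20.7", "10.2.0.9", 80))
    bulk = ce_mark(IpPacket("10.1.5.5", "10.2.0.9", 445))
    return {name: decode_shim(pe_impose_label(p, label=16))
            for name, p in (("voice", voice), ("customer", customer), ("bulk", bulk))}

if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields)
```

The point to check in deployment is that EXP has only eight values while DSCP has 64: EF (46) and AF31 (26) land on precedence 5 and 3 respectively, but two DSCPs that share the top three bits become indistinguishable in the backbone, so the CE-side policy should be chosen with the backbone's EXP classes in mind.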
In the embodiment of the present invention, because the centralized management device can send policy information to at least one target CE device so that the at least one target CE device adjusts the policy of the first VPN, communication quality is improved. Compared with the prior art, there is no longer any need to make cumbersome, long-cycle policy adjustments in the PE devices of the backbone network, and the services of the VPN can be managed more flexibly.
Optionally, in the embodiment of the present invention, the centralized management device can also monitor the network traffic in the first VPN. For example, taking the first CE device: the first CE device can report its network traffic to the centralized management device, the network traffic including the uplink traffic and the downlink traffic of the first CE device, so that the centralized management device receives the network traffic reported by the first CE device and monitors the network traffic of the first VPN.
All CE devices of the first VPN (i.e. all target CE devices) report the network traffic of their input ports and output ports to the centralized management device, so the centralized management device can monitor the network traffic of the whole first VPN and handle abnormal conditions. Compared with the prior art, because the target CE devices can report network traffic to the centralized management device, traffic visualization can be achieved, solving the problem in the prior art that the network traffic of a VPN cannot be monitored.
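The traffic reporting described above, as an added example written for this page (not the patent's or Ruijie's code): each target CE periodically reports its uplink and downlink byte counters, and the centralized management device converts them to rates and raises an alert when a CE exceeds the bandwidth from its bandwidth policy. The counter width, the report interval, the bandwidth values and the reports are constructed assumptions; the patent does not specify a report format.

```python
"""Added example (not the patent's or Ruijie's code): the centralized
management device turns per-CE uplink/downlink byte counters into rates and
flags CEs that exceed their bandwidth policy. Counter width, interval,
bandwidth values and reports are constructed assumptions."""

COUNTER_BITS = 64                 # assumed width of the CE interface octet counters
BANDWIDTH_POLICY_BPS = {          # per-CE limit from the bandwidth policy, in bits/s
    "CE101": 100_000_000,
    "CE102": 50_000_000,
    "CE103": 50_000_000,
}

def rate_bps(prev_bytes, cur_bytes, interval_s, bits=COUNTER_BITS):
    """Bytes per interval -> bits/s, tolerating one counter wrap. A counter
    reset (e.g. a CE reboot) cannot be told apart from a wrap using octet
    counters alone, so it is treated as a wrap here."""
    delta = cur_bytes - prev_bytes
    if delta < 0:
        delta += 1 << bits
    return delta * 8 / interval_s

class TrafficMonitor:
    def __init__(self, policy, interval_s=10):
        self.policy = policy
        self.interval = interval_s
        self.last = {}            # ce_id -> (uplink_bytes, downlink_bytes)
        self.alerts = []

    def receive_report(self, ce_id, uplink_bytes, downlink_bytes):
        """Handle one CE report; returns (up_bps, down_bps), or None for the first sample."""
        prev = self.last.get(ce_id)
        self.last[ce_id] = (uplink_bytes, downlink_bytes)
        if prev is None:
            return None
        up = rate_bps(prev[0], uplink_bytes, self.interval)
        down = rate_bps(prev[1], downlink_bytes, self.interval)
        limit = self.policy.get(ce_id)
        if limit is not None and max(up, down) > limit:
            self.alerts.append((ce_id, "over_bandwidth", max(up, down)))
        return up, down

def demo():
    """Feed two rounds of constructed reports (t=0 and t=10 s) to the monitor."""
    mon = TrafficMonitor(BANDWIDTH_POLICY_BPS, interval_s=10)
    reports_t0 = [("CE101", 1_000_000, 2_000_000),
                  ("CE102", 500_000, 600_000),
                  ("CE103", (1 << 64) - 1_000, 100_000)]
    reports_t10 = [("CE101", 11_000_000, 3_000_000),     # 8 Mbit/s up, within policy
                   ("CE102", 75_500_000, 700_000),       # 60 Mbit/s up, over 50 Mbit/s
                   ("CE103", 4_000, 200_000)]            # uplink counter wrapped
    for r in reports_t0:
        mon.receive_report(*r)
    rates = {ce: mon.receive_report(ce, up, down) for ce, up, down in reports_t10}
    return rates, mon.alerts

if __name__ == "__main__":
    rates, alerts = demo()
    for ce, (up, down) in rates.items():
        print(ce, "up", up, "down", down)
    print("alerts", alerts)
```

A bandwidth alert from a CE's own report is only as trustworthy as the CE: the page has the CEs report over the management connection that the build and maintenance module keeps alive and can encrypt, so a reading that looks impossible (for example, a rate far above the physical interface speed) is better treated as a corrupted or forged report than as real traffic.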
Optionally, in the embodiment of the present invention, the centralized management device can also perform routing information management for the first VPN, specifically as follows: at least one target CE device can send a link exception notification message to the centralized management device, so that the centralized management device can update the routing configuration information according to the link exception notification message and then send the updated routing configuration information to the at least one target CE device.
For example, when the link between a CE device of the first VPN (such as the first CE device) and another CE device of the first VPN (i.e. between the first CE device and another CE device among the target CE devices) becomes abnormal (such as the link being interrupted or congested), the first CE device sends a link exception notification message to the centralized management device. The centralized management device receives the link exception notification message sent by the first CE device and, after updating the routing configuration information, sends the updated routing configuration information (including the static routing information or dynamic routing protocol referred to in the above embodiments) to the first CE device, so that the first CE device communicates with the other CE devices in the first VPN according to the new routing information determined from the new routing configuration information (the new routing information indicating a new link). For example, in the VPN management system shown in Fig. 4, user equipment in VPN_a, VPN_b and VPN_c can communicate with each other; if the link between CE device 101 of VPN_a and CE device 102 of VPN_b fails, CE device 101 sends a link exception notification message to the centralized management device 100, which updates the routing configuration information of CE device 101 and sends the updated routing configuration information to CE device 101, selecting a new link for transmitting the data messages: for example, VPN_a can send data messages to VPN_b via VPN_c as a transit site, guaranteeing normal communication between VPN_a and VPN_b.
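The static routing configuration of S106/S107 and the link-exception handling just described, together in one added example written for this page (not the patent's or Ruijie's code). The centralized management device derives per-CE static routes from the site prefixes submitted when the VPN was opened, over the full mesh of tunnels built in S105; after a link exception notification it drops the failed tunnel and recomputes, so VPN_a reaches VPN_b through VPN_c. The prefixes and CE identifiers are constructed; the patent names no route-selection algorithm, so shortest hop count over the tunnel graph is an assumption of the example. One point the page's description leaves implicit is handled explicitly: the transit CE and the far-end CE also need updated routes for the return path, so all tables are recomputed, not only CE device 101's.

```python
"""Added example (not the patent's or Ruijie's code): static routes per CE
from site prefixes over the tunnel mesh, recomputed after a link exception.
Prefixes and CE ids are constructed; shortest hop count is an assumption."""
from collections import deque

# Constructed: site -> (CE id, internal prefix submitted by the user at VPN opening).
SITES = {
    "VPN_a": ("CE101", "10.1.0.0/16"),
    "VPN_b": ("CE102", "10.2.0.0/16"),
    "VPN_c": ("CE103", "10.3.0.0/16"),
}

def full_mesh(ces):
    """Tunnel adjacency after S105: every target CE has a tunnel to every other."""
    return {c: {o for o in ces if o != c} for c in ces}

def next_hops(adj, src):
    """Breadth-first search over the tunnel graph; returns dst CE -> first-hop CE."""
    first, seen, queue = {}, {src}, deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj[cur]):          # sorted for deterministic tie-breaking
            if nxt in seen:
                continue
            seen.add(nxt)
            first[nxt] = nxt if cur == src else first[cur]
            queue.append(nxt)
    return first

def static_routes(adj, sites):
    """Routing configuration information per CE: site prefix -> tunnel next hop.
    Sites that are unreachable over the surviving tunnels get no route."""
    ce_to_prefix = {ce: prefix for ce, prefix in sites.values()}
    return {ce: {ce_to_prefix[dst]: hop for dst, hop in next_hops(adj, ce).items()}
            for ce in adj}

class RouteManager:
    """The routing-information-management part of the centralized management device."""
    def __init__(self, sites=SITES):
        self.sites = sites
        self.adj = full_mesh([ce for ce, _ in sites.values()])
        self.tables = static_routes(self.adj, sites)

    def link_exception(self, reporter, peer):
        """Handle a link exception notification from `reporter` about its tunnel to
        `peer`: remove the link from the topology, recompute every table (the transit
        and far-end CEs need the return path too) and return the reporter's new table."""
        self.adj[reporter].discard(peer)
        self.adj[peer].discard(reporter)
        self.tables = static_routes(self.adj, self.sites)
        return self.tables[reporter]

def demo():
    """CE101's table before and after the CE101-CE102 link fails."""
    rm = RouteManager()
    before = dict(rm.tables["CE101"])
    after = rm.link_exception("CE101", "CE102")
    return before, after, rm.tables

if __name__ == "__main__":
    before, after, tables = demo()
    print("CE101 before:", before)
    print("CE101 after: ", after)
    print("CE102 after: ", tables["CE102"])
```

With a dynamic routing protocol (the page's other option) the re-convergence would happen between the CEs themselves; the static variant above is the one in which the centralized management device has to do the recomputation, which is why it is the one shown.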
It should be noted that in the embodiment of the present invention, the management of VPN services by the centralized management device (including, as described in the above embodiments, sending policy information to at least one target CE device, receiving the network traffic reported by at least one target CE device, receiving the link exception notification message sent by at least one target CE device, updating the routing configuration information, etc.) is performed by the management and control module in the centralized management device.
The VPN management method provided in an embodiment of the present invention can be applied to the VPN management system provided in the above embodiment. Because the bandwidth required by at least one VPN (the VPNs that may need to be built over a coming period) is configured on the at least two PE devices in the backbone network, and the at least two CE devices in the backbone network have the public network IP addresses of the at least one VPN, when a VPN is to be built and the centralized management device in the VPN management system receives a VPN build request, it can determine, according to the VPN demand in the VPN build request, the target CE devices for building the first VPN from the at least two CE devices, and send a tunnel build message to the target CE devices according to the VPN demand, so that tunnel communication can be established between the target CE devices according to the tunnel build message and the first VPN is built. Compared with the prior art, building a VPN no longer requires the long and complicated building process of the prior art, so a VPN can be built quickly.
Further, because the centralized management device can send policy information to at least one target CE device to adjust the policy of the VPN, and can receive the network traffic and the link exception notification messages sent by at least one target CE device in order to monitor the network traffic of the VPN and update the routing configuration information, the services of the VPN can be managed more flexibly.
The embodiment of the present invention also provides a VPN management apparatus, applied to the centralized management device included in a VPN management system. The VPN management system further includes at least two CE devices, at least two PE devices and a P device; the at least two PE devices are each connected to the P device and form the backbone network; each CE device among the at least two CE devices is connected to a corresponding PE device among the at least two PE devices; the bandwidth required by at least one VPN is configured on the at least two PE devices, and the at least two CE devices have public network IP addresses. Fig. 7 shows a possible structural diagram of the VPN management apparatus involved in the above embodiment; as shown in Fig. 7, the VPN management apparatus can include a receiving module 30, a determining module 31 and a sending module 32.
The receiving module 30 is configured to receive a VPN build request, the VPN build request including a VPN demand. The determining module 31 is configured to determine, according to the VPN demand, the target CE devices for building the first VPN from the at least two CE devices. The sending module 32 is configured to send a tunnel build message to the target CE devices according to the VPN demand, so that tunnel communication is established between the target CE devices and the first VPN is built.
Optionally, the sending module 32 is further configured to send routing configuration information to the target CE devices, the routing configuration information including static routing information or a dynamic routing protocol, the dynamic routing protocol being used by the target CE devices to obtain dynamic routing information.
Optionally, the sending module 32 is further configured to send policy information to at least one target CE device, the policy information including at least one of access policy information, bandwidth policy information and QoS policy information.
Optionally, the receiving module 30 is further configured to receive the network traffic reported by at least one target CE device, in order to monitor the network traffic of the first VPN, the network traffic including the uplink traffic and the downlink traffic of the at least one target CE device; the receiving module 30 is further configured to receive the link exception notification message sent by at least one target CE device.
Optionally, as shown in Fig. 7, the VPN management apparatus provided in an embodiment of the present invention further includes an update module 33. The update module 33 is configured to update the routing configuration information according to the link exception notification message received by the receiving module 30.
The sending module 32 is further configured to send the routing configuration information updated by the update module 33 to the at least one target CE device.
The VPN management apparatus shown in Fig. 7 can be applied to the centralized management device. The centralized management device can include a processor and a memory, the memory storing a computer program that can run on the memory and on the centralized management device; when the computer program is executed by the centralized management device, the actions of the centralized management device in the above VPN management method embodiment can be realized, with the same technical effect; to avoid repetition, this is not described again here.
The embodiment of the present invention also provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, the actions of the centralized management device in the above VPN management method embodiment can be realized, with the same technical effect; to avoid repetition, this is not described again here. The computer-readable storage medium is, for example, a ROM, a RAM, a magnetic disk or an optical disc.
The embodiment of the present invention also provides another VPN management apparatus, applied to a target CE device for building the first VPN among the at least two CE devices included in a VPN management system. The VPN management system further includes a centralized management device, at least two PE devices and a P device; the at least two PE devices are each connected to the P device and form the backbone network; each CE device among the at least two CE devices is connected to a corresponding PE device among the at least two PE devices; the bandwidth required by at least one VPN is configured on the at least two PE devices, and the at least two CE devices have public network IP addresses. Fig. 8 shows another possible structural diagram of the VPN management apparatus involved in the above embodiment; as shown in Fig. 8, the VPN management apparatus can include a receiving module 40 and a building module 41.
The receiving module 40 is configured to receive the tunnel build message sent by the centralized management device. The building module 41 is configured to establish tunnel communication with the other CE devices among the target CE devices, to build the first VPN.
Optionally, the receiving module 40 is further configured to receive the routing configuration information sent by the centralized management device, the routing configuration information including static routing information or a dynamic routing protocol, the dynamic routing protocol being used by the target CE device in which the VPN management apparatus resides to obtain dynamic routing information.
Optionally, the receiving module 40 is further configured to receive the policy information sent by the centralized management device, the policy information being used by the target CE device in which the VPN management apparatus resides to adjust the policy of the first VPN, and including at least one of access policy information, bandwidth policy information and QoS policy information.
Optionally, as shown in Fig. 8, the VPN management apparatus provided in an embodiment of the present invention further includes a sending module 42. The sending module 42 is configured to report the network traffic of the target CE device in which the VPN management apparatus resides to the centralized management device; the sending module 42 is further configured to send a link exception notification message to the centralized management device when the link between the target CE device in which the VPN management apparatus resides and another CE device among the target CE devices becomes abnormal.
The VPN management apparatus shown in Fig. 8 can be applied to the target CE device in which the VPN management apparatus resides (such as the first CE device in the above embodiments). The first CE device includes a processor and a memory, the memory storing a computer program that can run on the processor; when the computer program is executed by the processor, the actions of the first CE device in the above VPN management method embodiment can be realized, with the same technical effect; to avoid repetition, this is not described again here.
The embodiment of the present invention also provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, the actions of the first CE device in the above VPN management method embodiment can be realized, with the same technical effect; to avoid repetition, this is not described again here. The computer-readable storage medium is, for example, a ROM, a RAM, a magnetic disk or an optical disc.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical memory, and the like) containing computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the method, the device (system), and the computer program product according to the embodiments. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The foregoing is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or substitution that can be readily conceived by those skilled in the art within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (15)

  1. A virtual private network (VPN) management method, characterized in that it is applied to a centralized management device included in a VPN management system; the VPN management system further includes at least two customer edge (CE) devices, at least two provider edge (PE) devices and one provider (P) device; the at least two PE devices are each connected to the P device to form a backbone network; a CE device among the at least two CE devices is connected to a corresponding PE device among the at least two PE devices; the bandwidth required by at least one VPN is configured on the at least two PE devices; and the at least two CE devices have public network Internet Protocol (IP) addresses; the method comprising:
    receiving a VPN build request, the VPN build request including VPN requirements;
    determining, according to the VPN requirements, target CE devices for building a first VPN from among the at least two CE devices;
    sending a tunnel build message to the target CE devices according to the VPN requirements, so that tunnel communication is established between the target CE devices and the first VPN is built.
  2. The method according to claim 1, characterized in that the method further comprises:
    sending routing configuration information to the target CE devices, the routing configuration information including static routing information or a dynamic routing protocol, the dynamic routing protocol being used by the target CE devices to obtain dynamic routing information.
  3. The method according to claim 1 or 2, characterized in that the method further comprises at least one of the following:
    sending policy information to at least one target CE device, the policy information including at least one of access policy information, bandwidth policy information and quality of service (QoS) policy information;
    receiving network traffic reported by at least one target CE device in order to monitor the network traffic of the first VPN, the network traffic including the uplink traffic and downlink traffic of the at least one target CE device;
    receiving a link exception notification message sent by at least one target CE device, updating the routing configuration information according to the link exception notification message, and sending the updated routing configuration information to the at least one target CE device.
  4. A VPN management method, characterized in that it is applied to a target CE device, among at least two CE devices included in a VPN management system, that builds a first VPN; the VPN management system further includes a centralized management device, at least two provider edge (PE) devices and one provider (P) device; the at least two PE devices are each connected to the P device to form a backbone network; a CE device among the at least two CE devices is connected to a corresponding PE device among the at least two PE devices; the bandwidth required by at least one VPN is configured on the at least two PE devices; and the at least two CE devices have public network Internet Protocol (IP) addresses; the method comprising:
    a first CE device receiving a tunnel build message sent by the centralized management device, the first CE device being one of the target CE devices;
    establishing tunnel communication with the other CE devices among the target CE devices, to build the first VPN.
  5. The method according to claim 4, characterized in that the method further comprises:
    receiving routing configuration information sent by the centralized management device, the routing configuration information including static routing information or a dynamic routing protocol, the dynamic routing protocol being used by the first CE device to obtain dynamic routing information.
  6. The method according to claim 4 or 5, characterized in that the method further comprises at least one of the following:
    receiving policy information sent by the centralized management device, the policy information being used by the first CE device to adjust the policy of the first VPN, the policy information including at least one of access policy information, bandwidth policy information and QoS policy information;
    reporting the network traffic of the first CE device to the centralized management device;
    when the link between the first CE device and another CE device among the target CE devices is abnormal, sending a link exception notification message to the centralized management device.
  7. A VPN management apparatus, characterized in that it is applied to a centralized management device included in a VPN management system; the VPN management system further includes at least two CE devices, at least two PE devices and one P device; the at least two PE devices are each connected to the P device to form a backbone network; a CE device among the at least two CE devices is connected to a corresponding PE device among the at least two PE devices; the bandwidth required by at least one VPN is configured on the at least two PE devices; and the at least two CE devices have public network IP addresses; the VPN management apparatus comprising:
    a receiving module, configured to receive a VPN build request, the VPN build request including VPN requirements;
    a determining module, configured to determine, according to the VPN requirements, target CE devices for building a first VPN from among the at least two CE devices;
    a sending module, configured to send a tunnel build message to the target CE devices according to the VPN requirements, so that tunnel communication is established between the target CE devices and the first VPN is built.
  8. The VPN management apparatus according to claim 7, characterized in that the sending module is further configured to send routing configuration information to the target CE devices, the routing configuration information including static routing information or a dynamic routing protocol, the dynamic routing protocol being used by the target CE devices to obtain dynamic routing information.
  9. The VPN management apparatus according to claim 7 or 8, characterized in that the VPN management apparatus further includes an update module;
    the sending module is further configured to send policy information to at least one target CE device, the policy information including at least one of access policy information, bandwidth policy information and QoS policy information;
    the receiving module is further configured to receive network traffic reported by at least one target CE device in order to monitor the network traffic of the first VPN, the network traffic including the uplink traffic and downlink traffic of the at least one target CE device;
    the receiving module is further configured to receive a link exception notification message sent by at least one target CE device;
    the update module is configured to update the routing configuration information according to the link exception notification message;
    the sending module is further configured to send the updated routing configuration information to the at least one target CE device.
  10. A VPN management apparatus, characterized in that it is applied to a target CE device, among at least two CE devices included in a VPN management system, that builds a first VPN; the VPN management system further includes a centralized management device, at least two PE devices and one P device; the at least two PE devices are each connected to the P device to form a backbone network; a CE device among the at least two CE devices is connected to a corresponding PE device among the at least two PE devices; the bandwidth required by at least one VPN is configured on the at least two PE devices; and the at least two CE devices have public network IP addresses; the VPN management apparatus comprising:
    a receiving module, configured to receive a tunnel build message sent by the centralized management device;
    a building module, configured to establish tunnel communication with the other CE devices among the target CE devices, to build the first VPN.
  11. The VPN management apparatus according to claim 10, characterized in that the receiving module is further configured to receive routing configuration information sent by the centralized management device, the routing configuration information including static routing information or a dynamic routing protocol, the dynamic routing protocol being used by the target CE device on which the VPN management apparatus resides to obtain dynamic routing information.
  12. The VPN management apparatus according to claim 10 or 11, characterized in that the VPN management apparatus further includes a sending module;
    the receiving module is further configured to receive policy information sent by the centralized management device, the policy information being used by the target CE device on which the VPN management apparatus resides to adjust the policy of the first VPN, the policy information including at least one of access policy information, bandwidth policy information and QoS policy information;
    the sending module is configured to report the network traffic of the target CE device on which the VPN management apparatus resides to the centralized management device;
    the sending module is further configured to send a link exception notification message to the centralized management device when the link between the target CE device on which the VPN management apparatus resides and another CE device among the target CE devices is abnormal.
  13. A VPN management system, characterized in that it includes a centralized management device, at least two CE devices, at least two PE devices and one P device; the centralized management device includes the VPN management apparatus according to any one of claims 7 to 9; the target CE devices among the at least two CE devices that are used to build the first VPN include the VPN management apparatus according to any one of claims 10 to 12; the at least two PE devices are each connected to the P device to form a backbone network; a CE device among the at least two CE devices is connected to a corresponding PE device among the at least two PE devices; the bandwidth required by at least one VPN is configured on the at least two PE devices; and the at least two CE devices have public network IP addresses.
  14. A computer-readable storage medium, characterized in that it includes computer instructions which, when run on a centralized management device, cause the centralized management device to perform the VPN management method according to any one of claims 1 to 3.
  15. A computer-readable storage medium, characterized in that it includes computer instructions which, when run on a CE device, cause the CE device to perform the VPN management method according to any one of claims 4 to 6.
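The control-plane exchange that claims 1 to 6 describe, written out as an added example that is not code from the patent or from Ruijie Networks: a centralized management device receives a VPN build request, selects the target CE devices, sends them tunnel build, routing and policy messages, and on a link exception notification recomputes and re-pushes the routing configuration; each CE builds tunnels to the other target CEs and reports the exception. The message names and fields, the selection of target CEs from a site list in the request, the one-hop relay used to recompute static routes, and the HMAC authentication of controller messages are this example's assumptions; the claims specify none of them.

```python
import hashlib
import hmac
import json

# Constructed pre-shared keys. The claims give the CEs public IP addresses and have them
# accept tunnel-build and routing messages from the controller, but do not say how those
# messages are authenticated; the HMAC below is this example's assumption.
SHARED_KEYS = {"CE1": b"key-ce1", "CE2": b"key-ce2", "CE3": b"key-ce3"}


def sign(key, msg):
    body = json.dumps(msg, sort_keys=True).encode()
    return {"body": msg, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key, signed):
    expected = sign(key, signed["body"])["mac"]
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("control message failed authentication")
    return signed["body"]


class CE:
    """Target CE side of the exchange (claims 4 to 6)."""

    def __init__(self, name, public_ip, prefix):
        self.name, self.public_ip, self.prefix = name, public_ip, prefix
        self.tunnels, self.routes, self.policy = {}, {}, {}

    def receive(self, signed):
        msg = verify(SHARED_KEYS[self.name], signed)
        if msg["type"] == "TUNNEL_BUILD":       # claim 4: tunnel to every other target CE
            self.tunnels = {p: {"remote_ip": ip, "state": "up"}
                            for p, ip in msg["peers"].items() if p != self.name}
        elif msg["type"] == "ROUTE_CONFIG":     # claim 5: static routing information
            self.routes = dict(msg["routes"])
        elif msg["type"] == "POLICY":           # claim 6: access/bandwidth/QoS policy
            self.policy.update(msg["policy"])
        return msg["type"]

    def link_down(self, peer):                  # claim 6: link exception notification
        self.tunnels[peer]["state"] = "down"
        return {"type": "LINK_EXCEPTION", "ce": self.name, "peer": peer}


class Controller:
    """Centralized management device side of the exchange (claims 1 to 3)."""

    def __init__(self, ces):
        self.ces = {ce.name: ce for ce in ces}
        self.vpns, self.down_links, self.traffic_log = {}, set(), []

    def _send(self, ce_name, msg):
        return self.ces[ce_name].receive(sign(SHARED_KEYS[ce_name], msg))

    def _up(self, a, b):
        return frozenset((a, b)) not in self.down_links

    def build_vpn(self, request):
        # Claim 1: choose the target CEs from the VPN demands. Unknown sites are rejected,
        # not skipped, so a malformed request cannot quietly build a smaller VPN.
        unknown = [s for s in request["sites"] if s not in self.ces]
        if unknown or len(request["sites"]) < 2:
            raise ValueError(f"invalid VPN demand, unknown sites: {unknown}")
        targets = list(request["sites"])
        self.vpns[request["vpn_id"]] = targets
        peers = {n: self.ces[n].public_ip for n in targets}
        for n in targets:
            self._send(n, {"type": "TUNNEL_BUILD", "vpn_id": request["vpn_id"], "peers": peers})
            self._send(n, {"type": "POLICY", "policy": {"bandwidth_mbps": request["bandwidth_mbps"]}})
        self.push_routes(request["vpn_id"])
        return targets

    def push_routes(self, vpn_id):
        # Claim 2: static routes. A remote prefix is reached over the direct tunnel when that
        # link is up, otherwise via one relay CE whose links to both ends are still up.
        targets = self.vpns[vpn_id]
        for n in targets:
            routes = {}
            for m in (t for t in targets if t != n):
                if self._up(n, m):
                    routes[self.ces[m].prefix] = m
                else:
                    relay = next((r for r in targets if r not in (n, m)
                                  and self._up(n, r) and self._up(r, m)), None)
                    if relay:
                        routes[self.ces[m].prefix] = relay
            self._send(n, {"type": "ROUTE_CONFIG", "routes": routes})

    def handle(self, vpn_id, msg):
        # Claim 3: collect traffic reports; on a link exception recompute and re-push routes.
        if msg["type"] == "TRAFFIC":
            self.traffic_log.append(msg)
        elif msg["type"] == "LINK_EXCEPTION":
            self.down_links.add(frozenset((msg["ce"], msg["peer"])))
            self.push_routes(vpn_id)


def demo():
    ces = [CE("CE1", "203.0.113.1", "10.1.0.0/24"), CE("CE2", "203.0.113.2", "10.2.0.0/24"),
           CE("CE3", "203.0.113.3", "10.3.0.0/24")]
    ctl = Controller(ces)
    ctl.build_vpn({"vpn_id": "vpn-a", "sites": ["CE1", "CE2", "CE3"], "bandwidth_mbps": 50})
    before = dict(ces[0].routes)
    ctl.handle("vpn-a", ces[0].link_down("CE2"))
    return before, dict(ces[0].routes)
```

demo() builds a three-site VPN and then fails the CE1 to CE2 link: before the failure CE1 reaches 10.2.0.0/24 directly over its tunnel to CE2, afterwards via CE3. The claims do not say how a CE decides that a tunnel build or routing message really came from the centralized management device; in this example the HMAC check in verify is what rejects a message whose body has been altered in transit, so that is the piece a real deployment has to fill in with whatever authenticated channel it uses.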

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711267327.5A CN108011759B (en) 2017-12-05 2017-12-05 VPN management method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711267327.5A CN108011759B (en) 2017-12-05 2017-12-05 VPN management method, device and system

Publications (2)

Publication Number Publication Date
CN108011759A true CN108011759A (en) 2018-05-08
CN108011759B CN108011759B (en) 2021-06-18

Family

ID=62056366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711267327.5A Active CN108011759B (en) 2017-12-05 2017-12-05 VPN management method, device and system

Country Status (1)

Country Link
CN (1) CN108011759B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101052022A (en) * 2006-04-05 2007-10-10 华为技术有限公司 System and method for virtual special net user to access public net
CN103684958A (en) * 2012-09-14 2014-03-26 中国电信股份有限公司 Method and system for providing flexible VPN (virtual private network) service and VPN service center
CN104219147A (en) * 2013-06-05 2014-12-17 中兴通讯股份有限公司 Implementation method and device of VPN (virtual private network) for edge equipment
CN106487695A (en) * 2015-08-25 2017-03-08 华为技术有限公司 A kind of data transmission method, virtual network managing device and data transmission system
CN106936714A (en) * 2015-12-31 2017-07-07 华为技术有限公司 The processing method and PE equipment and system of a kind of VPN
CN107222449A (en) * 2016-03-21 2017-09-29 华为技术有限公司 Communication means, equipment and system based on the regular agreement of stream
CN107294849A (en) * 2016-04-13 2017-10-24 中兴通讯股份有限公司 Method, device and system for establishing service path

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495367A (en) * 2018-12-06 2019-03-19 安徽云探索网络科技有限公司 Based on VPN route management system and method
CN109660439A (en) * 2018-12-14 2019-04-19 深圳市信锐网科技术有限公司 A kind of terminal mutual visit management system and method
CN110351308A (en) * 2019-08-20 2019-10-18 北京天融信网络安全技术有限公司 A kind of Virtual Private Network communication means and Virtual Private Network equipment
CN110351308B (en) * 2019-08-20 2021-12-31 北京天融信网络安全技术有限公司 Virtual private network communication method and virtual private network device
CN110912878A (en) * 2019-11-13 2020-03-24 南京理工大学 VPN-based information management system network security protection method and system
CN110912878B (en) * 2019-11-13 2022-04-01 南京理工大学 VPN-based information management system network security protection method and system
WO2021249432A1 (en) * 2020-06-11 2021-12-16 中国移动通信有限公司研究院 Network automation orchestration management method, entity, controller and electronic device
CN113810206A (en) * 2020-06-11 2021-12-17 中国移动通信有限公司研究院 Network automation arrangement management method, entity, controller and electronic equipment
CN113810206B (en) * 2020-06-11 2023-01-13 中国移动通信有限公司研究院 Network automation arrangement management method, entity, controller and electronic equipment
CN114513435A (en) * 2022-01-14 2022-05-17 深信服科技股份有限公司 Method for detecting VPN tunnel, electronic device and storage medium

Also Published As

Publication number Publication date
CN108011759B (en) 2021-06-18

Similar Documents

Publication Publication Date Title
US11870691B2 (en) Intelligent wide area network (IWAN)
US10742556B2 (en) Tactical traffic engineering based on segment routing policies
US11949568B1 (en) Wan link selection for SD-WAN services
CN108011759A (en) A kind of VPN management methods, apparatus and system
CN107852365B (en) Method and apparatus for dynamic VPN policy model
US9705775B2 (en) Passive performance measurement for inline service chaining
US9838286B2 (en) Passive performance measurement for inline service chaining
CN104539443B (en) Communication network path and status information in more place networks
US10148459B2 (en) Network service insertion
US10243827B2 (en) Techniques to use a network service header to monitor quality of service
WO2016162833A1 (en) Method and system for traffic pattern generation in a software-defined networking (sdn) system
TW201728124A (en) Flexibly defined communication network controller based control, operations and management of networks
US11870641B2 (en) Enabling enterprise segmentation with 5G slices in a service provider network
US11902097B2 (en) Adaptive location-based SD-WAN policies
US7733788B1 (en) Computer network control plane tampering monitor
US9923773B2 (en) Dynamic, broker-based virtual service platform (VSP) engagement for computer networks
CN103534985A (en) Service load allocating method, apparatus and communication system
CN115811494A (en) Automatic application-based multi-path routing for SD-WAN services
Moser Performance Analysis of an SD-WAN Infrastructure Implemented Using Cisco System Technologies
Daba Quality of Service Comparison of Seamless Multi-Protocol Level Switching and Multi-Protocol Level Switching Networks
CN108462635A (en) A kind of communication network path in more place networks and status information
Argyropoulos et al. Deliverable D13.1 (DJ2.1.1) Specialised Applications' Support Utilising OpenFlow/SDN
Gondal et al. Traffic Engineering QoS and MP-BGP VPNs in MPLS Networks
Headquarters Cross-Platform Release Notes for Cisco IOS Release 12.0 S

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant