JP5670279B2 - Virtual network control device, virtual network control method, virtual network control system, and program - Google Patents

Description

  The present invention relates to a technology for relaying traffic transmitted and received between a user terminal and a predetermined device using a predetermined device, and particularly to a technology for relaying traffic using a virtual network.

  Conventionally, a method of performing quarantine and traffic monitoring by relaying traffic of a user terminal is known. As such a method, for example, a proxy device is installed on a communication path in a network on the DC (data center) side to monitor or censor packets, or to copy a packet copied by a mirror port of a switch in the network. There is a method in which a monitoring device or the like acquires and performs packet monitoring or censoring. These devices are provided at a fixed point on a specific LAN, for example, and monitor received traffic.

JP 2010-200032 A

  However, due to the distributed arrangement of servers due to the progress of cloud computing and the improvement of portability of terminals, the communication destinations and networks to communicate are diversifying, and the traffic relay monitoring device provided at a fixed point on a specific LAN as in the past Etc., it is becoming difficult to monitor the traffic of individual user terminals. That is, in such a distributed environment, there is a problem that it is difficult to acquire information necessary for maintenance or the like simply by installing a device that acquires traffic information on a route in a specific network.

  It has been possible in the past to monitor the amount of traffic in a server that aggregates overlay networks. However, because specific client communication can be monitored only by a specific aggregation server, in a monitoring method that requires a special device, a special device is introduced in every aggregation server in order to monitor the communication of each client. There was a problem that it was necessary and this was unrealistic.

  The present invention has been made in view of the above points, and provides a technique for detouring a route of communication traffic between a user terminal and a communication target device so as to pass through a predetermined device that performs analysis, monitoring, and the like. The purpose is to do.

  In order to solve the above-described problem, the present invention provides a virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device. Storage means for storing the location information of the termination device, an instruction to establish a tunnel between the predetermined tunnel connection device and the predetermined tunnel termination device indicated by the location information, and transmission / reception by the predetermined tunnel connection device And an instruction notification means for notifying the predetermined tunnel connection device of a detour instruction including identification information for identifying data to be detoured to the predetermined tunnel termination device. Configured as a virtual network control device.

  The bypass instruction may be configured to include an instruction to replace an address attached to data with a virtual address when performing data encapsulation in the predetermined tunnel connection device. The predetermined tunnel termination device may be a tunnel termination device that bridges communication of the predetermined tunnel connection device.

  For example, a monitoring device is connected to the predetermined tunnel termination device. In this case, the predetermined tunnel termination device decapsulates the encapsulated data received in the tunnel, and the decapsulated data is received. Transmit to the monitoring device.

  In addition, the detour instruction may be notified through the tunnel in a state where the predetermined tunnel connection device has previously established a tunnel with a tunnel terminal device other than the predetermined tunnel terminal device.

  In addition, when a virtual network has already been established by a plurality of tunnel connection devices using the tunnel termination device as a hub, the bypass instruction may be notified to the plurality of tunnel connection devices.

  The present invention also relates to a virtual network control method executed by a virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device, the predetermined tunnel Storing the location information of the termination device in the storage means, an instruction for establishing a tunnel between the predetermined tunnel connection device and the predetermined tunnel termination device indicated by the location information, and the predetermined tunnel connection device And a step of notifying the predetermined tunnel connection device of a detour instruction including identification information for identifying data to be detoured by the predetermined tunnel termination device among data transmitted and received by the virtual network. It can also be configured as a control method.

  The present invention also provides a virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device, and a predetermined tunnel termination device to which a monitoring device is connected. A virtual network control system comprising: storage means for storing position information of the predetermined tunnel termination device; a predetermined tunnel connection device; and the predetermined tunnel indicated by the position information. A detour instruction including an instruction to establish a tunnel with an end device and identification information for identifying data to be detoured by the predetermined tunnel end device among data transmitted and received by the predetermined tunnel connection device; Instruction notifying means for notifying the tunnel connection device of the predetermined tunnel termination device, Decapsulates the encapsulated data received in tunnels, it is also possible to configure the decapsulated data as a virtual network control system and transmits to the monitoring apparatus.

  The present invention can also be configured as a program for causing a computer to function as each means of the virtual network control device.

  ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to provide the technique of detouring the path | route of the communication traffic between a user terminal and a communication object apparatus so that it may pass along the predetermined | prescribed apparatus which performs analysis, monitoring, etc.

1 is an overall configuration diagram of a virtual network system 1. FIG. 2 is a functional configuration diagram of a virtual network control device 10. FIG. 3 is a functional configuration diagram of a tunnel connection device 20. FIG. FIG. 6 is a diagram showing another form of the tunnel connection device 20. 3 is a functional configuration diagram of a tunnel termination device 30. FIG. It is a sequence diagram for demonstrating the example of a process sequence until a virtual network is constructed | assembled. It is a figure which shows the example of the virtual network containing several tunnel connection apparatuses. It is a sequence diagram for demonstrating the process sequence in the case of changing a structure after a virtual network is constructed. It is a figure which shows the example of communication from the user terminal in L3 mode to a server. It is a figure which shows the example of a process which selects the flame | frame addressed to a virtual IP address. It is a figure which shows the example of communication from the server in L3 mode to a user terminal. It is a figure which shows the system configuration example which concerns on embodiment. It is a figure which shows the state before the traffic acquisition in the operation example 1. FIG. It is a figure for demonstrating the structure change instruction | indication transmission in the operation example 1. FIG. It is a figure for demonstrating tunnel connection establishment with the tunnel termination | terminus apparatus 301 in the operation example 1. FIG. It is a figure which shows acquisition and transmission / reception of the packet in the operation example 1. FIG. It is a figure which shows the state before the traffic acquisition in the operation example 2. FIG. It is a figure for demonstrating the structure change instruction | indication transmission in the operation example 2. FIG. It is a figure for demonstrating tunnel connection establishment with the tunnel termination | terminus apparatus 301 in the operation example 2. FIG. It is a figure which shows the relay to the relay in the example 2 of operation, and the output to the monitoring apparatus.

  Embodiments of the present invention will be described below with reference to the drawings. The embodiment described below is only an example, and the embodiment to which the present invention is applied is not limited to the following embodiment.

<Virtual network system>
First, the basic configuration and function of the virtual network system used in the embodiment of the present invention will be described.

(System configuration)
FIG. 1 shows a basic configuration diagram of the virtual network system 1. As shown in FIG. 1, the virtual network system 1 is configured by connecting a virtual network control device 10, a tunnel connection device 20, and a tunnel termination device 30 to an IP network 40 (for example, the Internet). In the example illustrated in FIG. 1, a user terminal 50 (client device) is connected to the tunnel connection device 20. The tunnel termination device 30 is connected to a server, other user terminals, and the like. In FIG. 1, one tunnel termination device 30 and one tunnel connection device 20 are shown as representatives, but a plurality of devices may actually exist. In addition, since a virtual network is configured by constructing a tunnel between the tunnel connection device 20 and the tunnel termination device 30, a system including the tunnel connection device 20 and the tunnel termination device 30 may be referred to as a virtual network system. Good.

  The virtual network control device 10 is a device for instructing the tunnel connection device 20 and the tunnel termination device 30 to construct / change a virtual network. The tunnel connection device 20 is a device that performs a tunnel connection with the tunnel termination device 30. The tunnel termination device 30 is a device that terminates a tunnel between one or a plurality of tunnel connection devices 20. A virtual network is formed between tunnel connection devices connected to the same tunnel termination device 30. Hereinafter, each device will be described in more detail.

  FIG. 2 shows a functional configuration diagram of the virtual network control device 10. As shown in FIG. 2, the virtual network control device 10 includes a virtual network construction / change instruction receiving unit 11, a configuration information storage unit 12, a device communication unit 13, a location information registration unit 14, a location information storage unit 15, and an instruction notification. Part 16.

  The virtual network construction / change instruction receiving unit 11 receives, for example, instructions related to virtual network construction or modification from an external device (for example, a web browser terminal, an NW monitoring system, etc.) connected to the virtual network control device 10 through a network. A function of storing virtual network configuration information in the configuration information storage unit 12 based on the instruction is provided. The virtual network configuration information stored in the configuration information storage unit 12 includes, for example, information indicating which tunnel connection device and which tunnel termination device are connected by which protocol type. That is, the configuration information storage unit 12 stores, as configuration information, for example, a table that associates identification information of tunnel connection devices, identification information of tunnel termination devices, and protocol types. It also holds information necessary as setting information for each device to be described later.

  The device communication unit 13 is a functional unit for communicating with the tunnel connection device 20 and the tunnel termination device 30.

  The location information registration unit 14 receives a location registration request including identification information and location information (for example, the current IP address of the tunnel termination device 30) of the tunnel termination device 30 from the tunnel termination device 30, and The position information of the device 30 is stored in the position information storage unit 15. The identification information is information that can identify the tunnel termination device 30 regardless of the position of the tunnel termination device 30.

  The location information storage unit 15 stores (registers) the identification information of each tunnel termination device 30 in advance, and the location information registration unit 14 has already received the identification information received from the tunnel termination device 30 in the location information storage unit 15. After confirming that the information is stored, the position information is stored in the position information storage unit 15 in association with the identification information. The location information registration unit 14 may similarly register location information for the tunnel connection device 20. For example, when the position information of the tunnel termination device 30 is substantially fixed, the system administrator may register the position information of the tunnel termination device 30.

  Based on the configuration information stored in the configuration information storage unit 12, the instruction notification unit 16 sends a tunnel connection request to the tunnel connection device 20 configuring the virtual network related to the configuration information in response to a request from the tunnel connection device 20. This is a functional unit that notifies the setting information for the connection, and transmits setting information such as identification information and protocol type of the tunnel connection device coming to the connection to the tunnel termination device 30 configuring the virtual network related to the configuration information. The instruction notification unit 16 also has a function of transmitting a virtual network configuration change instruction to the tunnel termination device 30.

  In this embodiment, a functional unit for receiving an instruction from the outside and a functional unit for issuing an instruction to the device are provided in the same device, but these are realized as separate modules (separate devices). Also good.

  The virtual network control device 10 according to the present embodiment (the same applies to a virtual network control device 104 described later) is for realizing the functions of the functional units of the virtual network control device 10 in a computer including a CPU, a storage device, and the like. This can be realized by executing the program. The program may be installed in a computer from a recording medium such as a portable memory, or may be downloaded from a server on the network.

  FIG. 3 shows a functional configuration diagram of the tunnel connection device 20. FIG. 3 shows an example in which the tunnel connection device 20 and the user terminal 50 are separate devices and are connected to the network as an example.

  As illustrated in FIG. 3, the tunnel connection device 20 includes a virtual network control device communication unit 21, a setting unit 23, a data storage unit 24, and a tunnel connection communication unit 25. The tunnel connection communication unit 25 includes a tunnel construction unit 251 and a protocol processing unit 252.

  The virtual network control device communication unit 21 is a functional unit for performing communication with the virtual network control device 10.

  The setting unit 23 transmits a tunnel setting information request to the virtual network control device 10 when the tunnel connection device 20 is activated (when the power of the tunnel connection device 20 is turned on). It is a functional unit that receives the requested tunnel setting information and performs settings for tunnel communication based on the received tunnel setting information. Further, the setting unit 23 may have a function of transmitting a tunnel setting information request to the virtual network control device 10 at a time based on a predetermined rule. For example, the setting unit 23 may include a timer and transmit a tunnel setting information request at a predetermined time interval (for example, at the same time every day), or if there is no update by making an inquiry with the tunnel setting information request The tunnel setting information request may be transmitted by gradually increasing the time interval. The time based on a predetermined rule is not limited to these, and a time based on another rule may be adopted. These rules are set in advance in the tunnel connection device 20.

  The virtual network control device communication unit 21 is preset with address information of the virtual network control device 10. Also, the setting unit 23 receives a setting change instruction from the tunnel termination device 30 via the tunnel (via the protocol processing unit 251) and performs setting according to the setting information included in the setting change instruction, or in accordance with the setting change instruction, the virtual network A function of acquiring setting information from the control device 10 is also provided.

  The tunnel setting information includes position information (address) of the tunnel termination device 30 that is a connection destination of the tunnel, parameter values such as secret information (initial shared key, etc.) necessary for generating the tunnel, and protocol type that constitutes the tunnel (L2, L3, L4, etc. described later). In addition to these, the type of encryption, tunnel QoS information, and the like may be included.

  Further, “perform setting for tunnel connection based on tunnel setting information” means performing setting for realizing a tunnel instructed by the setting information. For example, a tunnel program corresponding to the instructed protocol type (assuming that the program is stored in the data storage unit 24 for each type, corresponding to the protocol processing unit 252) and tunnel connection is started. The destination address and parameter value are stored in the data storage unit 24 so that the tunnel construction unit 251 and the like can refer to them. This is only an example.

  The data storage unit 24 stores a program for each tunnel in association with each protocol type, and stores a tunnel connection destination and parameter values included in the tunnel setting information.

  As described above, in addition to starting a program corresponding to the protocol processing unit 252 as a module for each protocol type (this also corresponds to switching the function according to setting information), it has a function of a plurality of protocol types. A program (protocol processing unit 252) may be activated to switch functions according to setting information. Further, a hardware circuit for protocol processing may be provided for each protocol type, and the circuit may be switched according to setting information.

  The tunnel construction unit 251 in the tunnel connection communication unit 25 reads the tunnel connection destination position information and the parameter value from the data storage unit 16 and transmits a tunnel connection request to the tunnel termination device 30 that is the connection destination. Performs processing to establish a tunnel with the end device. The protocol processing unit 252 is a functional unit that performs protocol processing for tunnel communication such as encapsulation / decapsulation and encryption / decryption of data transmitted and received by the user terminal 50. Establishing a tunnel means setting information for performing encapsulation / decapsulation and encryption / decryption in packet communication with a tunnel connection destination.

  The tunnel connection device 20 also has a function of allowing packets to pass through without performing special processing when the user terminal 50 communicates with a communication target server or the like without going through a tunnel.

  The tunnel connection device 20 can be realized by causing a computer (including a communication device having a configuration including a CPU, a memory, and the like) to execute programs corresponding to the tunnel connection communication unit 25 and the setting unit 23.

  The program may be installed in a computer from a recording medium such as a portable memory, or may be downloaded from a server on the network.

  Although FIG. 3 shows a configuration in which the user terminal 50 and the tunnel connection device 20 are connected, this is only an example. As shown in FIG. 4, the user terminal 50 may have a function of the tunnel connection device 20 as a driver. In this case, the user terminal 50 may be called a tunnel connection device.

  In the present embodiment, it is assumed that tunnel connection device 20 shown in FIG. 3 is a device that can be carried to a desired place by a user. In addition, the user terminal 50 at this time may be a general camera terminal or the like, a Web camera, a home appliance, or the like.

  FIG. 5 shows a functional configuration diagram of the tunnel termination device 30.

  As shown in FIG. 5, the tunnel termination device 30 includes a virtual network control device communication unit 31, a registration request unit 32, a setting unit 33, a virtual network configuration change control unit 34, a data storage unit 35, and a tunnel termination communication unit 36. Have. The tunnel termination communication unit 36 includes a tunnel construction unit 361 and a protocol processing unit 362.

  The virtual network control device communication unit 31 is a functional unit for performing communication with the virtual network control device 10.

  The registration request unit 32 is a functional unit that transmits a location registration request to the virtual network control device 10 when the tunnel termination device 30 is activated or connected to the network. In response to this location registration request, location registration is performed in the virtual network control device 10. If the tunnel termination device 30 is not automatically registered, the registration request unit 32 may not be provided. Also, the tunnel connection device 20 may include a registration request unit similar to the tunnel termination device 30 to perform location registration.

  The setting unit 33 is a functional unit that receives tunnel connection information (setting information) from the virtual network control device 10 and performs settings for tunnel connection based on the received tunnel connection information. The virtual network control device communication unit 31 is preset with address information of the virtual network control device 10.

  The tunnel connection information includes parameter values such as identification information (or location information) of the tunnel connection device 20 that is connected to the tunnel termination device 30, secret information (such as an initial shared key) necessary for generating a tunnel, Includes the protocol types (L2, L3, L4, etc., described later) that make up the tunnel. In addition to these, encryption type, tunnel QoS information, and the like may be included.

  Also, “perform setting for tunnel connection based on tunnel connection information” means setting for enabling connection of the instructed tunnel. For example, a tunnel program corresponding to the instructed protocol type (assuming that each type of program is stored in the data storage unit 35. corresponding to the protocol processing unit 362) is started and connected. The identification information (or position information) and parameter values of the incoming tunnel connection device are stored in the data storage unit 35 so that the tunnel construction unit 361 and the like can refer to them. This is only an example.

  In the data storage unit 35, a program for each tunnel is stored in association with each protocol type, and information and parameter values of tunnel connection devices coming to the connection are stored.

  As described above, in addition to starting a program corresponding to the protocol processing unit 362 as a module for each protocol type (this also corresponds to switching the function according to the setting information), it has a function of a plurality of protocol types. A program (protocol processing unit 362) may be activated to switch functions according to setting information. Further, a hardware circuit for protocol processing may be provided for each protocol type, and the circuit may be switched according to setting information.

  The tunnel construction unit 361 in the tunnel termination communication unit 36 reads the identification information (or location information) of the tunnel connection device and various parameter values from the data storage unit 35, and in response to receiving the tunnel connection request, The request source confirms that it is the notified tunnel connection device, and performs processing for establishing a tunnel with the tunnel connection device. Further, the protocol processing unit 362 performs processing for tunnel communication such as encapsulation / decapsulation of data to be transmitted / received.

  The tunnel termination communication unit 36 also has a function of creating a table of identification information (may be position information) of tunnel connection devices that are tunnel-connected and storing them in the data storage unit 35.

  The virtual network configuration change control unit 34 receives a virtual network configuration change instruction including new virtual network configuration information from the virtual network control device 10 in a state where the virtual network has already been constructed and tunnel communication is possible in the virtual network. This is a functional unit that transmits tunnel setting information and the like based on the configuration of the new virtual network to each tunnel connection device that is tunnel-connected through the already constructed tunnel. The virtual network configuration change instruction includes, for example, identification information (or location information) of a tunnel termination device and identification information (or location information) of a tunnel connection device connected to the tunnel termination device in the changed virtual network configuration. Table, protocol type, and other necessary parameter values.

  The virtual network configuration change control unit 34 compares the table included in the received virtual network configuration change instruction with the table of identification information (or location information) of the tunnel connection device that is currently establishing the tunnel, The tunnel connection device to which (setting information) should be sent is determined. For example, if a tunnel connection device that should be connected to a tunnel termination device other than itself is currently tunnel-connected due to a configuration change, it is determined that an instruction (setting information) should be sent to that tunnel termination device. The instruction to transmit includes the same setting information as when a new tunnel connection is made, and the tunnel connection apparatus that has received the setting performs setting according to the setting information. In addition to the processing described above, an instruction including identification information (or location information, etc.) of a tunnel connection device to which an instruction (setting information) should be sent via a tunnel is received as a configuration change instruction. An instruction may be sent to the connection device.

  Further, when changing the protocol type used by itself, the tunnel terminating device 30 activates the protocol processing function of the protocol according to the instruction, sets it, and waits for connection.

  Further, the instruction to transmit may be an instruction instructing the virtual network control apparatus 10 to send a tunnel setting information request instead of the setting information. Receiving this, the tunnel connection apparatus 20 receives the setting information from the virtual network control apparatus 10 and performs setting.

  The tunnel termination device 30 stores programs corresponding to the tunnel termination communication unit 36, the setting unit 33, the registration unit 32, and the virtual network configuration change control unit 34 on a computer (including a communication device having a configuration including a CPU, a memory, and the like). This can be realized by executing.

  The program may be installed in a computer from a recording medium such as a portable memory, or may be downloaded from a server on the network.

(System operation example)
Next, a basic operation example of the virtual network system 1 will be described. First, an example of a processing procedure from when the virtual network control device 10 receives a virtual network construction instruction from an external device to when a virtual network is constructed will be described with reference to the sequence diagram of FIG.

  First, when an administrator who manages a virtual network instructs virtual network construction from a user interface (such as a Web screen) of an external device (such as a Web browser terminal), the virtual network construction instruction (including virtual network configuration information) is issued. It is sent to the control device 10 (step 1).

  The virtual network construction / change instruction receiving unit 11 of the virtual network control apparatus 10 that has received the virtual network construction instruction stores the virtual network configuration information included in the virtual network construction instruction in the configuration information storage unit 12 (step 2).

  Based on the configuration information, the instruction notifying unit 16 of the virtual network control device 10 sends the identification information (or location information) of the tunnel connection device coming to the connection to the corresponding tunnel termination device 30, the protocol type, and various parameter values. Etc. (step 3). Note that the configuration instruction notification to the tunnel termination device 30 does not need to be at this timing, and may be at another timing. For example, it may be after notification of setting information to the tunnel connection device 20. The setting unit 33 that has received the information from the virtual network control device 10 stores and sets the information (step 4). In this example, it is assumed that the location information of the tunnel termination device 30 is registered in advance in the location information storage unit 15 together with the identification information when the tunnel termination device is installed.

  Here, when the tunnel connection device 20 is activated, the tunnel connection device 20 transmits a tunnel setting information request to the virtual network control device 10 (step 5). The tunnel setting information request includes identification information of the tunnel connection device 20.

  In the virtual network control device 10 that has received the tunnel setting information request, the instruction notification unit 16 reads the tunnel setting information corresponding to the tunnel connection device 20 from the configuration information storage unit 12 in response to the tunnel setting information request (step 6). Then, the data is transmitted to the tunnel connection device 20 (step 7).

  The tunnel connection device 20 that has received the tunnel setting information performs setting based on the setting information, and transmits a tunnel connection request to the tunnel termination device 30 by the tunnel construction unit 251 in the tunnel connection communication unit 25 (step 8). The tunnel connection device 20 and the tunnel termination device 30 each generate a tunnel (which may be called a virtual path) using information received from the virtual network control device 10 (step 9).

  Note that if necessary depending on the type of protocol used in the tunnel, the tunnel construction unit 362 in the tunnel termination communication unit 36 of the tunnel termination device 30 moves the location on the virtual network to the tunnel connection device 20 that is the transmission source of the tunnel connection request. Give out information. For example, in the case of the L3 mode described later, a virtual IP address (virtual address) is paid out as position information on the virtual network.

  Although the above example describes one tunnel connection device 20, there are generally a plurality of tunnel connection devices 20 connected to one tunnel termination device 30, and each tunnel connection device 20 is configured in the same manner. Build a tunnel.

  An example in which a plurality of tunnel connection devices 20 constructs a tunnel is shown in FIG. FIG. 7 shows a configuration in which the tunnel connection device 20 and the user terminal 50 are connected as a configuration on the terminal side, and a configuration in which the function of the tunnel connection device 20 is deployed in the user terminal 50.

  In the configuration shown in FIG. 7, after the tunnel is generated, the tunnel connection device 20 captures, for example, a packet transmitted by the user terminal 50, selects the packet according to the tunnel protocol, attaches a virtual header, and encapsulates and encrypts the packet. And transmit to the tunnel termination device 30 through the tunnel.

  When the tunnel termination device 30 receives a packet from the tunnel connection device 20 through the tunnel, the tunnel termination device 30 transfers the packet according to the header information of the packet. There are two transfer destinations: a server in the same network as the tunnel termination device 30 or a network that can be routed from the network, and the other tunnel connection device 20.

  When the tunnel termination device 30 transfers the packet to the server, the encapsulation is canceled, and when the packet is transferred to the tunnel connection device 20, the encapsulation is performed again for the tunnel connection device 20 after the release of the encapsulation. The tunnel connection device 20 cancels the encapsulation of the packet received from the tunnel termination device 30 and transfers the packet to the user terminal 50.

  The tunnel termination device 30 and the tunnel connection device 20 constitute a virtual network, and the server and the user terminal 50 are connected to this virtual network.

  Next, with reference to the sequence diagram of FIG. 8, a basic processing procedure in the case of changing the configuration after the virtual network is constructed will be described.

  When a tunneling connection between the tunnel termination device 30 and the tunnel connection device 20 is established and a virtual network is configured, and a virtual network configuration change instruction is given from an external device by a system administrator or the like, the virtual network configuration change The instruction is notified to the virtual network control device 10 (step 11). The virtual network configuration change instruction includes the changed virtual network configuration information.

  Then, the instruction notification unit 16 of the virtual network control apparatus 10 notifies the tunnel termination apparatus 30 of a virtual network configuration change instruction (Step 12). In addition, from the instruction notification unit 16 of the virtual network control device 10, a virtual network configuration change instruction (setting information) is also sent to another tunnel termination device according to the changed virtual network configuration.

  In the tunnel terminating device 30 that has received the virtual network configuration change instruction, the virtual network configuration change control unit 34 includes the tunnel connection device table included in the instructed configuration information, and the tunnel connection that is currently establishing the tunnel connection with itself. The device tables are compared, for example, by selecting a tunnel connection device that has established a tunnel connection from among the tunnel connection devices included in the configuration information, this is determined as a device to which a setting change instruction should be sent (step 13) An instruction is transmitted through the tunnel to the tunnel connection device 20 determined to be sent (step 14). As described above, instead of making such a determination, a tunnel connection apparatus that should send an instruction via a tunnel may be included in the virtual network configuration change instruction.

  The tunnel connection device 20 that has received the setting change instruction performs setting (switching) based on the setting information included in the instruction (step 15). Further, as described above, an instruction to access the virtual network control apparatus 10 may be issued as a setting change instruction. In this case, as illustrated in FIG. 8, the tunnel connection device 20 transmits a setting information request to the virtual network control device 10 (step 21), and the instruction notification unit 16 of the virtual network control device 10 transmits the tunnel connection device 20. Whether or not there is a change in the setting is checked with reference to the configuration information storage unit 12 (step 22). If it is determined that there is a change, the changed setting information is transmitted to the tunnel connection device 20 (step 23). Then, the tunnel connection device 20 performs setting (step 24).

  In addition, the stopped tunnel connection device 20 that is not currently connected to any tunnel termination device 30 accesses the virtual network control device 10 and inquires about configuration information at the time of separate startup or at a time based on a predetermined rule. go to. Also at this time, the same operation as in steps 21 to 24 is performed.

  A method of controlling the tunnel connection device 20 with a signal from the tunnel of the tunnel termination device 30 can be called inbound signaling. On the other hand, a method for directly instructing the tunnel termination device 30 and the tunnel connection device 20 from the virtual network control device 10 is called meta-signaling.

  In the virtual network system 1, the network is configured between the user terminals 50 (clients) associated with the tunnel connection device 20 using the tunnel termination device 30 as a virtual hub by the configuration and procedure as described above.

(Specific example of tunnel communication)
The virtual network constructed by the technology of the present embodiment can handle various layers of protocols from L2 to L4. For example, this is done by switching the encapsulation part of packets to be transmitted / received according to the setting of the layer to be handled by the tunnel connection device 20 and the tunnel termination device 30, and the virtual address in each layer (if L2, MAC address, L3 This is realized by acting as if it has an IP address. Hereinafter, a specific example of the encapsulation method in the L3 mode is shown below as an example. The following communication is mainly performed by the functions of the protocol processing unit 252 of the tunnel connection communication unit 25 and the protocol processing unit 362 of the tunnel termination communication unit 36.

  An operation example when the type of protocol to be used is L3 (referred to as L3 mode) will be described with reference to FIGS. In each figure, MACrt is the MAC address of the router, and MACvns is the MAC address of the tunnel termination device 30.

  FIG. 9 is a diagram illustrating an example of communication from the user terminal 50 to the server 60. In the L3 mode, the tunnel connection device 20 has a virtual IP address (172.16.050 in this example) assigned from the tunnel termination device 30.

  An Ether frame having the address shown in FIG. 9 is transmitted from the user terminal 50 (step 101).

  The tunnel connection device 20 that has received the frame learns the MAC address of the user terminal 50 (stored in the storage device together with the IP address) (step 102). Also, the tunnel connection device 20 selects a frame captured from the user terminal 50 and destined for the virtual IP address (addressed to the virtual network IP address), and transfers the frame to the tunnel termination device 30 through the tunnel.

  An example of processing for selecting a frame addressed to a virtual IP address is shown in FIG. In the example illustrated in FIG. 10, an example in which communication is performed using a socket is illustrated as an example of the communication unit. Further, as shown in FIG. 10, the tunnel connection device 20 holds a route table in which a predetermined IP address group (for example, a virtual IP address group, but is not limited thereto) is recorded as a virtual network address. doing.

  As shown in FIG. 10, the tunnel connection device 20 stores the MAC address of the frame received from the user terminal 50 and refers to the routing table if the destination IP address is included in the virtual IP address group ( Destination IP determination Yes), the transmission source IP address is rewritten to the virtual IP address assigned to the tunnel connection device 20, and tunnel transfer is performed. In the example of FIG. 10, a virtual NW header (VN header) describing meta information or the like is attached, but this header is not essential. The virtual NW header is used, for example, for identification of a control packet used for key exchange or the like. If the destination IP address is not included in the virtual IP address group (destination IP determination No), the destination IP address is not transmitted through the tunnel but is transmitted to a normal LAN segment.

  As described above, when performing tunnel transfer in FIG. 9, the tunnel connection device 20 cuts out a portion corresponding to the L3 packet (IP packet in this example) from the captured frame, and replaces the L3 address with the virtual IP address. To the tunnel terminating device 30 (S103 to S105).

  Upon receiving the encapsulated packet, the tunnel terminating device 30 performs decryption / decapsulation (step 106), and depending on the destination IP address of the encapsulated packet, another tunnel having the server 60 or its virtual IP address. Transmission is performed toward the connection device 20 (step 107).

  An example of communication from the server 60 to the user terminal 50 is shown in FIG. As shown in FIG. 11, basically the reverse process of communication from the user terminal 50 to the server 60 is performed. That is, the tunnel terminating device 30 captures the frame transmitted from the server 60 (step 201), cuts out the portion corresponding to the L3 packet from the captured frame and performs encryption / encapsulation (step 202), and tunnel connection Transfer to the device 20 (step 203). The tunnel connection device 20 that has received this, after decryption / decapsulation (step 204), changes the destination IP address from the virtual IP address to the real address of the user terminal 50 (step 205). The packet is transmitted as if it was directly transmitted to the user terminal 50 (step 206). Frames received by the tunnel termination device 30 from other tunnel connection devices 20 can be transmitted to the user terminal 50 by the same processing.

<Embodiment for switching connection and switching traffic route>
Hereinafter, an embodiment in which connection switching or traffic path switching is performed in order to perform traffic acquisition or the like in a monitoring device will be described. In the present embodiment, the technology of the virtual network system described above is used, and each tunnel connection device, each tunnel termination device, and the virtual network connection device described below are respectively the tunnel connection device 20 and the tunnel termination described above. It is assumed that the functions of the device 30 and the virtual network connection device 10 are included. In the following, an example in which the tunnel connection apparatus is connected to a server or a terminal will be described. However, as described above, a form in which the function of the tunnel connection apparatus is installed in the server or terminal as a driver may be used. Furthermore, in the following example, it is assumed that virtual network communication is performed in the L3 mode, but the layer of tunnel communication is not limited to this.

  However, by adopting L3 mode with virtual addresses, it is possible to handle packets of multiple clients belonging to multiple different networks in one tunnel termination unit segment (details of tunnel termination unit segments will be described later). There is an effect of becoming.

(System configuration)
FIG. 12 shows a system configuration example according to the present embodiment. As shown in FIG. 12, this system includes a tunnel connection device 101, a tunnel termination device 102, a tunnel connection device 103, a virtual network control device 104, and a tunnel termination device segment 105 over an IP network 100 (for example, the Internet or a closed network). And the server 106 are connected. A server 107 is connected to the tunnel connection apparatus 101, and an end user user terminal 200 is connected to the tunnel connection apparatus 103. In this example, the tunnel connection device 103 and the user terminal 200 belong to an arbitrary LAN (office, home, business trip destination, etc.) to which the user belongs.

  The tunnel termination unit segment 105 includes a tunnel termination unit 301, a monitoring unit 302, a switch 303, and a default GW (hereinafter referred to as DGW) router 304 that are used when acquiring traffic. The switch 303 is a general switch having a mirror port and the DGW router 304 is a general NAT router. Note that the monitoring device 302 is merely an example, and the device provided in the tunnel termination device segment 105 is not limited to the monitoring device 302. In addition to the monitoring device 302, various devices such as a traffic analysis device and a censor device that receive packet information of a certain traffic can be provided.

  In the system shown in FIG. 12, a virtual network (tunnel) connection (dotted line arrow) via the tunnel termination device 102 is used for connection between the user terminal 200 and the server 107 participating in the virtual network by introducing the tunnel connection device 101. Is used. For connection between the server 106 and the user terminal 200 not participating in the virtual network, a normal IP connection is used instead of the virtual network connection (solid arrow).

  In the configuration shown in FIG. 12, the virtual network control device 104 stores the address of the traffic termination device 301 to which the monitoring device 302 is connected in the position information storage unit (15). The process for storing may be performed in advance by the system administrator, or may be performed by the registration process performed by the traffic terminating device described above.

(Operation Example 1: Acquisition of communication traffic with a server not participating in the virtual network)
As an operation example 1, an operation at the time of acquiring communication traffic with the server 106 not participating in the virtual network will be described with reference to FIGS. In the first operation example, the monitoring apparatus 302 acquires traffic by diverting the traffic path between the server 106 and the user terminal 200 to the tunnel termination apparatus segment 105. The procedure will be described below.

  FIG. 13 is a diagram illustrating a state before traffic acquisition. In the state shown in FIG. 13, the tunnel connection device connected to the user terminal 200 in communication between the user terminal 200 and the server 106 that does not use the tunnel connection device and does not participate in the virtual network (hereinafter referred to as the communication target server 106). 103 does not perform any special processing and passes the packet. Therefore, the user terminal 200 and the communication target server 106 communicate with each other in the same manner as when the tunnel connection device 103 is not provided.

  In this state, it is assumed that, for example, a network administrator inputs an instruction to the virtual network control apparatus 104 as shown in step 301 in FIG. 14 in order to acquire only communication traffic to the communication target server 106. This instruction is an instruction (configuration information) indicating a tunnel connection between the tunnel connection device 103 connected to the user terminal 200 and the tunnel termination device 301 in the tunnel termination device segment 105. The contents of this instruction are stored in the configuration information storage unit 12 of the virtual network control device 104. The above instruction also includes the destination address of the communication target server 106 from which the traffic information is to be acquired. This address is the setting information (setting change instruction, (It may be called a detour instruction etc.). This address is identification information for identifying data to be bypassed by the tunnel termination device 301 among data transmitted and received by the tunnel connection device 103. In addition, when the layer information included in the setting information (detour instruction) transmitted to the tunnel connection device 103 is L3, the instruction to set the L3 is a virtual address when encapsulating in the tunnel connection device. This corresponds to the instruction to change to.

  Based on the instruction, a configuration change instruction (setting information for tunnel connection) is transmitted from the virtual network control apparatus 104 to the tunnel connection apparatus 103 and the tunnel termination apparatus 301. As described above, there are two types of instruction transmission methods: inbound signaling and meta-signaling.

  In the current state, if the tunnel connection device 103 and the tunnel termination device 102 are tunnel-connected, the virtual network control device 104 that holds the virtual network configuration information knows this, and the tunnel connection device 103 14 is transmitted to the tunnel termination device 102 (step 302 in FIG. 14). Further, the configuration change instruction (setting information) is also sent to the tunnel termination device 301 that is the tunnel connection destination (step 303). Then, the tunnel termination apparatus 102 transmits a setting change instruction to the tunnel connection apparatus 103 via the tunnel (inbound signaling), and the tunnel connection apparatus 103 performs the setting (step 304). Setting is also performed in the tunnel termination device 301.

  When the tunnel connection device 103 is not tunnel-connected to any tunnel termination device, meta-signaling is performed. That is, for example, the tunnel connection device 103 makes an inquiry (setting information request) to the virtual network control device 104 at the above-mentioned trigger (a fixed time interval or the like) (step 311), thereby establishing a tunnel connection with the tunnel termination device 301. Setting information is acquired and set (step 312).

  In the setting in the tunnel connection device 103, the destination address of the communication target server 106 is stored in the storage means (route table) and used for selecting the communication to the communication target server 106.

  Thereafter, as shown in FIG. 15, the tunnel connection device 103 first establishes a tunnel connection with the tunnel termination device 301 in the tunnel termination device segment 105 (step 401). At this time, an address (that is, a virtual address) in the tunnel termination device segment 105 is issued from the tunnel termination device 301 to the tunnel connection device 103 (step 402).

  When a tunnel connection is established between the tunnel connection device 103 and the tunnel termination device 301, the tunnel connection device 103 selects a packet for the communication target server 106 out of the packets transmitted from the user terminal 200, and sets a transmission source address. It replaces with the address (virtual address) in the tunnel termination unit segment 105 issued from the tunnel termination unit 301. Then, encryption / encapsulation is performed to perform tunneling processing, and the data is transmitted to the tunnel terminating device 301 (step 501 in FIG. 16).

  When the tunnel termination device 301 receives the packet from the tunnel connection device 103, the tunnel termination device 301 performs decapsulation / decryption, and the decapsulated / decoded packet passes through the switch 303 in the middle of the tunnel termination device segment 105. And sent from the DGW router 304 (step 502). The tunnel termination device 301 is a device that bridges communication of the user terminal 200 under the tunnel connection device 103. The above packet is duplicated by the mirror port of the switch 303 or the like and input to the monitoring device 302 (step 503). In the case where the monitoring device 302 is a type of device provided on a packet path such as an FW device, the monitoring device 302 is directly connected to the path without being connected to the mirror port.

  The communication target server 106 receives a packet from the DGW router 304 of the tunnel termination device segment 105 and returns a response packet to the DGW router 304. Since the tunnel termination device 301 sends a response to the ARP that resolves the source address of the packet sent from the tunnel termination device segment 105 at its own interface (ARP proxy response), the DGW router 304 is a communication target server. The response packet received from 106 is transmitted to the tunnel terminating device 301 (step 504). The monitoring device 302 can also acquire this response packet. However, for example, when only the traffic of communication from the user terminal 200 to the communication target server 106 is to be monitored, the response packet need not be acquired.

  Then, the tunnel terminating device 301 sends the packet back to the tunnel connecting device 103, contrary to when the packet is received from the tunnel connecting device 103 (step 505), and the tunnel connecting device 103 determines the destination address of the user terminal 200 from the virtual address. The data is rewritten and transmitted to the user terminal 200.

(Operation example 2: Acquisition of communication traffic with servers participating in the virtual network)
Next, as operation example 2, an operation at the time of acquiring communication traffic with the server 107 participating in the virtual network will be described with reference to FIGS.
In the second operation example, the monitoring device 302 acquires traffic by detouring the traffic route between the server 107 and the user terminal 200 via the tunnel termination device 102 to the tunnel termination device segment 105. The procedure will be described below.

  FIG. 17 is a diagram illustrating a state before traffic acquisition. In the state shown in FIG. 17, communication between the server 107 and the user terminal 200 is performed in a virtual network via the tunnel termination device 102. In this example, the tunnel connection device 101 connected to the communication target server 107 has a function capable of communicating with a plurality of virtual network planes, for example, by including a plurality of tunnel connection devices.

  In this state, in order to acquire only communication traffic to the communication target server 107, it is assumed that, for example, an instruction is input from the network administrator to the virtual network control device 104 as shown in step 601 in FIG. This instruction is an instruction (configuration information) indicating a tunnel connection between the tunnel connection device 103 connected to the user terminal 200 and the tunnel termination device 301 in the tunnel termination device segment 105. This instruction includes the destination address of the communication target server 107 from which the traffic information is to be acquired, and this address is included in setting information (setting change instruction) transmitted to the tunnel connection apparatus 103 described below. . In addition, if a tunnel is not set between the tunnel connection device 101 and the tunnel termination device 301, an instruction indicating that a tunnel connection is established between the tunnel connection device 101 and the tunnel termination device 301 is included. However, in this example, it is assumed that the tunnel is already connected between the tunnel connection device 101 and the tunnel termination device 301. The contents of the instruction are stored in the configuration information storage unit 12 of the virtual network control device 104.

In this example, since the tunnel connection device 103 is tunnel-connected to the tunnel termination device 102, inbound signaling is performed. In other words, the virtual network control device 104 that holds the virtual network configuration information knows that the tunnel connection device 103 is tunnel-connected to the tunnel termination device 102 (that is, the virtual network configuration). A configuration change instruction for tunnel connection with the tunnel termination device 301 is transmitted to the tunnel termination device 102 (step 602 in FIG. 18). The configuration change instruction is also sent to the tunnel termination device 301 that is the tunnel connection destination (step 603).
Then, the tunnel termination device 102 transmits a setting change instruction to the tunnel connection device 103 via the tunnel (by inbound signaling), and the tunnel connection device 103 performs the setting (step 604). In the setting in the tunnel connection apparatus 103, the destination address of the communication target server 107 is stored in the storage means (route table), and is used for selecting communication with the communication target server 107. The setting is also performed in the tunnel termination device 301.

  Thereafter, as shown in FIG. 19, the tunnel connection device 103 disconnects the connection with the tunnel termination device 102 (step 701), and establishes a tunnel connection with the tunnel termination device 301 in the tunnel termination device segment 105 (step 701). 702). At this time, the address (that is, the virtual address) in the tunnel termination device segment 105 is issued from the tunnel termination device 301 to the tunnel connection device 103 (step 703).

  When the tunnel connection is established between the tunnel connection device 103 and the tunnel termination device 301, the tunnel connection device 103 selects a packet for the communication target server 107 from the packets transmitted from the user terminal 200, and transmits the source address. Is replaced with the address (virtual address) in the tunnel terminator segment 105 issued from the tunnel terminator 301. Then, after performing encryption and capsuling to perform a tunneling process, the data is transmitted toward the tunnel terminating device 301. In this way, the user terminal 200 communicates with the communication target server 107 on the virtual network via the tunnel termination device 301 (indicated by step 801 in FIG. 20).

  At this time, the tunnel terminating device 301 duplicates the packet flowing on the virtual network in a decapsulated state, and outputs the packet to an appropriate destination such as the DGW router 304 in the segment (step 802). At this time, the packet is further duplicated at the mirror port of the switch 303 on the way and transmitted to the monitoring apparatus 302 (step 803). Thereby, the communication traffic between the user terminal 200 and the communication target server 107 can be acquired.

  In both cases of the operation example 1 and the operation example 2, when inbound signaling is performed, one user side tunnel connection device 103 is connected to the tunnel termination device 102. In some cases, a plurality of tunnel connection devices are connected to the tunnel 102 to form a virtual network. In other words, a virtual network may be established by a plurality of tunnel connection devices with the tunnel termination device 102 as a hub. In this case, the setting information (detour instruction) can be transmitted to a plurality of tunnel connection devices via each tunnel. Thereby, it is possible to perform monitoring or the like by bypassing the traffic of a plurality of specific user terminals. In this case, for example, information indicating to which tunnel connection apparatus the detour instruction is transmitted is included in the setting change instruction sent from the virtual network control apparatus 104 to the tunnel termination apparatus 102, and the tunnel termination apparatus 102 indicates the information. The detour instruction can be transmitted to a plurality of tunnel connection devices.

<Summary of Embodiment, Effect>
As described above, in the present embodiment, the driver software installed in the user terminal or the network including a server that selects and analyzes traffic to be acquired in the tunnel connection device connected to the user terminal Transfer to (Tunnel Terminator Segment).

  At this time, as described in the operation example 1 and the operation example 2, the communication relay method is changed between communication for servers already participating in the virtual network and communication for other servers. When acquiring traffic going out of the virtual network as in Operation Example 1, communication is performed with the target server by bridging the communication of the user terminal on the side of the tunnel terminating device that has received the transfer, and this traffic is acquired. . Further, as described in the operation example 2, when communication in the virtual tunnel termination device is acquired, the connection is switched to the tunnel termination device for traffic acquisition, and the traffic in the virtual network is copied and output. Get traffic.

  As a result, regardless of the network from which the client device (user terminal) is communicating, only the communication for the specific destination can be separated and monitored. In addition, when performing traffic monitoring on the overlay network, it is possible to isolate only the communication of a specific client without introducing monitoring devices to all the aggregation servers.

In other words, by using the technology described in this embodiment, it is possible to acquire traffic information flowing on a network such as the Internet even when a function for acquiring traffic information cannot be installed in a DC on a specific communication path. Become. In this method, the operator of the user terminal does not notice whether or not his / her traffic is being relayed. It is also possible to provide a traffic monitoring function in an ASP manner. Note that the method by which the relayed traffic is acquired and analyzed, monitored, quarantined, etc. is not limited to a specific method.
The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

DESCRIPTION OF SYMBOLS 1 Virtual network system 10 Virtual network control apparatus 20 Tunnel connection apparatus 30 Tunnel termination apparatus 40 IP network 50 User terminal 60 Server 11 Virtual NW construction instruction reception part 12 Configuration information storage part 13 Device communication part 14 Position information registration part 15 Position information Storage unit 16 Instruction notification unit 21 Virtual virtual network controller communication unit 23 Setting unit 24 Data storage unit 25 Tunnel connection communication unit 251 Tunnel construction unit 252 Protocol processing unit 31 Virtual virtual network control device communication unit 32 Registration request unit 33 Setting unit 34 Virtual network configuration change control unit 35 Data storage unit 36 Tunnel termination communication unit 361 Tunnel construction unit 362 Protocol processing unit 100 IP network 101, 103 Tunnel connection device 102, 301 Tunnel termination device 104 Virtual network control device 105 Tunnel termination device Segment 106, 107 the server 200 the user terminal 302 monitoring device 303 switches 304 DGW router

Claims (11)

A virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device,
Storage means for storing position information of a predetermined tunnel termination device;
Of the instruction to establish a tunnel between the predetermined tunnel connection device and the predetermined tunnel termination device indicated by the location information, and the data transmitted and received by the predetermined tunnel connection device, the predetermined tunnel connection device An instruction notification means for notifying the predetermined tunnel connection device of a detour instruction including identification information for identifying data to be detoured ,
The detour instruction includes an instruction to replace an address attached to data with a virtual address when data encapsulation is performed in the predetermined tunnel connection device, and the virtual address includes the predetermined tunnel termination device A virtual network control device which is paid out from a segment . A virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device,
Storage means for storing position information of a predetermined tunnel termination device;
Of the instruction to establish a tunnel between the predetermined tunnel connection device and the predetermined tunnel termination device indicated by the location information, and the data transmitted and received by the predetermined tunnel connection device, the predetermined tunnel connection device An instruction notification means for notifying the predetermined tunnel connection device of a detour instruction including identification information for identifying data to be detoured ,
The detour instruction includes an instruction to replace an address attached to data with a virtual address when performing data encapsulation in the predetermined tunnel connection device, and the virtual address includes data whose destination is the virtual address. A virtual network control device which is paid out so as to be routed to the predetermined tunnel termination device. The virtual network control device according to claim 1, wherein the predetermined tunnel termination device is a tunnel termination device that bridges communication of the predetermined tunnel connection device. A monitoring device is connected to the predetermined tunnel termination device. The predetermined tunnel termination device decapsulates the encapsulated data received in the tunnel, and transmits the decapsulated data to the monitoring device. The virtual network control device according to claim 1, wherein the virtual network control device is a virtual network control device. The detour instruction is notified through the tunnel in a state where the predetermined tunnel connection device has previously established a tunnel with a tunnel termination device other than the predetermined tunnel termination device. 5. The virtual network control device according to claim 1. The detour instruction is notified to the plurality of tunnel connection devices when a virtual network is already established by a plurality of tunnel connection devices with the tunnel termination device as a hub. 6. The virtual network control device according to claim 1. A virtual network control method executed by a virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device,
Storing location information of a predetermined tunnel termination device in a storage means;
Of the instruction to establish a tunnel between the predetermined tunnel connection device and the predetermined tunnel termination device indicated by the location information, and the data transmitted and received by the predetermined tunnel connection device, the predetermined tunnel connection device Notifying the predetermined tunnel connection device of a detour instruction including identification information for identifying data to be detoured , and
The detour instruction includes an instruction to replace an address attached to data with a virtual address when data encapsulation is performed in the predetermined tunnel connection device, and the virtual address includes the predetermined tunnel termination device A virtual network control method characterized by being paid out from a segment . A virtual network control method executed by a virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device,
Storing location information of a predetermined tunnel termination device in a storage means;
Of the instruction to establish a tunnel between the predetermined tunnel connection device and the predetermined tunnel termination device indicated by the location information, and the data transmitted and received by the predetermined tunnel connection device, the predetermined tunnel connection device Notifying the predetermined tunnel connection device of a detour instruction including identification information for identifying data to be detoured , and
The detour instruction includes an instruction to replace an address attached to data with a virtual address when performing data encapsulation in the predetermined tunnel connection device, and the virtual address includes data whose destination is the virtual address. The virtual network control method, wherein the virtual network is paid out so as to be routed to the predetermined tunnel terminating device . Virtual network control system comprising a virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device, and a predetermined tunnel termination device to which a monitoring device is connected Because
The virtual network control device is:
Storage means for storing position information of the predetermined tunnel termination device;
Of the instruction to establish a tunnel between the predetermined tunnel connection device and the predetermined tunnel termination device indicated by the location information, and the data transmitted and received by the predetermined tunnel connection device, the predetermined tunnel connection device An instruction notification means for notifying the predetermined tunnel connection device of a detour instruction including identification information for identifying data to be detoured,
The predetermined tunnel termination device is a virtual network control system for decapsulating the encapsulated data received in the tunnel and transmitting the decapsulated data to the monitoring device ;
The detour instruction includes an instruction to replace an address attached to data with a virtual address when data encapsulation is performed in the predetermined tunnel connection device, and the virtual address includes the predetermined tunnel termination device A virtual network control system characterized by being paid out from a segment . Virtual network control system comprising a virtual network control device for controlling a virtual network configured by a tunnel set between a tunnel connection device and a tunnel termination device, and a predetermined tunnel termination device to which a monitoring device is connected Because
The virtual network control device is:
Storage means for storing position information of the predetermined tunnel termination device;
Of the instruction to establish a tunnel between the predetermined tunnel connection device and the predetermined tunnel termination device indicated by the location information, and the data transmitted and received by the predetermined tunnel connection device, the predetermined tunnel connection device An instruction notification means for notifying the predetermined tunnel connection device of a detour instruction including identification information for identifying data to be detoured,
The predetermined tunnel termination device is a virtual network control system for decapsulating the encapsulated data received in the tunnel and transmitting the decapsulated data to the monitoring device ;
The detour instruction includes an instruction to replace an address attached to data with a virtual address when performing data encapsulation in the predetermined tunnel connection device, and the virtual address includes data whose destination is the virtual address. A virtual network control system, which is paid out so as to be routed to the predetermined tunnel termination device . The program for functioning a computer as each means of the virtual network control apparatus of any one of Claims 1 thru | or 6.

Images