WO2013075598A1 - Method, network device and system for user access control - Google Patents

Info

Publication number: WO2013075598A1
Authority: WO, WIPO (PCT)
Prior art keywords: user, gateway, gateway device, user group, accessed
Application number: PCT/CN2012/084636
Other languages: French (fr), Chinese (zh)
Inventor: 黄勇, 牛乐宏, 李长泰
Original Assignee: 华为技术有限公司
Application filed by: 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
    • H04W4/08 User group management

Definitions

  • A broadband network gateway (BNG) device is a gateway device through which broadband home users and small enterprises access the Internet.
  • The BNG authenticates and authorizes users accessing the network, allocates or assists in allocating the IP addresses that users use for Internet access, controls users' access bandwidth, and performs charging for users' Internet access.
  • The user's information is configured on the BNG through network planning, and different BNGs in the same site independently process the online access services of different users.
  • This configuration mode is static. If users go online unevenly, a large number of users go online through the same BNG, so that some BNGs carry a high load and others a low load, resulting in load imbalance.
  • Embodiments of the present invention provide a method, a network device, and a system for user access control that can dynamically adjust and control which gateway device users access to go online, which can solve the problems of users going online unevenly and of unbalanced gateway device load.
  • A method for user access control, comprising:
  • A network device for user access control, including:
  • a determining unit, configured to determine, from the at least two gateway devices, an access gateway device for the user group to be accessed;
  • a first sending unit, configured to send an activation message to the access gateway device determined by the determining unit, where the activation message includes the user group identifier of the user group to be accessed, so that the access gateway device provides an online access service for the users identified by the user group identifier.
  • A system for user access control, comprising a network device for user access control and at least two gateway devices, wherein:
  • the gateway device is configured to receive the activation message sent by the aggregation device and to provide an online access service for the users identified by the user group identifier.
  • The user access control method, network device, and system provided by the embodiments of the present invention determine an access gateway device for the user group to be accessed from at least two gateway devices and send an activation message to the access gateway device, so that the access gateway device provides an online access service for the users identified by the user group identifier. Users can therefore go online through any gateway device, which avoids the load imbalance caused by a large number of users going online on the same gateway device, so that users get a better online service.
  • FIG. 1 is a flowchart of a method for user access control according to an embodiment of the present invention
  • FIG. 2 is a flowchart of another method for user access control according to an embodiment of the present invention
  • FIG. 4 is a flowchart of user data backup in another method for user access control according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of information exchange of user access control according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of information exchange of another user access control according to an embodiment of the present invention
  • FIG. 8 is a schematic diagram of information exchange of another user access control according to an embodiment of the present invention
  • FIG. 9 is a network for user access control according to an embodiment of the present invention
  • FIG. 10 is a block diagram showing the composition of another network device for user access control according to an embodiment of the present invention.
  • FIG. 11 is a block diagram of another network device for user access control according to an embodiment of the present invention.
  • FIG. 12 is a block diagram of another network device for user access control according to an embodiment of the present disclosure.
  • FIG. 13 is a structural block diagram of a system for user access control according to an embodiment of the present invention.
  • An embodiment of the invention provides a method for user access control. As shown in FIG. 1, the method includes:
  • The aggregation device determines, from the at least two gateway devices, an access gateway device for the user group to be accessed.
  • The aggregation device may determine the access gateway device for the user group to be accessed from the at least two gateway devices by either of the following two methods:
  • The first method: the aggregation device acquires a static gateway allocation policy and, according to the static gateway allocation policy, determines the corresponding access gateway device from the at least two gateway devices for the user group to be accessed.
  • The second method: the aggregation device acquires load information of the at least two gateway devices and, according to the load information, selects the gateway device with the smallest load from the at least two gateway devices as the access gateway device for the user group to be accessed.
  • The static gateway allocation policy may be a policy preset in the networking. It includes a gateway allocation mode, which indicates the correspondence between the user group identifier of the user group to be accessed and a gateway device identifier.
  • The specific static gateway allocation policy can be set according to the networking situation and is not described in detail in this embodiment of the present invention.
  • the uplink or downlink bandwidth of the device, the traffic usage ratio of the gateway device port, and the CPU usage of the gateway device are not limited in this embodiment of the present invention.
  • The load information of the at least two gateway devices may be obtained directly by the aggregation device, including:
  • The aggregation device receives the load information periodically sent by the at least two gateway devices; or the aggregation device periodically queries the at least two gateway devices and acquires their load information.
  • The load information of the at least two gateway devices may also be obtained by the aggregation device through other devices that monitor the load information of the gateway devices in real time, which is not described in detail in this embodiment of the present invention.
  • the first method and the second method may be used when a part of the at least two gateway devices has been accessed, and the foregoing first method may also be in the at least two
  • the first method and the second method are used in the case where the user equipment is not connected to the user equipment.
  • the embodiment of the present invention does not limit this.
  • The aggregation device sends an activation message to the access gateway device, where the activation message includes the user group identifier of the user group to be accessed, so that the access gateway device provides an online access service for the users identified by the user group identifier.
  • The user group identifier may be a service virtual local area network (sVlan, Service Virtual Local Area Network) identifier.
  • The user group identifier used in the embodiment of the present invention is not limited to sVlan and may also be other information that identifies the user group, such as a PWE3 (Pseudo-Wire Emulation Edge to Edge, edge-to-edge pseudowire emulation technology) identifier or a PVC (Permanent Virtual Connection, an ATM technology) identifier. This embodiment of the present invention does not limit this.
  • The online access service may include, but is not limited to, user access authentication and authorization, user IP address allocation, and the like.
  • The user access control method provided by the embodiment of the present invention determines an access gateway device for a user group to be accessed from at least two gateway devices and sends an activation message to the access gateway device, so that the access gateway device provides an online access service for the users identified by the user group identifier. Users can therefore go online through any gateway device, which avoids the load imbalance caused by a large number of users going online on the same gateway device, so that users get a better online service.
  • The method includes:
  • The aggregation device determines, from the at least two gateway devices, an access gateway device for the user group to be accessed.
  • The description of step 201 is the same as that of step 101, and details are not repeated here.
  • The aggregation device sends an activation message to the access gateway device, where the activation message includes the user group identifier of the user group to be accessed, so that the access gateway device provides an online access service for the users identified by the user group identifier.
  • The description of step 202 is the same as that of step 102, and details are not repeated here.
  • 203. Obtain load information of the at least two gateway devices.
  • The description of the load information is the same as that described in step 102 and is not repeated in this embodiment of the present invention.
  • The load threshold may be set to different thresholds according to different load information.
  • The load threshold may be set to an upper limit on the number of users on the gateway that does not affect the user experience; this embodiment of the present invention does not limit this.
  • If the load of a first gateway device of the at least two gateway devices exceeds its corresponding load threshold, select, from the gateway devices whose load does not exceed the corresponding load threshold, the gateway device with the smallest load as the second gateway device.
  • Switching one or more user groups accessed through the first gateway device to access through the second gateway device may be implemented in the following manner:
  • Users provide online access services.
  • Sending an activation message to the second gateway device, where the activation message includes the user group identifier of the partial user group, so that the second gateway device can provide an online access service for the users identified by the user group identifier of the partial user group.
  • The first gateway device stops providing an online access service for the users identified by the user group identifier of the partial user group, and the second gateway device can provide the online access service for the users identified by that user group identifier; the implementation of this is well known to those skilled in the art and is not described in detail in the embodiments of the present invention.
  • The description of the online access service is the same as that in the foregoing step 102, and details are not repeated here.
  • The method further includes:
  • The switching gateway device may be a gateway device whose one or more user groups on the third gateway do not exceed the corresponding threshold.
  • An activation message is sent to the switching gateway device, where the activation message includes the user group identifier of one or more user groups on the third gateway, so that the switching gateway device provides an online access service for the users identified by the user group identifier of the one or more user groups on the third gateway.
  • The method further includes:
  • the user group provides online access services.
  • the gateway device identifier, so that the gateway device that provides the online access service for the accessed user group backs up the data of the users identified by the user group identifier of the accessed user group to the backup gateway device.
  • the data of the user is a port of the user group where the user is located, and the gateway device that provides the online access service for the accessed user group sends a backup indication message.
  • This can include: determining a backup mode from predetermined backup modes, where the predetermined backup modes include hot standby and warm standby.
  • Hot standby is implemented by backing up the users' data on the primary gateway to the corresponding backup gateway and maintaining the pending state of the user data on the backup gateway, so that when the primary gateway fails, the backup gateway can directly send the user data, ensuring that users are not dropped.
  • Warm standby is implemented by backing up the users' data on the primary gateway to the corresponding backup gateway and recording the user data on the backup gateway. When the primary gateway fails, the backup gateway takes over processing of the user data from the primary gateway and sends user data only when it receives a command sent by the server.
  • The user access control method provided by the embodiment of the present invention determines an access gateway device for a user group to be accessed from at least two gateway devices and sends an activation message to the access gateway device, so that the access gateway device provides an online access service for the users identified by the user group identifier. Users can therefore go online through any gateway device, which solves the problem of users going online unevenly.
  • The users of an overloaded gateway are switched to a gateway that is not overloaded, which balances the load across the gateways. During the switch, the overloaded gateway stops serving the switched-out users, which saves gateway resources.
  • Through the backup of user data and the fault handling of the gateway device, the user access control method provided by the embodiment of the present invention keeps users online while a gateway device has failed, so that users get a better online service.
  • The aggregation device is a LAN switch.
  • the user equipment (User Equipment, UE for short)
  • an access device such as a Digital Subscriber Line Access Multiplexer (DSLAM).
  • The LAN switch connects the user group to be accessed, in which user equipment UE1 under DSLAM1 is located, to BNG1, and the LAN switch sends an activation message to BNG1, where the activation message includes the user group identifier sVlan1 (Service Virtual Local Area Network) of UE1.
  • The user group identifier used in the embodiment of the present invention is not limited to sVlan; other examples are PWE3 (Pseudo-Wire Emulation Edge to Edge, edge-to-edge pseudowire emulation technology) and PVC (Permanent Virtual Connection, an ATM technology).
  • UPE1 sends a DHCP Discover message to DSLAM1.
  • DSLAM1 receives the DHCP Discover message, carries the UE's identification information cVlan and sVlan1 in the DHCP Discover message, and sends it to the LAN Switch.
  • The LAN Switch sends the DHCP Discover message to BNG1, BNG2, and BNG3.
  • BNG1, BNG2, and BNG3 each determine whether the user group identified by sVlan1 is activated locally. If the result is yes on BNG1 and no on BNG2 and BNG3, BNG1 performs the user access process, including authenticating the user, assigning an address to the user, and sending a DHCP Offer to the LAN Switch; BNG2 and BNG3 discard the received DHCP Discover message.
  • The LAN Switch receives the DHCP Offer message, which includes cVlan1 and sVlan1, and sends the DHCP Offer message to DSLAM1.
  • DSLAM1 correctly sends the DHCP Offer message to the port where UE1 is located.
  • UPE1 sends a DHCP Request, which is sent to BNG1 through DSLAM1 and the LAN Switch.
  • BNG1 responds with a DHCP ACK message, which is forwarded to UPE1 via the LAN Switch and DSLAM1.
  • UE1 obtains an IP address and a gateway address from the DHCP ACK message and sends an ARP Request to request the MAC address corresponding to the gateway address.
  • BNG1 responds to the ARP Request sent by UE1.
  • The ARP Response message is sent to UE1 through DSLAM1.
  • The process of accessing the user group of UE1 to BNG1 is completed through 501 to 512.
  • Further, as shown in FIG. 6, another information interaction diagram of user access control according to an embodiment of the present invention is provided.
  • The LAN Switch obtains load information of BNG1, BNG2, and BNG3.
  • The LAN Switch detects that the load of BNG1 exceeds its corresponding load threshold, selects BNG2, the less loaded of BNG2 and BNG3, for load migration, and selects the user group where UE1 is located to be migrated out.
  • The LAN Switch sends a deactivation message to BNG1, where the deactivation message includes sVlan1.
  • 604. The LAN Switch sends an activation message to BNG2, where the activation message includes sVlan1.
  • BNG2 sends a gratuitous ARP to the LAN Switch.
  • UE1 and BNG2 complete the DHCP request process and the ARP request process.
  • The process of migrating the user group of UE1 from the high-load BNG1 to the low-load BNG2 is completed through 601 to 606, which can solve the problem of uneven user access and unbalanced load among the BNGs. It should be noted that the specific implementation of 606 is the same as that of 502 to 512 and is not repeated here.
  • FIG. 7 is another information interaction diagram of user access control according to an embodiment of the present invention.
  • The LAN Switch determines the user group data of the BNG1 backup BNG1.
  • The LAN Switch sends a backup indication message to BNG1, where the message includes sVlan1 and an identifier of the backup target BNG2, for example, the IP address of BNG2.
  • BNG1 backs up user data on BNG1 to BNG2.
  • When BNG1 fails, BNG3 can directly process user services on BNG1, ensuring that users can still access the network normally.
  • FIG. 8 is a schematic diagram of information exchange of another user access control according to an embodiment of the present invention.
  • The LAN Switch receives the keepalive packets sent by BNG1, BNG2, and BNG3.
  • The LAN Switch does not receive the keepalive packet of BNG1 and determines that BNG1 is faulty.
  • 803. The LAN Switch switches the user group where user UE1 is located on BNG1 to the corresponding backup gateway device BNG2; or, according to the received load conditions of BNG2 and BNG3, selects the lower-loaded of the two BNGs to carry the users on BNG1.
  • The following description takes as an example the LAN Switch choosing to switch the user group of user UE1 on BNG1 to BNG2.
  • The LAN Switch sends an activation message to BNG2, where the activation message carries sVlan1.
  • 805. BNG2 sends a gratuitous ARP to the LAN Switch.
  • UE1 and BNG2 complete the DHCP request process and the ARP request process.
  • An embodiment of the present invention provides a network device for user access control.
  • The network device includes a determining unit 901 and a first sending unit 902.
  • The determining unit 901 is configured to determine, from the at least two gateway devices, an access gateway device for the user group to be accessed.
  • The first sending unit 902 is configured to send an activation message to the access gateway device determined by the determining unit 901, where the activation message includes the user group identifier of the user group to be accessed, so that the access gateway device provides an online access service for the users identified by the user group identifier.
  • The device includes an obtaining unit 903, a determining unit 904, a selecting unit 905, and a first switching unit 906.
  • The obtaining unit 903 is configured to acquire load information of the at least two gateway devices.
  • The determining unit 904 is configured to determine, according to the load information acquired by the obtaining unit 903, whether any of the at least two gateway devices has a load that exceeds its corresponding load threshold.
  • The selecting unit 905 is configured to, when the load of a first gateway device of the at least two gateway devices exceeds its corresponding load threshold, select, from the gateway devices of the at least two gateway devices whose load does not exceed the corresponding load threshold, the gateway device with the smallest load as the second gateway device.
  • The first switching unit 906 is configured to switch one or more user groups accessed through the first gateway device to the second gateway device selected by the selecting unit 905, so that the load of the first gateway device does not exceed its corresponding load threshold.
  • The device includes an allocating unit 907 and a second sending unit 908.
  • The allocating unit 907 is configured to allocate a backup gateway device to the user group that has been accessed, where the backup gateway device provides the online access service for the accessed user group when the gateway that provides the online access service for the accessed user group fails.
  • The second sending unit 908 is configured to send a backup indication message to the gateway device that provides the online access service for the accessed user group, where the backup indication message includes the user group identifier of the accessed user group and the gateway device identifier of the backup gateway device, so that the gateway device that provides the online access service for the accessed user group backs up the data of the users identified by the user group identifier of the accessed user group to the backup gateway device.
  • The device further includes a detecting unit 909, a second switching unit 910, and a third sending unit 911.
  • The detecting unit 909 is configured to detect the status of the at least two gateway devices.
  • The second switching unit 910 is configured to, when the detecting unit 909 detects that a third gateway device of the at least two gateway devices fails, switch one or more user groups on the third gateway device to a switching gateway device, where the switching gateway device is a gateway device of the at least two gateway devices that has not failed.
  • The third sending unit 911 is configured to send an activation message to the switching gateway device, where the activation message includes the user group identifier of one or more user groups on the third gateway, so that the switching gateway device can provide an online access service for the users identified by the user group identifier of the one or more user groups on the third gateway.
  • An embodiment of the present invention further provides a system for user access control.
  • The system includes a network device for user access control and at least two gateway devices, where the network device for user access control is an aggregation device 1101 and the at least two gateway devices are a gateway device 1102a and a gateway device 1102b.
  • The aggregation device 1101 is configured to determine, from the at least two gateway devices, the gateway device 1102a as the access gateway device for the user group to be accessed, and to send an activation message to the gateway device 1102a, where the activation message includes the user group identifier of the user group to be accessed.
  • The gateway device 1102a is configured to receive the activation message sent by the aggregation device 1101 and to provide an online access service for the users identified by the user group identifier.
  • The aggregation device 1101 is further configured to allocate a backup gateway device 1102b to the accessed user group and to send a backup indication message to the gateway device 1102a that is providing the online access service for the accessed user group.
  • The gateway device 1102a is further configured to receive the backup indication message sent by the aggregation device 1101, where the backup indication message includes the user group identifier of the accessed user group and the gateway device identifier of the backup gateway device 1102b, and to back up the data of the users identified by the user group identifier of the accessed user group to the backup gateway device 1102b. And, when it is detected that the gateway device 1102a of the at least two gateway devices fails, one or more user groups on the gateway device 1102a are switched to the switching gateway device 1102b, and an activation message is sent to the switching gateway device 1102b.
  • The gateway device 1102a is further configured to receive an activation message sent by the aggregation device 1101, where the activation message includes the user group identifier of one or more user groups on the gateway device 1102a, and to provide an online access service for the users identified by the user group identifier of one or more user groups on the gateway device 1102b.
  • The user access control method, network device, and system provided by the embodiments of the present invention determine an access gateway device for the user group to be accessed from at least two gateway devices and send an activation message to the access gateway device, so that the access gateway device provides an online access service for the users identified by the user group identifier. Users can therefore go online through any gateway device, which solves the problem of users going online unevenly.
  • The users of an overloaded gateway are switched to a gateway that is not overloaded, which balances the load across the gateways.
  • The overloaded gateway stops serving the switched-out users, which saves gateway resources.
  • Through the backup of user data and the fault handling of the gateway device, the user access control method, network device, and system provided by the embodiments of the present invention keep users online while a gateway device has failed, so that users get a good online service.
  • The present invention can be implemented by means of software plus the necessary general-purpose hardware, and of course also by hardware alone, but in many cases the former is the better implementation.
  • The technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a computer's floppy disk, hard disk, or optical disk, which includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in the various embodiments of the present invention.
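
The control logic described above, as an added example that is not code from the patent: a Python model of the aggregation device that places user groups on the least-loaded gateway, migrates groups off a gateway whose load exceeds its threshold with deactivate/activate messages, and fails groups over to their backup gateway when a keepalive is missed. The class and method names, the use of user counts as the load metric, the check that a migration target stays within its threshold, and the scenario in `demo()` are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    threshold: int                                # load threshold, counted in users
    alive: bool = True
    active: dict = field(default_factory=dict)    # activated sVlan -> users online
    standby: set = field(default_factory=set)     # sVlans backed up to this gateway

    @property
    def load(self):
        return sum(self.active.values())


class AggregationDevice:
    """Plays the LAN switch role: chooses gateways and sends control messages."""

    def __init__(self, gateways):
        self.gws = {g.name: g for g in gateways}
        self.sent = []                            # control messages, in order

    def _pick(self, exclude=(), extra=0):
        # Least-loaded live gateway. The `extra` check is an added safeguard, not
        # stated in the patent: the target must stay within its threshold.
        ok = [g for g in self.gws.values() if g.alive and g.name not in exclude
              and g.load + extra <= g.threshold]
        return min(ok, key=lambda g: (g.load, g.name)) if ok else None

    def admit(self, svlan, users):
        """Second method of step 101, then step 102, then backup allocation."""
        gw = self._pick(extra=users)
        if gw is None:
            raise RuntimeError(f"no gateway has room for {svlan}")
        gw.active[svlan] = users
        self.sent.append(("activate", gw.name, svlan))
        backup = self._pick(exclude={gw.name})
        if backup is not None:
            backup.standby.add(svlan)
            self.sent.append(("backup", gw.name, svlan, backup.name))
        return gw.name

    def report_users(self, svlan, users):
        """Load information arriving from the gateway that serves `svlan`."""
        next(g for g in self.gws.values() if svlan in g.active).active[svlan] = users

    def _move(self, svlan, src, dst):
        users = src.active.pop(svlan)
        if src.alive:                             # a failed gateway gets no message
            self.sent.append(("deactivate", src.name, svlan))
        dst.standby.discard(svlan)
        dst.active[svlan] = users
        self.sent.append(("activate", dst.name, svlan))

    def rebalance(self):
        """Step 203 onward: move groups off gateways that exceed their threshold."""
        moved = []
        for src in list(self.gws.values()):
            while src.alive and src.load > src.threshold:
                svlan = min(src.active, key=lambda s: (src.active[s], s))
                dst = self._pick(exclude={src.name}, extra=src.active[svlan])
                if dst is None:
                    break                         # nowhere to go: stay overloaded
                self._move(svlan, src, dst)
                moved.append((svlan, src.name, dst.name))
        return moved

    def keepalive_missed(self, name):
        """FIG. 8: mark the gateway faulty and switch its groups elsewhere."""
        src = self.gws[name]
        src.alive = False
        moved = []
        for svlan in sorted(src.active):
            backups = [g for g in self.gws.values() if g.alive and svlan in g.standby]
            dst = backups[0] if backups else self._pick(exclude={name})
            if dst is not None:
                self._move(svlan, src, dst)
                moved.append((svlan, dst.name))
        return moved

    def responders(self, svlan):
        """Gateways that answer a flooded DHCP Discover for this sVlan."""
        return [g.name for g in self.gws.values() if g.alive and svlan in g.active]


def demo():
    # Constructed scenario: three gateways, four user groups, threshold 100 users.
    agg = AggregationDevice([Gateway(f"BNG{i}", 100) for i in (1, 2, 3)])
    placed = [agg.admit(f"sVlan{i}", n) for i, n in enumerate((40, 30, 20, 10), 1)]
    agg.report_users("sVlan3", 80)                # users come online unevenly
    agg.report_users("sVlan4", 30)                # BNG3 now carries 110 users
    migrated = agg.rebalance()
    failed_over = agg.keepalive_missed("BNG1")
    return agg, placed, migrated, failed_over


if __name__ == "__main__":
    print(demo()[1:])
```

`responders()` is the invariant worth checking after every migration or failover: because the DHCP Discover is sent to every BNG, exactly one live gateway may have a given sVlan activated at any time.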

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a method, network device and system for user access control, which relate to the technical field of network communications. An access gateway device is determined for a user group to be accessed from at least two gateways, and activation information comprising the user group identifier of the user group to be accessed is sent to the determined access gateway device, so that the access gateway device provides an online access service for the user group identified by the user group identifier. Users can thus be dynamically assigned to different gateway devices to go online, which can solve the problems of uneven online distribution of users and unbalanced BNG load. The embodiments of the present invention are mainly applied to the control process of user access gateways.

Description

一种用户接入控制的方法、 网络设备和系统 本申请要求于 2011 年 11 月 25 日提交中国专利局、 申请号为 CN 201110381826.3、 发明名称为 "用户接入控制的方法、 网络设备和系统" 的中 国专利申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域 本发明涉及网络通信技术领域, 尤其涉及一种用户接入控制的方法、 网 络设备及系统。 背景技术 宽带网络网关 (Broadband Network Ga teway, 简称 BNG )设备是用于宽 带家庭用户与小企业接入 Internet网络的网关设备。 BNG具有实现用户接入 网络的认证与鉴权, 分配或辅助分配用户上网用的 IP地址, 对用户接入带宽 进行控制,对用户上网进行计费等功能。  Method, network device and system for user access control The application is submitted to the Chinese Patent Office on November 25, 2011, the application number is CN 201110381826.3, and the invention name is "user access control method, network device and system" Priority of the Chinese Patent Application, the entire contents of which is incorporated herein by reference. The present invention relates to the field of network communication technologies, and in particular, to a method, network device, and system for user access control. A broadband network gateway (BNG) device is a gateway device for broadband home users and small enterprises to access an Internet network. The BNG has the functions of authenticating and authenticating the access network of the user, allocating or assisting in allocating the IP address used by the user for Internet access, controlling the access bandwidth of the user, and performing charging for the user to access the Internet.
用户上网流量都经过 G设备, 随着互联网 (Internet ) 内容信息量的 增长, 上网流量不断增长, BNG设备需要不断扩容与之适应。 BNG扩容导致更 多的 BNG设备放置在一个站点。  Users' Internet traffic passes through G devices. As the amount of Internet content increases, Internet traffic continues to grow, and BNG devices need to be continuously expanded to accommodate them. BNG expansion has resulted in more BNG equipment being placed at one site.
目前, 为了保证用户能正常进入网络, 会通过网络规划将用户的信息配 置到 BNG上, 同一站点内的不同 BNG独立处理不同用户的上线接入业务。 这种 配置方式是静态的, 如果用户上线不均匀, 会造成大量用户通过同一个 BNG上 线, 使得一些 BNG负载量高, 一些 BNG负载量低, 造成负载失衡。  At present, in order to ensure that the user can enter the network normally, the user's information is configured on the BNG through network planning, and different BNGs in the same site independently process the online access services of different users. This configuration mode is static. If the user goes online unevenly, a large number of users will go online through the same BNG, which will cause some BNG load to be high and some BNG load to be low, resulting in load imbalance.
Summary of the Invention
Embodiments of the present invention provide a method, network device, and system for user access control that can dynamically adjust and control which gateway device users access to come online. This can solve the problems of users coming online unevenly and of gateway device load imbalance.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:
A method for user access control, including:
determining, from at least two gateway devices, an access gateway device for a user group to be accessed; and
sending an activation message to the access gateway device, where the activation message includes the user group identifier of the user group to be accessed, so that the access gateway device provides an online access service for the users identified by the user group identifier.
A network device for user access control, including:
a determining unit, configured to determine, from at least two gateway devices, an access gateway device for a user group to be accessed; and
a first sending unit, configured to send an activation message to the access gateway device determined by the determining unit, where the activation message includes the user group identifier of the user group to be accessed, so that the access gateway device provides an online access service for the users identified by the user group identifier.
A system for user access control, including a network device for user access control and at least two gateway devices, where:
the gateway device is configured to receive the activation message sent by the aggregation device and to provide an online access service for the users identified by the user group identifier.
In the method, network device, and system for user access control provided by the embodiments of the present invention, an access gateway device is determined for the user group to be accessed from at least two gateway devices, and an activation message is sent to the access gateway device so that it provides an online access service for the users identified by the user group identifier. A user can therefore come online through any of the gateway devices, which avoids the load imbalance caused by a large number of users coming online on the same gateway device and gives users a better online service.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for user access control according to an embodiment of the present invention;
FIG. 2 is a flowchart of another method for user access control according to an embodiment of the present invention;
FIG. 3 is a flowchart of fault handling in another method for user access control according to an embodiment of the present invention;
FIG. 4 is a flowchart of user data backup in another method for user access control according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of information interaction for user access control according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of another information interaction for user access control according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of another information interaction for user access control according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of another information interaction for user access control according to an embodiment of the present invention;
FIG. 9 is a block diagram of a network device for user access control according to an embodiment of the present invention;
FIG. 10 is a block diagram of another network device for user access control according to an embodiment of the present invention;
FIG. 11 is a block diagram of another network device for user access control according to an embodiment of the present invention;
FIG. 12 is a block diagram of another network device for user access control according to an embodiment of the present invention;
FIG. 13 is a block diagram of a system for user access control according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a method for user access control. As shown in FIG. 1, the method includes:
101. An aggregation device determines, from at least two gateway devices, an access gateway device for a user group to be accessed.
The aggregation device may determine the access gateway device for the user group to be accessed from the at least two gateway devices in either of the following two ways:
First method: the aggregation device obtains a static gateway allocation policy and, according to that policy, determines the corresponding access gateway device for the user group to be accessed from the at least two gateway devices.
Second method: obtain load information of the at least two gateway devices and, according to the load information, select the gateway device with the smallest load among the at least two gateway devices as the access gateway device for the user group to be accessed.
The static gateway allocation policy may be a policy preset when the network is deployed. It includes a gateway allocation mode, which indicates the correspondence between the user group identifier of a user group to be accessed and a gateway device identifier. The specific static gateway allocation policy can be set according to the networking situation and is not described in detail in the embodiments of the present invention. The uplink or downlink bandwidth of the device, the port traffic occupancy ratio of the gateway device, and the CPU usage of the gateway device are not limited in this embodiment of the present invention.
The load information of the at least two gateway devices may be obtained directly by the aggregation device, as follows:
the aggregation device receives load information periodically sent by the at least two gateway devices; or the aggregation device periodically queries the at least two gateway devices and obtains their load information.
Alternatively, the aggregation device may obtain the load information of the at least two gateway devices through another device dedicated to monitoring gateway device load in real time; this is not described further in the embodiments of the present invention.
It should be noted that both the first method and the second method can be used when some user groups have already been accessed on the at least two gateway devices, and the first method can also be used when no user group has yet been accessed on the at least two gateway devices. The embodiments of the present invention do not limit how the first and second methods are used.
102. The aggregation device sends an activation message to the access gateway device, where the activation message includes the user group identifier of the user group to be accessed, so that the access gateway device provides an online access service for the users identified by the user group identifier.
The user group identifier may be an sVlan (Service Virtual Local Area Network) identifier. The user group identifier used in the embodiments of the present invention is not limited to an sVlan; it may be any other information that can identify a user group, such as a PWE3 (Pseudo-Wire Emulation Edge to Edge, a pseudo-wire technology) identifier or a PVC (Permanent Virtual Connection, an ATM technology) identifier. The embodiments of the present invention do not limit this.
The online access service may include, but is not limited to, user access authentication and authorization and user IP address allocation.
In the method for user access control provided by this embodiment of the present invention, an access gateway device is determined for the user group to be accessed from at least two gateway devices, and an activation message is sent to the access gateway device so that it provides an online access service for the users identified by the user group identifier. A user can therefore come online through any of the gateway devices, which avoids the load imbalance caused by a large number of users coming online on the same gateway device and gives users a better online service.
An embodiment of the present invention provides another method for user access control. As shown in FIG. 2, the method includes:
201. An aggregation device determines, from at least two gateway devices, an access gateway device for a user group to be accessed.
The description of step 201 is the same as that of step 101 and is not repeated here.
202. The aggregation device sends an activation message to the access gateway device, where the activation message includes the user group identifier of the user group to be accessed, so that the access gateway device provides an online access service for the users identified by the user group identifier.
The description of step 202 is the same as that of step 102 and is not repeated here.
203. Obtain load information of the at least two gateway devices.
The way the load information of the at least two gateway devices is obtained is the same as described in step 101 and is not repeated here.
The description of the load information is the same as that in step 102 and is not detailed again here.
204. According to the load information, determine whether any of the at least two gateway devices has a load exceeding its corresponding load threshold.
The load threshold may be set to different values depending on the kind of load information. For example, the load threshold may be set to the upper limit on the number of users on a gateway that does not degrade the user experience. The embodiments of the present invention do not limit this.
205. When the load of a first gateway device among the at least two gateway devices exceeds its corresponding load threshold, select, from the gateway devices among the at least two gateway devices whose load does not exceed their corresponding load thresholds, the gateway device with the smallest load as a second gateway device.
206. Switch one or more user groups accessed through the first gateway device to access through the second gateway device, so that the load of the first gateway device does not exceed its corresponding load threshold.
Switching one or more user groups accessed through the first gateway device to access through the second gateway device may be implemented as follows:
Send a deactivation message to the first gateway device, where the deactivation message includes the user group identifiers of those user groups, so that the first gateway device stops providing the online access service for the users identified by those user group identifiers.
Send an activation message to the second gateway device, where the activation message includes the user group identifiers of those user groups, so that the second gateway device can provide the online access service for the users identified by those user group identifiers.
How the first gateway device stops providing the online access service for the users identified by those user group identifiers, and how the second gateway provides the online access service for the user groups identified by those user group identifiers, are techniques well known to a person skilled in the art and are not described in detail in the embodiments of the present invention. The description of the online access service is the same as that in step 102 and is not repeated here.
Optionally, after step 202, in which the aggregation device sends the activation message to the access gateway device, as shown in FIG. 3, the method further includes:
301. Detect the status of the at least two gateway devices.
302. When a failure of a third gateway device among the at least two gateway devices is detected, switch one or more user groups on the third gateway device to a switching gateway device, the switching gateway
The switching gateway device may be, for the one or more user groups on the third gateway, a gateway device whose load does not exceed its corresponding threshold.
303. Send an activation message to the switching gateway device, where the activation message includes the user group identifiers of the one or more user groups on the third gateway, so that the switching gateway device provides the online access service for the users identified by those user group identifiers.
Further optionally, to ensure that users on a failed gateway are not dropped when the gateway fails, user data may be backed up. After step 202, in which the aggregation device sends the activation message to the access gateway device, as shown in FIG. 4, the method further includes:
401. Allocate a corresponding backup gateway device to an accessed user group, where the backup gateway device is used to provide the online access service for the accessed user group when the gateway providing that service for the accessed user group fails.
402. Send a backup indication message to the gateway device that provides the online access service for the accessed user group, where the backup indication message includes the user group identifier of the accessed user group and the gateway device identifier of the backup gateway device, so that the gateway device providing the online access service for the accessed user group backs up the data of the users identified by that user group identifier to the backup gateway device.
The data of the user is, of the port through which the user group where the user is located accesses the server,
Before the backup indication message is sent to the gateway device that provides the online access service for the accessed user group, the method may further include: determining a backup mode from predetermined backup modes, where the predetermined backup modes include hot standby and warm standby.
In hot standby, the data of the users on the primary gateway is backed up to the corresponding backup gateway, and the user data is kept in a ready-to-send state on that backup gateway, so that when the primary gateway fails the backup gateway can send user data directly and users are not dropped. In warm standby, the data of the users on the primary gateway is backed up to the corresponding backup gateway and recorded there, and when the primary gateway fails the backup gateway starts sending user data only after it receives a command from the server to handle user data in place of the primary gateway.
In the method for user access control provided by this embodiment of the present invention, an access gateway device is determined for the user group to be accessed from at least two gateway devices, and an activation message is sent to the access gateway device so that it provides an online access service for the users identified by the user group identifier. A user can therefore come online through any of the gateway devices, which solves the problem of users coming online unevenly. In addition, according to the load of each gateway, users of an overloaded gateway are switched to a gateway that is not overloaded, which balances the load across the gateways. During the switch, the overloaded gateway stops serving the users that have been switched away, which saves gateway resources.
Furthermore, through user data backup and gateway device fault handling, the method for user access control provided by this embodiment of the present invention allows users to stay online when a gateway device fails, so that users get a better online service.
For example, FIG. 5 is a schematic diagram of information interaction for user access control according to an embodiment of the present invention. The aggregation device is a local area network switch (LAN Switch). User equipment (UE) connects to the aggregation device through an access device, such as a Digital Subscriber Line Access Multiplexer (DSLAM).
501. The LAN Switch assigns the user group to be accessed, in which the user equipment UE1 under DSLAM1 is located, to BNG1. The LAN Switch sends an activation message to BNG1, and the activation message includes sVlan1, the identifier of the user group where UE1 is located.
sVlan (Service Virtual Local Area Network) is defined in IEEE 802.1Q. The user group identifier used in the embodiments of the present invention is not limited to an sVlan. PWE3 (Pseudo-Wire Emulation Edge to Edge, a pseudo-wire technology) and PVC (Permanent Virtual Connection, an ATM technology) can also be used as user group identifiers, as can any other information that can identify a user group. The embodiments of the present invention do not limit this.
502. UE1 sends a DHCP Discover message to DSLAM1.
503. DSLAM1 receives the DHCP Discover message, carries the UE's identification information cVlan and sVlan1 in the DHCP Discover message, and sends it to the LAN Switch.
504. The LAN Switch sends the DHCP Discover message to BNG1, BNG2, and BNG3.
505. After receiving the message containing sVlan1, BNG1, BNG2, and BNG3 each determine whether the user group identified by sVlan1 has been activated locally. BNG1 determines that it has, and BNG2 and BNG3 determine that it has not. BNG1 then performs the user access procedure, which includes authenticating the user, allocating an address to the user, and sending a DHCP Offer message to the LAN Switch. BNG2 and BNG3 discard the received DHCP Discover message.
506. The LAN Switch receives the DHCP Offer message, which contains cVlan1 and sVlan1, and sends the DHCP Offer message to DSLAM1.
507. DSLAM1 delivers the DHCP Offer message to the port where UE1 is located.
508. UE1 sends a DHCP Request message, which is forwarded to BNG1 through DSLAM1 and the LAN Switch.
509. BNG1 replies with a DHCP ACK message, which is forwarded to UE1 through the LAN Switch and DSLAM1.
510. UE1 obtains its IP address and gateway address from the DHCP ACK message and sends an ARP Request message to request the MAC address corresponding to the gateway address.
511. BNG1 responds to the ARP Request message sent by UE1.
512. The ARP Response message is delivered to UE1 through DSLAM1.
Steps 501 to 512 complete the procedure in which the user group where UE1 is located is accessed on BNG1.
Further, FIG. 6 is a schematic diagram of another information interaction for user access control according to an embodiment of the present invention.
601. The LAN Switch obtains the load information of BNG1, BNG2, and BNG3.
602. The LAN Switch detects that the load of BNG1 exceeds its corresponding load threshold. It selects BNG2, the one with the lower load of BNG2 and BNG3, as the target of the load migration, and chooses to migrate out the user group where UE1 is located.
603. The LAN Switch sends a deactivation message to BNG1, and the deactivation message includes sVlan1.
604. The LAN Switch sends an activation message to BNG2, and the activation message includes sVlan1.
605. BNG2 sends a gratuitous ARP to the LAN Switch.
606. UE1 and BNG2 complete the DHCP request procedure and the ARP request procedure.
Steps 601 to 606 complete the procedure in which the user group where UE1 is located is migrated from the heavily loaded BNG1 to the lightly loaded BNG2, which can solve the problems of uneven user access and unbalanced load among BNGs. It should be noted that step 606 is implemented in the same way as steps 502 to 512, and this is not repeated here.
Further optionally, FIG. 7 is a schematic diagram of another information interaction for user access control according to an embodiment of the present invention.
701. The LAN Switch determines that BNG2 backs up the user group data of BNG1.
702. The LAN Switch sends a backup indication message to BNG1. The message includes sVlan1 and the identifier of the backup target BNG2, for example the IP address of BNG2.
703. BNG1 backs up the user data on BNG1 to BNG2.
Steps 701 to 703 complete the procedure in which the user data on BNG1 is backed up to BNG2, so that when BNG1 fails, BNG3 can directly handle the user services on BNG1, ensuring that users can still access the network normally.
Further optionally, FIG. 8 is a schematic diagram of another information interaction for user access control according to an embodiment of the present invention.
801. The LAN Switch receives the keepalive messages sent by BNG1, BNG2, and BNG3.
802. The LAN Switch does not receive a keepalive message from BNG1 and determines that BNG1 has failed.
803. The LAN Switch switches the user group where user UE1 on BNG1 is located to the corresponding backup gateway device BNG2; or, based on the load reported by BNG2 and BNG3, it selects whichever of BNG2 and BNG3 has the lower load to carry the users on BNG1. The following description assumes that the LAN Switch chooses to switch the user group where user UE1 on BNG1 is located to BNG2.
804. The LAN Switch sends an activation message to BNG2, and the activation message carries sVlan1.
805. BNG2 sends a gratuitous ARP to the LAN Switch.
806. UE1 and BNG2 complete the DHCP request procedure and the ARP request procedure.
Steps 801 to 806 complete the procedure in which the user group where UE1 is located is switched to BNG2 when BNG1 fails, so that when a user's access gateway fails, the user can come online through another gateway by dynamic adjustment.
It should also be noted that if BNG2 has backed up the data of user group sVlan1 in advance, step 806 can be omitted: the user does not need to go through the online procedure again and keeps its network access through BNG2.
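The control decisions of steps 101-102, 203-206, 301-303 and 401-402, as walked through in FIGS. 5 to 8, can be modelled as follows. This is an added example, not code from the patent: the class and method names, the user-count load metric, the smallest-group-first choice and the capacity check on the target gateway are assumptions, and the scenario values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    threshold: int                                # load threshold (assumed metric: online users)
    alive: bool = True
    active: dict = field(default_factory=dict)    # activated user group id -> online users

    @property
    def load(self):
        return sum(self.active.values())


class Aggregator:  # hypothetical model of the aggregation device (LAN Switch in FIGS. 5-8)
    def __init__(self, gateways):
        self.gws = {g.name: g for g in gateways}
        self.backup_of = {}                       # user group id -> backup gateway name
        self.sent = []                            # (message, gateway, group) in send order

    def _least_loaded(self, exclude=(), extra=0):
        # Live gateways that stay within their threshold after taking `extra` users.
        ok = [g for g in self.gws.values() if g.alive and g.name not in exclude
              and g.load + extra <= g.threshold]
        return min(ok, key=lambda g: g.load) if ok else None

    def owner(self, group):
        return next((g for g in self.gws.values() if group in g.active), None)

    def responders(self, group):
        # Steps 504-505: every BNG sees the Discover, only a live one with the group active answers.
        return [g.name for g in self.gws.values() if g.alive and group in g.active]

    def activate(self, group, users):
        """Steps 101-102 (second method): activate the group on the least-loaded gateway."""
        gw = None if self.owner(group) else self._least_loaded(extra=users)
        if gw is None:
            raise ValueError(f"{group}: already activated or no gateway has capacity")
        gw.active[group] = users
        self.sent.append(("activate", gw.name, group))
        return gw.name

    def _move(self, group, src, dst):
        users = src.active.pop(group)
        if src.alive:                             # steps 603-604: deactivate, then activate
            self.sent.append(("deactivate", src.name, group))
        dst.active[group] = users
        self.sent.append(("activate", dst.name, group))
        if self.backup_of.get(group) == dst.name:
            del self.backup_of[group]             # the backup is now the serving gateway

    def rebalance(self):
        """Steps 203-206: move groups off each gateway whose load exceeds its threshold."""
        moved = []
        for src in list(self.gws.values()):
            while src.alive and src.load > src.threshold:
                group = min(src.active, key=src.active.get)   # smallest group first
                dst = self._least_loaded(exclude=(src.name,), extra=src.active[group])
                if dst is None:
                    break                         # no peer can take it without overloading
                self._move(group, src, dst)
                moved.append((group, src.name, dst.name))
        return moved

    def assign_backup(self, group):
        """Steps 401-402: pick a backup gateway, send the backup indication to the owner."""
        owner = self.owner(group)
        bak = self._least_loaded(exclude=(owner.name,), extra=owner.active[group])
        if bak is None:
            raise RuntimeError(f"no gateway can back up {group}")
        self.backup_of[group] = bak.name
        self.sent.append(("backup", owner.name, group))
        return bak.name

    def keepalive_missed(self, name):
        """Steps 301-303 and 802-804: fail over every group of a silent gateway."""
        dead = self.gws[name]
        dead.alive = False
        moved = []
        for group in list(dead.active):
            bak = self.gws.get(self.backup_of.get(group))
            dst = bak if bak and bak.alive else self._least_loaded((name,), dead.active[group])
            if dst is None:
                continue                          # no capacity anywhere: group stays offline
            relogin = dst is not bak              # step 806 is skipped if data was backed up
            self._move(group, dead, dst)
            moved.append((group, dst.name, relogin))
        return moved


def demo():
    # Constructed scenario: thresholds and user counts are made up for the example.
    agg = Aggregator([Gateway(n, 100) for n in ("BNG1", "BNG2", "BNG3")])
    groups = {"sVlan1": 20, "sVlan2": 30, "sVlan3": 30, "sVlan4": 45}
    placed = [agg.activate(g, n) for g, n in groups.items()]
    agg.gws["BNG1"].active["sVlan1"] = 60         # load report: BNG1 now carries 105 users
    steps = (placed, agg.rebalance(), agg.assign_backup("sVlan1"), agg.keepalive_missed("BNG1"))
    return agg, steps
```

Sending the deactivation before the activation keeps at most one BNG answering the flooded DHCP Discover for a given sVlan; `responders()` is the check an operator would run after any move.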
An embodiment of the present invention provides a network device for user access control. As shown in FIG. 9, the network device includes a determining unit 901 and a first sending unit 902.
The determining unit 901 is configured to determine, from at least two gateway devices, an access gateway device for the user group to be accessed.
The first sending unit 902 is configured to send an activation message to the access gateway device determined by the determining unit 901, where the activation message contains the user group identifier of the user group to be accessed, so that the selected gateway device provides online access service for the users identified by the user group identifier.
Further, as shown in FIG. 10, the device includes an acquiring unit 903, a judging unit 904, a selecting unit 905 and a first switching unit 906.
The acquiring unit 903 is configured to acquire load information of the at least two gateway devices.
The judging unit 904 is configured to judge, according to the load information acquired by the acquiring unit 903, whether any of the at least two gateway devices has a load that exceeds its corresponding load threshold.
The selecting unit 905 is configured to, when the load of a first gateway device among the at least two gateway devices exceeds its corresponding load threshold, select as the second gateway device the gateway device with the smallest load from among those gateway devices whose load does not exceed their corresponding load threshold.
The first switching unit 906 is configured to switch one or more user groups that access through the first gateway device to access through the second gateway device selected by the selecting unit 905, so that the load of the first gateway device does not exceed its corresponding load threshold.
Further, as shown in FIG. 11, the device includes an allocating unit 907 and a second sending unit 908.
The allocating unit 907 is configured to allocate a backup gateway device to a user group that has already been accessed, where the backup gateway device is used to provide online access service for the accessed user group when the gateway that provides online access service for that user group fails.
The second sending unit 908 is configured to send a backup indication message to the gateway device that provides online access service for the accessed user group, where the backup indication message contains the user group identifier of the accessed user group and the gateway device identifier of the backup gateway device, so that the gateway device that provides online access service for the accessed user group backs up the data of the users identified by the user group identifier of the accessed user group to the backup gateway device.
Further, as shown in FIG. 12, the device also includes a detecting unit 909, a second switching unit 910 and a third sending unit 911.
The detecting unit 909 is configured to detect the status of the at least two gateway devices.
The second switching unit 910 is configured to, when the detecting unit 909 detects that a third gateway device among the at least two gateway devices has failed, switch one or more user groups on the third gateway device to a switching gateway device, where the switching gateway device is a gateway device among the at least two gateway devices that has not failed.
The third sending unit 911 is configured to send an activation message to the switching gateway device, where the activation message contains the user group identifiers of the one or more user groups on the third gateway, so that the switching gateway device can provide online access service for the users identified by those user group identifiers.
An embodiment of the present invention further provides a system for user access control. As shown in FIG. 13, the system includes a network device for user access control and at least two gateway devices, where the network device for user access control is aggregation device 1101 and the at least two gateway devices are gateway device 1102a and gateway device 1102b.
The aggregation device 1101 is configured to determine, from the at least two gateway devices, the gateway device 1102a through which the user group to be accessed will access, and to send an activation message to the gateway device 1102a, where the activation message contains the user group identifier of the user group to be accessed.
The gateway device 1102a is configured to receive the activation message sent by the aggregation device 1101 and to provide online access service for the users identified by the user group identifier.
Further, the aggregation device 1101 is also configured to allocate a backup gateway device 1102b to the accessed user group and to send a backup indication message to the gateway device 1102a that is providing online access service for the accessed user group.
The gateway device 1102a is further configured to receive the backup indication message sent by the aggregation device 1101, where the backup indication message contains the user group identifier of the accessed user group and the gateway device identifier of the backup gateway device 1102b, and to back up the data of the users identified by the user group identifier of the accessed user group to the backup gateway device 1102b.
And when it is detected that gateway device 1102a among the at least two gateway devices has failed, one or more user groups on gateway device 1102a are switched to the switching gateway device 1102b, and an activation message is sent to the switching gateway device 1102b.
The gateway device 1102a is further configured to receive the activation message sent by the aggregation device 1101, where the activation message contains the user group identifiers of the one or more user groups on gateway device 1102a, and to provide online access service for the users identified by the user group identifiers of the one or more user groups on gateway device 1102b.
In the method, network device and system for user access control provided by the embodiments of the present invention, an access gateway device is determined for the user group to be accessed from among at least two gateway devices, and an activation message is sent to that access gateway device so that it provides online access service for the users identified by the user group identifier. Users can therefore go online through any one of the gateway devices, which solves the problem of users going online unevenly. In addition, according to the load of each gateway, the users of an overloaded gateway are switched to a gateway that is not overloaded, which balances the load across the gateways. During the switch, the overloaded gateway stops serving the users that have been switched away, which saves gateway resources.
Furthermore, through the backup of user data and the handling of gateway device failures, the method, network device and system for user access control provided by the embodiments of the present invention allow users to remain online when a gateway device fails, so that users receive better online service.
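The following Python model is an added example, not code from the patent: it plays the aggregation device's role for the behaviour described above, covering least-loaded selection, activation and deactivation messages keyed by user group identifier, backup assignment, and failover after a missed keepalive. The class and method names, the session-count load unit, the choice of which group to move, and the headroom check in `_pick` are assumptions; the gateway names and sVlan IDs are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    threshold: int                               # load threshold, in sessions (assumed unit)
    alive: bool = True
    active: dict = field(default_factory=dict)   # user group ID -> load it contributes
    backed_up: set = field(default_factory=set)  # group IDs whose user data is backed up here

    @property
    def load(self):
        return sum(self.active.values())


class Aggregator:
    """Constructed model of the aggregation device (the LAN Switch in steps 802-806)."""

    def __init__(self, gateways):
        self.gws = {g.name: g for g in gateways}
        self.backup_of = {}  # user group ID -> name of its backup gateway
        self.sent = []       # control messages: (type, destination, group ID[, backup gateway])

    def _pick(self, need, exclude=()):
        # Least-loaded live gateway. Assumption beyond the page: the candidate must
        # stay within its threshold after taking `need`, so a move cannot overload it.
        ok = [g for g in self.gws.values()
              if g.alive and g.name not in exclude and g.load + need <= g.threshold]
        return min(ok, key=lambda g: (g.load, g.name), default=None)

    def _activate(self, gw, group, load):
        gw.active[group] = load
        self.sent.append(("activate", gw.name, group))

    def attach(self, group, load):
        """Choose the access gateway for a new group, activate it, assign a backup."""
        gw = self._pick(load)
        if gw is None:
            raise RuntimeError("no gateway has room for " + group)
        self._activate(gw, group, load)
        bak = self._pick(load, exclude={gw.name})
        if bak is not None:
            self.backup_of[group] = bak.name
            self.sent.append(("backup-indication", gw.name, group, bak.name))
            bak.backed_up.add(group)  # the serving gateway copies user data to the backup
        return gw.name

    def rebalance(self):
        """Move groups off every gateway whose load exceeds its threshold."""
        moves = []
        for src in self.gws.values():
            while src.alive and src.load > src.threshold:
                group, load = min(src.active.items(), key=lambda kv: kv[1])
                dst = self._pick(load, exclude={src.name})
                if dst is None:
                    break  # no gateway has room: leave the remaining groups in place
                del src.active[group]
                self.sent.append(("deactivate", src.name, group))  # src stops serving
                self._activate(dst, group, load)
                moves.append((group, src.name, dst.name))
        return moves

    def gateway_failed(self, name):
        """Keepalive missed: switch each group to its backup or another live gateway."""
        failed = self.gws[name]
        failed.alive = False
        outcome = {}
        for group, load in list(failed.active.items()):
            bak = self.gws.get(self.backup_of.get(group))
            dst = bak if bak is not None and bak.alive else self._pick(load)
            if dst is None:
                continue  # nothing can take the group: its users stay offline
            del failed.active[group]
            self._activate(dst, group, load)
            # Users repeat DHCP/ARP (step 806) only if dst holds no backup of their data.
            outcome[group] = (dst.name, group not in dst.backed_up)
        return outcome


def demo():
    # Constructed scenario: three gateways, four user groups.
    agg = Aggregator([Gateway("BNG1", 100), Gateway("BNG2", 100), Gateway("BNG3", 150)])
    placed = [agg.attach(g, n) for g, n in
              [("sVlan1", 50), ("sVlan2", 50), ("sVlan3", 50), ("sVlan4", 20)]]
    agg.gws["BNG1"].active["sVlan1"] = 90   # constructed load growth: BNG1 is now at 110
    moves = agg.rebalance()
    failover = agg.gateway_failed("BNG2")
    return agg, placed, moves, failover


if __name__ == "__main__":
    print(demo()[1:])
```

In the demo, sVlan4 was rebalanced onto the gateway that had been assigned as its backup, so when that gateway fails its users land on a gateway holding no copy of their data and must go online again, whereas sVlan2 fails over to its backup without a new online process.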
From the description of the above embodiments, a person skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a floppy disk, hard disk or optical disc of a computer, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them. Any change or substitution that a person familiar with this technical field could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims

1. A method for user access control, characterized by comprising:
determining, from at least two gateway devices, an access gateway device for a user group to be accessed;
sending an activation message to the access gateway device, the activation message containing the user group identifier of the user group to be accessed, so that the access gateway device provides online access service for the users identified by the user group identifier.
2. The method for user access control according to claim 1, characterized in that determining, from at least two gateway devices, an access gateway device for the user group to be accessed specifically comprises:
acquiring a static gateway allocation policy and, according to the static gateway allocation policy, determining from the at least two gateway devices the corresponding access gateway device for the user group to be accessed.
3. The method for user access control according to claim 1, characterized in that determining, from at least two gateway devices, an access gateway device for the user group to be accessed comprises:
acquiring load information of the at least two gateway devices;
selecting, according to the load information, the gateway device with the smallest load from the at least two gateway devices as the access gateway device for the user group to be accessed.
4. The method for user access control according to any one of claims 1 to 3, characterized in that, after the activation message is sent to the access gateway device, the method further comprises:
acquiring load information of the at least two gateway devices;
judging, according to the load information, whether any of the at least two gateway devices has a load that exceeds its corresponding load threshold;
when the load of a first gateway device among the at least two gateway devices exceeds its corresponding load threshold, selecting as a second gateway device the gateway device with the smallest load from among those gateway devices whose load does not exceed their corresponding load threshold;
switching one or more user groups that access through the first gateway device to access through the second gateway device, so that the load of the first gateway device does not exceed its corresponding load threshold.
5. The method for user access control according to claim 4, characterized in that switching one or more user groups that access through the first gateway device to access through the second gateway device specifically comprises:
sending a deactivation message to the first gateway device, the deactivation message containing the user group identifiers of the one or more user groups, so that the first gateway device stops providing online access service for the users identified by the user group identifiers of the one or more user groups;
sending an activation message to the second gateway device, the activation message containing the user group identifiers of the one or more user groups, so that the second gateway provides online access service for the users identified by the user group identifiers of the one or more user groups.
6. The method for user access control according to any one of claims 1 to 5, characterized in that, after the activation message is sent to the access gateway device, the method further comprises:
allocating a backup gateway device to a user group that has already been accessed, the backup gateway device being used to provide online access service for the accessed user group when the gateway device that provides online access service for the accessed user group fails;
sending a backup indication message to the gateway device that provides online access service for the accessed user group, the backup indication message containing the user group identifier of the accessed user group and the gateway device identifier of the backup gateway device, so that the gateway device that provides online access service for the accessed user group backs up the data of the users identified by the user group identifier of the accessed user group to the backup gateway device.
7. The method for user access control according to any one of claims 1 to 6, characterized in that, after the activation message is sent to the access gateway device, the method further comprises:
detecting the status of the at least two gateway devices;
when it is detected that a third gateway device among the at least two gateway devices has failed, switching one or more user groups on the third gateway device to a switching gateway device, the switching gateway device being a gateway device among the at least two gateway devices that has not failed;
sending an activation message to the switching gateway device, the activation message containing the user group identifiers of the one or more user groups on the third gateway, so that the switching gateway device provides online access service for the users identified by the user group identifiers of the one or more user groups on the third gateway.
8. The method for user access control according to claim 7, characterized in that the switching gateway device comprises: the backup gateway device corresponding to the one or more user groups on the third gateway; ... a gateway device of its corresponding threshold.
9. A network device for user access control, characterized by comprising:
a determining unit, configured to determine, from at least two gateway devices, an access gateway device for a user group to be accessed;
a first sending unit, configured to send an activation message to the access gateway device determined by the determining unit, the activation message containing the user group identifier of the user group to be accessed, so that the access gateway device provides online access service for the users identified by the user group identifier.
10. The network device for user access control according to claim 9, characterized by further comprising:
an acquiring unit, configured to acquire load information of the at least two gateway devices;
a judging unit, configured to judge, according to the load information acquired by the acquiring unit, whether any of the at least two gateway devices has a load that exceeds its corresponding load threshold;
a selecting unit, configured to, when the load of a first gateway device among the at least two gateway devices exceeds its corresponding load threshold, select as a second gateway device the gateway device with the smallest load from among those gateway devices whose load does not exceed their corresponding load threshold;
a first switching unit, configured to switch one or more user groups that access through the first gateway device to access through the second gateway device selected by the selecting unit, so that the load of the first gateway device does not exceed its corresponding load threshold.
11. The network device for user access control according to claim 9, characterized by further comprising:
an allocating unit, configured to allocate a backup gateway device to a user group that has already been accessed, the backup gateway device being used to provide online access service for the accessed user group when the gateway that provides online access service for the accessed user group fails;
a second sending unit, configured to send a backup indication message to the gateway device that provides online access service for the accessed user group, the backup indication message containing the user group identifier of the accessed user group and the gateway device identifier of the backup gateway device, so that the gateway device that provides online access service for the accessed user group backs up the data of the users identified by the user group identifier of the accessed user group to the backup gateway device.
12. The network device for user access control according to claim 9, characterized by further comprising:
a detecting unit, configured to detect the status of the at least two gateway devices;
a second switching unit, configured to, when the detecting unit detects that a third gateway device among the at least two gateway devices has failed, switch one or more user groups on the third gateway device to a switching gateway device, the switching gateway device being a gateway device among the at least two gateway devices that has not failed;
a third sending unit, configured to send an activation message to the switching gateway device, the activation message containing the user group identifiers of the one or more user groups on the third gateway, so that the switching gateway device can provide online access service for the users identified by the user group identifiers of the one or more user groups on the third gateway.
13. A system for user access control, characterized by comprising the network device for user access control according to any one of claims 9 to 12 and at least two gateway devices, wherein:
the gateway device is configured to receive the activation message sent by the network device and to provide online access service for the users identified by the user group identifier.
PCT/CN2012/084636 2011-11-25 2012-11-15 Method, network device and system for user access control WO2013075598A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110381826.3 2011-11-25
CN2011103818263A CN103139023A (en) 2011-11-25 2011-11-25 User access control method, network equipment and system

Publications (1)

Publication Number Publication Date
WO2013075598A1 (en) 2013-05-30

Family

ID=48469106

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/084636 WO2013075598A1 (en) 2011-11-25 2012-11-15 Method, network device and system for user access control

Country Status (2)

Country Link
CN (1) CN103139023A (en)
WO (1) WO2013075598A1 (en)

Also Published As

Publication number Publication date
CN103139023A (en) 2013-06-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12851192

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12851192

Country of ref document: EP

Kind code of ref document: A1