Embodiment
The present invention is described in detail below with reference to the accompanying drawings and in combination with the embodiments.
Fig. 1 shows a flow chart of the network traffic control method according to an embodiment of the invention.
With reference to Fig. 1, the network traffic control method according to the embodiment of the invention comprises the following steps:
Step S102: when a user accesses the network, determine the user's user role;
Step S104: look up the flow control policy corresponding to the user role in a pre-configured flow control policy list; and
Step S106: apply that flow control policy to control the user's network traffic.
The network traffic control method according to the embodiment of the invention controls a user's traffic by looking up, in a pre-configured flow control policy list, the flow control policy that corresponds to the user's role. This avoids binding the flow control policy to an IP address. It therefore overcomes the problem in the related art, where traffic is controlled by IP address and the same user may fall under different flow control policies at different times, which makes network traffic control inconvenient; the technical effect is flexible and convenient network traffic control.
Optionally, the flow control policy list also contains other parameters, such as interface, application, source address and destination address, so that the network administrator can apply more flexible network traffic control policies.
For example, the IP address of R&D engineer A of a certain company is 10.0.1.0, with a bandwidth limit of 4M/s; the IP address of marketing department employee B is 10.0.2.0, with a bandwidth limit of 2M/s. One day, A needs to work temporarily at B's workstation. With the network traffic control method of the related art, because A's IP address changes to B's IP address, A's bandwidth limit also becomes 2M/s instead of the 4M/s that A should have. If A needs 4M/s of bandwidth, the network administrator has to modify the flow control policy list, and has to modify it again when A goes back to using the original IP address. With the network traffic control method according to this embodiment, A only needs to access the network again from B's computer; A's user role is then automatically determined to be R&D engineer and A is allocated 4M/s of bandwidth, with no change to the flow control policy list. The network traffic control method according to the embodiment of the invention therefore makes network traffic control much more convenient.
Preferably, determining the user's user role when the user accesses the network specifically comprises: when the user accesses the network, determining the user role according to the user's attributes, where the user attributes include at least one of the following: user name, user group, IP address, security domain, access method, the PC used by the user, the security state of the PC used by the user, and the current time.
Which of the user attributes are used to determine the user role can be set by the network administrator according to the actual conditions of the network. For example, for a network with lower security requirements, the administrator can configure the user role to be determined from the user name alone; for a network with higher security requirements, the administrator can configure the user role to be determined from the user name together with the user's security domain. Besides the user attributes listed above, the user role can also be configured to be determined from other user attributes, for example a combination of the user's other roles. Optionally, the network administrator can also assign a user role directly to an accessing user as needed.
Preferably, the flow control policy list comprises a plurality of user roles and the flow control policy corresponding to each user role.
The flow control policy list is a static list configured by the network administrator. By introducing user roles into the flow control policy list, the network traffic control method according to the embodiment of the invention implements network traffic control policies based on user role, so that traffic control is applied to all users who share a user role. This avoids the inconvenience caused when an IP address changes and makes network traffic control easier.
Preferably, before the corresponding flow control policy is looked up in the pre-configured flow control policy list according to the user role, the method further comprises: establishing a user role list; and inserting the user's IP address and the user's user role into the user role list.
The user role list is a dynamic list in which the network administrator has pre-configured a plurality of user roles. When a new user accesses the network, one or more roles are assigned to the user according to the pre-configuration, and the newly connected user's IP address and roles are inserted into the user role list as a new entry, so that the user role corresponding to a data flow can be looked up and the corresponding flow control policy applied to that data flow. Optionally, the user role list can also include other attributes of the user.
Preferably, looking up the corresponding flow control policy in the pre-configured flow control policy list according to the user role specifically comprises: during data flow establishment, looking up the user role corresponding to the data flow in the user role list according to the IP address in the data flow; and looking up the corresponding flow control policy in the flow control policy list according to the user role corresponding to the data flow.
While a data flow is being established in the network, the source address or destination address carried in the IP header of the data flow can be used to look up the user role corresponding to the data flow in the user role list. The corresponding flow control policy is then looked up in the flow control policy list according to that user role, so that flow control is performed according to user role.
Preferably, before the corresponding flow control policy is looked up in the pre-configured flow control policy list according to the user role, the method further comprises: establishing a user role list; and inserting the user's IP address and security domain and the user's user role into the user role list.
When the user's IP address and security domain are inserted into the corresponding user entry of the user role list, the user role list contains at least the user IP address, the security domain and the corresponding user role, so that the user's role can be queried by combining IP address and security domain. Looking up the user by IP address combined with security domain allows a flow control policy to be assigned to the data flow more accurately. Optionally, the user role list can also include other attributes of the user.
Preferably, looking up the corresponding flow control policy in the pre-configured flow control policy list according to the user role specifically comprises: during data flow establishment, looking up the user role corresponding to the data flow in the user role list according to the IP address and security domain in the data flow; and looking up the corresponding flow control policy in the flow control policy list according to the user role corresponding to the data flow.
While a data flow is being established in the network, the IP address and security domain information carried by the data flow can be used to look up the user role corresponding to the data flow in the user role list. The corresponding flow control policy is then looked up in the flow control policy list according to that user role. Looking up the user by IP address combined with security domain allows a flow control policy to be assigned to the data flow more accurately.
Preferably, before the corresponding flow control policy is looked up in the pre-configured flow control policy list according to the user role, the method further comprises: establishing a user role list; and inserting the user's IP address and access method and the user's user role into the user role list.
When the user's IP address and access method are inserted into the corresponding user entry of the user role list, the user role list contains at least the user IP address, the access method and the corresponding user role, so that the user's role can be queried by combining IP address and access method. Looking up the user by IP address combined with access method allows a flow control policy to be assigned to the data flow more accurately. Optionally, the user role list can also include other attributes of the user.
Preferably, looking up the corresponding flow control policy in the pre-configured flow control policy list according to the user role specifically comprises: during data flow establishment, looking up the user role corresponding to the data flow in the user role list according to the IP address and access method in the data flow; and looking up the corresponding flow control policy in the flow control policy list according to the user role corresponding to the data flow.
While a data flow is being established in the network, the IP address and access method carried by the data flow can be used to look up the user role corresponding to the data flow in the user role list. The corresponding flow control policy is then looked up in the flow control policy list according to that user role. Looking up the user by IP address combined with access method allows a flow control policy to be assigned to the data flow more accurately.
Optionally, depending on the circumstances, the user's IP address can also be combined with both security domain and access method to look up the user role, for an even more accurate lookup.
Preferably, the above user can have a plurality of user roles.
The network traffic control method according to the embodiment of the invention also supports the case where one user has a plurality of user roles. When a user has several user roles at the same time, the network traffic control policy applied to that user depends on the priority among the user roles that the network administrator has configured in the flow control policy list; the corresponding flow control is applied by taking into account the priorities of all the user roles that the user has.
In addition, because the user role is related to the current time, the user role can also be looked up in the user list according to the IP address in the data flow combined with the current time, and the corresponding flow control policy is then looked up according to that user role.
With the network traffic control method according to the embodiment of the invention, the network administrator only needs to configure the traffic management policy list and the user role list to achieve traffic management by user role, which gives the technical effect of convenient and flexible network traffic control.
Fig. 2 shows a schematic diagram of network traffic control according to an embodiment of the invention.
As shown in Fig. 2, a company's switch supports 802.1x authentication. After a user authenticates, the system assigns the user a role according to the user's department. The user's role (department) then determines the bandwidth the user gets for Internet access. The flow control policy is shown in Table 1:
Table 1 Flow control policy list
Role | Interface | Source address | Destination address | Application | Flow control policy
Research and development department | e0/0 | Any | Any | Any | Per-IP bandwidth limit 2Mbps
Marketing department | e0/0 | Any | Any | Any | Per-IP bandwidth limit 1Mbps
Any | e0/0 | Any | Any | Thunder (Xunlei) | Limit 10Mbps
VP | e0/1 | Any | Any | Any | High priority
For engineers (Engineers), the system sets a maximum bandwidth of 2Mbps per person; for the marketing department (Marketing), the system sets a maximum bandwidth of 1Mbps per person; for everyone, the total bandwidth of the Thunder (Xunlei) application cannot exceed 10Mbps; the company's VP is on another port, e0/1, and the VP's traffic has high priority.
In addition, simply setting the role of every traffic policy to "Any", which matches all user roles, makes the network traffic control method of this embodiment compatible with the traffic policies of the related art. A flow control policy whose role is "Any" degenerates into an ordinary traffic policy.
The network traffic control method according to this embodiment combines user role, interface, source address, destination address and application to decide each user's network traffic control policy, and can therefore control network traffic conveniently and flexibly.
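The two lookups described above, written out as an added Python example that is not part of the original document: a dynamic user role list keyed by IP address, the static policy list holding the rows of Table 1, and a lookup that runs at data flow establishment. The ROLE_PRIORITY values, the shortened role names, and the choice to return every matching role-"Any" row alongside the best role-specific row are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"

@dataclass(frozen=True)
class Policy:
    role: str
    interface: str
    src: str      # "Any" or a CIDR prefix
    dst: str
    app: str
    action: str

# Static flow control policy list: the four rows of Table 1 (role names shortened).
POLICY_LIST = (
    Policy("R&D", "e0/0", ANY, ANY, ANY, "per-IP limit 2Mbps"),
    Policy("Marketing", "e0/0", ANY, ANY, ANY, "per-IP limit 1Mbps"),
    Policy(ANY, "e0/0", ANY, ANY, "Thunder", "limit 10Mbps"),
    Policy("VP", "e0/1", ANY, ANY, ANY, "high priority"),
)
# Assumed administrator-configured role priority (higher wins); values not from the page.
ROLE_PRIORITY = {"VP": 3, "R&D": 2, "Marketing": 1}

user_role_list = {}  # dynamic user role list: IP address -> set of roles

def on_user_access(ip, roles):
    """Insert (or replace) the entry for a user who has just accessed the network."""
    user_role_list[ip_address(ip)] = frozenset(roles)

def _addr_ok(pattern, ip):
    return pattern == ANY or ip_address(ip) in ip_network(pattern)

def _row_matches(p, iface, src, dst, app):
    return (p.interface == iface and _addr_ok(p.src, src)
            and _addr_ok(p.dst, dst) and p.app in (ANY, app))

def lookup(iface, src, dst, app):
    """At flow setup: source IP -> user roles -> matching policy actions."""
    roles = user_role_list.get(ip_address(src), frozenset())
    rows = [p for p in POLICY_LIST if _row_matches(p, iface, src, dst, app)]
    # Role "Any" rows match every flow, including flows from unlisted source IPs.
    actions = [p.action for p in rows if p.role == ANY]
    # Among the user's own roles, only the highest-priority role's row applies.
    own = [p for p in rows if p.role in roles]
    if own:
        best = max(own, key=lambda p: ROLE_PRIORITY.get(p.role, 0))
        actions.insert(0, best.action)
    return actions
```

A source IP with no entry in the user role list matches only the role-"Any" rows, so the result for an unauthenticated host is whatever those rows allow.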
From the above description it can be seen that the above embodiments of the present invention perform network traffic control according to user role, and thereby achieve the technical effect of controlling network traffic conveniently and flexibly.
Obviously, those skilled in the art will understand that each module or step of the present invention described above can be implemented with a general-purpose computing device. They can be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can each be made into a separate integrated circuit module, or a plurality of the modules or steps can be made into a single integrated circuit module. The present invention is thus not restricted to any specific combination of hardware and software.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.