CN102724087A - Method and system for realizing network resource sharing - Google Patents

Method and system for realizing network resource sharing

Info

Publication number
CN102724087A
Authority
CN
China
Prior art keywords
access
network
enterprise network
information
vlan
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011100772696A
Other languages
Chinese (zh)
Other versions
CN102724087B (en
Inventor
顾忠禹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201110077269.6A (granted as CN102724087B)
Priority to PCT/CN2012/072322 (published as WO2012130041A1)
Publication of CN102724087A
Application granted
Publication of CN102724087B
Current legal status: Expired - Fee Related

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and a system for realizing network resource sharing. The method comprises: a user device accesses an access device of a first enterprise network, and an authentication system performs access authentication for the first enterprise network; when the first enterprise network access authentication fails, the authentication system performs network resource sharing access authentication for the user; after the network resource sharing access authentication passes, the authentication system notifies the corresponding service gateway of the access position information of the user device, the user's network resource sharing demand information and the network access information of the network to be accessed; and the service gateway realizes the resource sharing. With the method and system of the invention, a user device of a second enterprise network can obtain a network connection to the Internet, or to the second enterprise network, through the access device of the first enterprise network without affecting the security of the first enterprise network.

Description

Method and system for realizing network resource sharing
Technical field
The present invention relates to the field of communications, and more specifically to a method and system for realizing network resource sharing.
Background technology
The Internet has become part of modern life, and people are increasingly unable to do without it. People access the Internet through the broadband infrastructure of offices, public places/hotspots, hotels or homes to obtain information, communicate, and complete work tasks or other network operations such as online games.
Fig. 1 is a schematic diagram of a typical network connection. For simplicity, "enterprise network" is used here as a general term covering the internal network of an enterprise or public institution, the internal network of a hotel, and hotspot networks such as those providing network access in an Internet cafe/teahouse, airport or coffee shop; it is not limited to the internal network of an enterprise.
Because of the construction level of the infrastructure and of management philosophy, current Internet access is still subject to certain restrictions; in other words, the goal of universal network access has not yet been realized. On the one hand this is a matter of network coverage and technical implementation; on the other hand, the thinking behind network management also imposes certain restrictions.
For example, when a customer visits an enterprise, the visited enterprise generally does not provide a network connection for the user, particularly an occasional visitor, out of consideration for network security and information confidentiality. Alternatively, only basic Internet access is provided through network isolation measures. In this case the customer's network use is heavily restricted: in most cases no network is available at all, because the visited enterprise does not offer the function, or only the Internet can be reached. A more ideal situation is that, through the network connection provided by the visited enterprise, the customer can not only access his own enterprise network but also the parts of the visited enterprise's network that are open to visitors, since work requires such network access for information sharing.
Fig. 2 is a diagram of a typical network that provides Internet access for customers. As shown in Fig. 2, the network requires special design, mainly to satisfy the requirements of network security. Customers can only use their dedicated network in customer areas, for example a reception room or hall, and only to access the Internet; they cannot access other parts of the network, and other parts of the network and its devices likewise cannot access the customer.
This is feasible only for large enterprises that have large premises (administrative areas) and reasonable IT service and network management capability. For a small company or small network, realizing such a function still has a considerable cost, and even basic isolation measures are often difficult to implement.
Further, in other situations, a user can access the network of his own enterprise through a public broadband access network using a specific program, generally a dial-up program. This is usually realized through L2TP (Layer 2 Tunneling Protocol) and requires the broadband service provider to support the associated function; alternatively, after obtaining an ordinary Internet connection, the client establishes a connection to its own enterprise network through IPsec or similar to exchange information.
Fig. 3 is a schematic diagram of a typical broadband dial-up user connecting to an enterprise network.
Generally, the bandwidth of such a network connection is subject to certain restrictions, which may affect the user's efficiency. Many functions are required in the network design, for example functional requirements on the BRAS (Broadband Remote Access Server) and on the user's client software. This function is not a general service, and its relative cost is fairly high.
The common practice at present is that the user, after obtaining Internet access, dials into the enterprise network remotely through the enterprise's own program. The functions available through such a connection are often limited, that is, the user cannot make comprehensive use of internal enterprise resources.
As network technology, applications and network deployment become more general, and against the background of cloud computing, enterprises outsource their IT functions to third parties or rent the services of cloud computing providers to realize their IT functions over shared network resources; providing universal network connectivity will be an important need in future network construction.
In particular, where the network of a small or medium-sized enterprise is itself realized on a cloud computing/network provider, developing a shared-access scheme has certain technical support and advantages.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method and system for realizing network resource sharing, so as to solve the problem that network resource sharing cannot be realized in existing enterprise networks.
To solve the above technical problem, the invention provides a method for realizing network resource sharing, applicable to a network environment comprising a first enterprise network and a second enterprise network, where the first and second enterprise networks comprise access devices. The method comprises:
a user device accesses an access device of the first enterprise network, and an authentication system performs first enterprise network access authentication on the user of the user device;
if the first enterprise network access authentication fails, the authentication system performs network resource sharing access authentication on the user of the user device;
after the network resource sharing access authentication passes, the authentication system notifies the corresponding service gateway of the access position information of the user device, the user's network resource sharing demand information and the network access information of the network to be accessed;
the service gateway realizes resource sharing according to the access position information, the network resource sharing demand information and the network access information of the network to be accessed.
Further, the access position information, the network resource sharing demand information and the network access information of the network to be accessed are either pre-configured or obtained through interaction between the authentication system and the user device before the authentication system notifies the service gateway; the user's network resource sharing demand information includes information indicating whether the Internet or the second enterprise network is to be accessed; realizing resource sharing means that the user device obtains a network connection to the Internet, or to the second enterprise network, through the access device of the first enterprise network and the service gateway.
Further, before the network resource sharing access authentication, the authentication system obtains the access position information of the user device and determines the corresponding service gateway from it; the access position information comprises the address or number of the access device and/or of the service gateway.
Further, the first enterprise network access authentication of the user of the user device is initiated towards the authentication system either by the user or by the access device when it detects that the link state of the interface has changed or that the accessing user has changed; before the user passes authentication, the access device forbids the user device from carrying out service communication, or processes only the protocol messages related to authentication.
Further, the network access information of the network to be accessed comprises the VLAN information of the network to be accessed and/or the access interface information and virtual interface information of that VLAN. When the network resource sharing demand information indicates that the Internet is to be accessed, the service gateway realizing resource sharing comprises: the service gateway generates a VLAN between itself and the access interface of the access device of the first enterprise network, and the service gateway realizes the Internet access;
When the network resource sharing demand information indicates that the second enterprise network is to be accessed, the service gateway realizing resource sharing comprises:
judging whether the first enterprise network accessed by the user device and the second enterprise network are co-located;
if they are not co-located, generating the VLAN between the service gateway and the access interface of the access device of the first enterprise network, establishing a tunnel to the second enterprise network, and associating the tunnel with the generated VLAN to realize the network connection;
if they are co-located, adding the access interface of the access device of the first enterprise network to the VLAN of the co-located second enterprise network; or alternatively using the aforementioned method for the non-co-located case;
The manner of generating the VLAN comprises dynamically configuring the VLAN or adding the access interface to an already configured VLAN; dynamic configuration means delivering a VLAN creation/join configuration template to the corresponding access device and to the device on which the VLAN interface resides.
Further, the network access information of the network to be accessed also comprises the access position information of the network to be accessed; the service gateway compares the access position information of the user device with the access position information of the network to be accessed; if they are consistent the networks are co-located, otherwise they are not co-located.
Further, the authentication system comprises the authentication systems of the first/second enterprise networks and the authentication system of the service provider/operator; the service gateway is realized as an extension on a Broadband Remote Access Server (BRAS); the service gateways comprise those of the first/second enterprise networks and of the service provider.
Further, when the user device needs to access the Internet, the user access interface of the generated VLAN includes only the access interface through which the user device accesses.
Further, the first enterprise network comprises a resource management module responsible for resource management; after the network resource sharing authentication passes, the authentication system also notifies the resource management module of the first enterprise network to record the access resource information occupied by the sharing.
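The method steps above, as an added example that is not part of the patent or of any ZTE code: a simulation of the cascaded authentication (first enterprise network, then sharing authentication), the hand-over of position/demand/network information to the service gateway, and the gateway's co-location decision (join the existing VLAN when co-located, dynamic VLAN plus tunnel otherwise). All class and field names, the plaintext credential tables, the action strings, and the rule that "same serving gateway" means co-located are assumptions made for the illustration.

```python
# Added example (not the patent's code): cascaded authentication and gateway decision.
from dataclasses import dataclass, field

INTERNET = "internet"


@dataclass(frozen=True)
class Position:
    """Access position information: access device, access port and serving gateway."""
    access_device: str
    port: str
    gateway: str


@dataclass
class Outcome:
    status: str                                # "enterprise", "shared" or "rejected"
    actions: list = field(default_factory=list)


class ServiceGateway:
    """Service gateway (in the patent an extension of the BRAS) that realizes the sharing."""

    def __init__(self, gateway_id, first_dynamic_vlan=3000):
        self.gateway_id = gateway_id
        self.next_vlan = first_dynamic_vlan

    def _dynamic_vlan(self, position):
        # A dynamically generated VLAN whose only user port is the user's own access port.
        vid = self.next_vlan
        self.next_vlan += 1
        return vid, f"vlan {vid} create on {position.access_device} ports=[{position.port}]"

    def realize(self, position, demand, net_info):
        """Return the configuration actions that realize the requested sharing."""
        if demand == INTERNET:
            vid, create = self._dynamic_vlan(position)
            return [create, f"{self.gateway_id}: route vlan {vid} to internet"]
        # demand names the second enterprise network; co-location is decided by comparing
        # the user's position with the network's position (assumption: same serving gateway).
        if net_info["position"].gateway == position.gateway:
            return [f"vlan {net_info['vlan']} add port {position.port} on {position.access_device}"]
        vid, create = self._dynamic_vlan(position)
        remote = net_info["position"].gateway
        return [create,
                f"{self.gateway_id}: tunnel to {remote} for {demand}",
                f"{self.gateway_id}: bind vlan {vid} to tunnel {demand}"]


class AuthenticationSystem:
    """Cascaded authentication: enterprise users first, then sharing users (steps 401/402)."""

    def __init__(self, enterprise_users, shared_users, networks, gateways):
        self.enterprise_users = enterprise_users   # {enterprise: {user: password}} (toy store)
        self.shared_users = shared_users           # {user: (password, home enterprise)}
        self.networks = networks                   # {enterprise: {"vlan": id, "position": Position}}
        self.gateways = gateways                   # {gateway_id: ServiceGateway}
        self.occupied = []                         # what the resource management module records

    def authenticate(self, first_enterprise, user, password, position, demand):
        deny = Outcome("rejected", [f"drop all service traffic on {position.port}"])
        # Step 401: first enterprise network access authentication.
        if self.enterprise_users.get(first_enterprise, {}).get(user) == password:
            return Outcome("enterprise", [f"permit service traffic on {position.port}"])
        # Step 402: first-network authentication failed, try sharing authentication.
        entry = self.shared_users.get(user)
        if entry is None or entry[0] != password:
            return deny
        home = entry[1]
        # A sharing user may reach the Internet or its own enterprise network, nothing else.
        if demand not in (INTERNET, home):
            return deny
        net_info = None if demand == INTERNET else self.networks[demand]
        actions = self.gateways[position.gateway].realize(position, demand, net_info)
        # Notify the first enterprise's resource management module of the occupied resource.
        self.occupied.append((first_enterprise, position, demand))
        return Outcome("shared", actions)


if __name__ == "__main__":
    # Constructed sample topology: ent1 and ent2 hang off gw-a, ent3 off gw-b.
    gws = {"gw-a": ServiceGateway("gw-a"), "gw-b": ServiceGateway("gw-b")}
    nets = {"ent2": {"vlan": 20, "position": Position("sw2", "0", "gw-a")},
            "ent3": {"vlan": 30, "position": Position("sw3", "0", "gw-b")}}
    auth = AuthenticationSystem({"ent1": {"alice": "a"}},
                                {"bob": ("b", "ent2"), "carol": ("c", "ent3")}, nets, gws)
    visitor_port = Position("sw1", "Gi0/5", "gw-a")
    for user, pw, demand in [("alice", "a", "ent1"), ("bob", "b", "ent2"),
                             ("carol", "c", "ent3"), ("bob", "b", INTERNET)]:
        print(user, demand, auth.authenticate("ent1", user, pw, visitor_port, demand))
```

The credential dictionaries stand in for the enterprise and service-provider authentication back ends; a deployment would query RADIUS or a directory rather than compare plaintext. The check that a sharing user can only be connected to the Internet or to its own home network is the point the claims hinge on: a visitor who fails the first enterprise's authentication must never end up in the first enterprise's VLANs.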
To solve the above technical problem, the present invention also provides a system for realizing network resource sharing, which runs in a network environment comprising a first enterprise network and a second enterprise network and comprises:
the access device of the first enterprise network, used to provide access for the user device and to send an access authentication request to the authentication system;
the authentication system, used to receive the access authentication request from the access device of the first enterprise network, to perform first enterprise network access authentication on the user of the user device and, after the first enterprise network access authentication fails, to perform network resource sharing access authentication on the user; and further used, after the network resource sharing access authentication passes, to notify the corresponding service gateway of the access position information of the user device, the user's network resource sharing demand information and the network access information of the network to be accessed;
the service gateway, used to realize resource sharing according to the access position information, the network resource sharing demand information and the network access information of the network to be accessed.
Further,
the access position information, the network resource sharing demand information and the network access information of the network to be accessed are either pre-configured or obtained through interaction between the authentication system and the user before the authentication system notifies the service gateway; the user's network resource sharing demand information includes information indicating whether the Internet or the second enterprise network is to be accessed; realizing resource sharing means that the user device obtains a network connection to the Internet, or to the second enterprise network, through the access device of the first enterprise network and the service gateway.
Further, before the network resource sharing access authentication, the authentication system is also used to obtain the access position information of the user device and to determine the corresponding service gateway from it; the access position information comprises the address or number of the access device and/or of the service gateway.
Further, the network access information of the network to be accessed also comprises the access position information of the network to be accessed; a co-location judging module compares the access position information of the user device with the access position information of the network to be accessed; if they are consistent the networks are co-located, otherwise they are not co-located.
With the method and system of the invention, a user device of the second enterprise network can obtain a network connection to the Internet, or to the second enterprise network, through the access device of the first enterprise network, without affecting the security of the first enterprise network, and without the user and the security of the second enterprise network being affected by the first network.
Brief description of the drawings
Fig. 1 is a schematic diagram of a typical network connection;
Fig. 2 is a diagram of a typical network that provides Internet access for customers;
Fig. 3 is a schematic diagram of a typical broadband dial-up user connecting to an enterprise network;
Fig. 4 is a schematic diagram of the method for realizing network resource sharing of the present invention;
Fig. 5 is an architecture diagram of an embodiment of the system for realizing network resource sharing of the present invention;
Fig. 6 is an architecture diagram of another embodiment of the system for realizing network resource sharing of the present invention;
Fig. 7 is a schematic diagram of a concrete example of the system for realizing network resource sharing of the present invention;
Fig. 8 is a schematic diagram of another concrete example of the system for realizing network resource sharing of the present invention;
Fig. 9 is a diagram of the position of the service gateway in the system for realizing network resource sharing of the present invention;
Fig. 10 is a schematic diagram of the module structure of the access device of the present invention;
Fig. 11 is a schematic diagram of the module structure of the service gateway;
Fig. 12 is a schematic flow chart of network resource sharing for accessing enterprise network 2;
Fig. 13 is a schematic flow chart of network resource sharing for realizing Internet access.
Detailed description of the embodiments
The method for realizing network resource sharing of the present invention applies to a network environment comprising a first enterprise network and a second enterprise network, where the first and second enterprise networks are each connected to an operator network to obtain Internet access. The first and second enterprise networks comprise, without limitation, the various devices that make up a network: switches, routers, firewalls, various servers and so on. Realizing resource sharing means that a user device of the second enterprise network obtains a network connection to the Internet, or to the second enterprise network, through the access device of the first enterprise network, without affecting the security of the first enterprise network and without the user and the security of the second enterprise network being affected by the first network.
The method of the present invention applies both to networks an enterprise deploys itself and to networks an enterprise has deployed by a service provider/operator.
As shown in Fig. 4, the method for realizing network resource sharing comprises the following steps:
Step 401: after the user device accesses the access device of the first enterprise network, the authentication system performs first enterprise network access authentication on the user of the user device;
To realize the described resource sharing while keeping network access secure, particularly when resources are shared, the core problem is to analyze which potential security threats exist. For example, a user may, within a very short time, unplug the network cable and replace the device; this could lead to illegal network access, namely impersonating a legitimate user by configuring the same MAC (Medium/Media Access Control) address and IP address as the legitimate user.
Before the user passes authentication, the access device forbids the user device from carrying out service communication, or processes only the protocol messages related to authentication; only after the user passes authentication is the user device's service traffic allowed through, otherwise all service traffic is refused.
In addition, a restriction is required that only user devices (such as PCs) may be connected to the access interface of the access device, and not switches or similar devices. If the access device cannot distinguish that a switch is attached, the following situation arises: among the user devices attached through the switch, once one passes authentication, the others can access the network as well. This seriously threatens network security. Preferably, attachment through a switch is prevented by refusing to process STP (Spanning Tree Protocol) BPDU (Bridge Protocol Data Unit) messages on the access interface, and/or by related mechanisms such as configuring the switch port as an edge port.
Usually, access authentication towards the authentication system can be initiated by the user or by the access device. Because the user cannot communicate before passing authentication, the user generally needs to initiate authentication actively. Existing authentication methods satisfy the relevant security requirements when the user has exclusive use of the resource. Under resource sharing, however, certain situations must be handled. A typical case is that, after access authentication has passed and normal communication is in progress, the user device on an interface is suddenly replaced by another device, which may create a security hole; this case must be handled. Concretely, when the interface state of the access device changes, the authentication system must be notified immediately and the user authenticated again, to guarantee secure network access.
For an Ethernet interface, preferably, the access device identifies whether a user device is attached, or detects whether the accessing user has changed, by detecting the link connection state of the interface, and initiates access authentication towards the authentication system when it detects that the interface link state has changed or that the accessing user has changed; preferably, the following detection method is used:
the LINK DOWN/UP mechanism of the interface (that is, detecting the connection state) is used to identify whether a user device is attached.
Concretely, after a link goes LINK DOWN and then LINK UP again, the access device/user identity must be authenticated again, to prevent impersonated access.
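The per-port admission rules described in this step (block all service traffic until authentication passes, pass only authentication protocol messages before that, refuse a port behind which a switch is detected, and force re-authentication on LINK DOWN/UP or when the accessing user changes), as an added example that is not the patent's or ZTE's code. The event names, the use of a BPDU as the switch indicator, the IPoE assumption that only DHCP and portal traffic pass before authentication, and the source MAC as the "accessing user" identity are illustrative assumptions.

```python
# Added example (not the patent's code): admission state machine of one access port.
from dataclasses import dataclass
from typing import Optional

# IPoE assumption: before authentication only DHCP and the captive-portal exchange pass.
AUTH_PROTOCOLS = {"dhcp", "http-portal"}


@dataclass
class Frame:
    src_mac: str
    proto: str          # "bpdu", "dhcp", "http-portal", "tcp", ...


class AuthRequestLog:
    """Stand-in for the authentication system: records the requests a port raises."""

    def __init__(self):
        self.requests = []

    def request(self, position, reason):
        self.requests.append((position["access_device"], position["port"], reason))


class AccessPort:
    """Per-port admission control on the access device."""

    def __init__(self, device, port, auth_system):
        self.device, self.port, self.auth = device, port, auth_system
        self.link_up = False
        self.authenticated_mac: Optional[str] = None
        self.blocked = False            # set once a switch is detected behind the port

    def position(self):
        # Access position information carried in every authentication request.
        return {"access_device": self.device, "port": self.port}

    def _require_auth(self, reason):
        self.authenticated_mac = None
        self.auth.request(self.position(), reason)

    def on_link(self, up):
        """LINK DOWN clears any authenticated state; LINK UP triggers (re-)authentication."""
        if not up:
            self.authenticated_mac = None
        elif not self.link_up:
            self._require_auth("link-up")
        self.link_up = up

    def auth_result(self, mac, passed):
        """Result pushed back by the authentication system for the device on this port."""
        if passed and self.link_up and not self.blocked:
            self.authenticated_mac = mac

    def on_frame(self, frame):
        """Return the port's decision for a frame: "forward", "to-auth" or "drop"."""
        if not self.link_up or self.blocked:
            return "drop"
        if frame.proto == "bpdu":
            # A BPDU can only come from a switch: refuse the port entirely.
            self.blocked = True
            self.authenticated_mac = None
            return "drop"
        if self.authenticated_mac is None:
            return "to-auth" if frame.proto in AUTH_PROTOCOLS else "drop"
        if frame.src_mac != self.authenticated_mac:
            # The accessing user changed without a link event: force re-authentication.
            self._require_auth("user-changed")
            return "drop"
        return "forward"
```

The MAC comparison is only a last resort: the text itself notes that an attacker can clone the MAC and IP address of the legitimate device, which is exactly why the link-state trigger, and not the MAC check, is the primary re-authentication event. A port that has seen a BPDU stays blocked until an administrator clears it; the example never re-admits it on its own.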
Step 402: if the first enterprise network access authentication fails, the authentication system performs network resource sharing access authentication on the user of the user device;
In the present invention, the authentication system used for access authentication can be divided functionally into two parts: first, authentication of user devices internal to an enterprise network (such as the enterprise's internal network); second, authentication of user devices sharing network resources. Concretely, this comprises authentication of company/intranet users, and authentication of the identity of resource-sharing users with the support of the service provider/operator network.
Different implementations are needed for different network deployment strategies. In particular, the authentication system includes but is not limited to the following two schemes:
Scheme one: each enterprise network uses its own independent authentication system. Users of that enterprise's network can generally pass authentication. For users who cannot pass the current enterprise's authentication (including users of the current enterprise network who entered a wrong user name or password, and users who do not belong to the current enterprise), the authentication function is forwarded to a system that can authenticate them. This is generally the service provider (which may also be the network operator/Internet connection provider), i.e. authentication is forwarded to the authentication system of the shared service provider network; further and optionally, authentication of the user may need to pass through the authentication system of the second enterprise network. See Fig. 5 and Fig. 7.
Scheme two: a unified user authentication system, i.e. the enterprise network's authentication system and the service provider's authentication system are the same system, performs authentication and, after authentication, transfers the user to the corresponding network. See Fig. 6.
Understandably, the two schemes differ in physical arrangement, but the authentication approach of the present invention is the same: first authenticate against the current enterprise network of the access device, and when that authentication fails, perform network resource sharing access authentication.
The two schemes each have advantages and disadvantages and can be chosen according to the concrete deployment scenario. When security requirements are higher, or an enterprise wants more independent network management and less reliance on the service provider's capabilities, scheme one can be selected. If the enterprise wants to save cost, or the network has already been outsourced to the service provider, scheme two can be adopted.
Under the situation of resource-sharing, the all-network access interface that enterprise network is inner can be opened to the exterior of enterprise user, realize that resource-sharing inserts, or only makes some particular network interface can realize that resource-sharing inserts through configuration.For realizing sharing, need verify the subscriber equipment of each access, to guarantee the fail safe of network insertion.That is, realizing under the situation that Internet resources are shared that the most basic requirement is, can not the wrong network; Be after subscriber equipment passes through the access authentication of current enterprise network, show it is the user of this enterprise network, just can insert this enterprise network; Otherwise, all should refuse the inaccessible Internet resources.
This differs from the situation of an enterprise that builds its own network. Generally speaking, an enterprise network is physically deployed inside the enterprise's own offices; outsiders generally cannot enter the network at will, and network access is generally not provided to the outside either; therefore the terminal equipment that connects is not authenticated. Because everyone who connects is an employee of the enterprise, the user's identity is trusted. Protecting information is of course a separate matter: not every employee who connects to the enterprise network may access all information, which is common knowledge in network design. Of course, user access can also be authenticated in order to manage users more strictly, but this only increases the cost and complexity of management, and ordinary enterprises do not do so.
The access device connects user equipment through a network access interface and supports authentication of the user. For example, the user is connected through an interface/cable interface of a switch, which supports user authentication. When user authentication is supported, the access position information of the user equipment needs to be provided, such as the position of the specific access device and the port/interface number.
Authentication of a particular item of user equipment is mainly access authentication based on the access interface of the access device. The access interface referred to in the present invention means the access point through which user equipment can access the network; the case where the user equipment is relayed through other equipment (for example a switch) at the access interface is excluded.
Specifically, authentication can be realized through a username/password mechanism. Of course, mechanisms such as a USB (Universal Serial Bus) Key can also be used to strengthen the authentication.
Depending on the access method, resource sharing can be realized through different schemes, for example through a WLAN (Wireless Local Area Network, i.e. a wireless enterprise network) or through the enterprise's internal Ethernet interface, and so on. For the former, access can be restricted through the WLAN username/password. For the enterprise's internal network interface, particularly the Ethernet interface, authentication needs to be considered comprehensively to prevent illegal access: especially where management measures are not in place, the harm of a non-employee being connected into the company's network is self-evident, so the network's security measures need strict design.
Against the present technical background there are several alternative schemes for user identity authentication, including PPPoE (Point-to-Point Protocol over Ethernet), 802.1x, and IPoE (IP over Ethernet, sometimes also called DHCP + Web Portal (forced portal)), among others.
Specifically, PPPoE requires dedicated equipment and a dial-up program on the client to perform authentication, and 802.1x requires support from the access switch; from a cost standpoint, these increase the cost of realizing the network. The IPoE scheme can be realized through software systems, with hardware support; comparatively, IPoE has little influence on existing network access, so the following discussion is mainly based on IPoE. The other authentication schemes are briefly described as well.
The basic authentication process is as shown in Figure 7: a user PC (computer) 1 powers on and accesses the network through an Ethernet interface of switch 1 of enterprise network 1. Assume here that the system prohibits, through a relevant mechanism, the connection of a further switch on the port, and that where virtual machines are supported, each virtual machine occupies one virtual port. To ensure that no counterfeit user gains access, a new authentication trigger condition is added to the existing user authentication mechanism: after a port is plugged in, authentication of the access device/user is triggered again, to prevent impersonated access. At this point switch 1 learns through LINK UP that the interface state has changed and needs to notify the upper-layer application of this event, specifically the authentication system of the current enterprise network 1 (the first enterprise network), that authentication is required (the following description adopts scheme one of the aforementioned authentication system, i.e. both the enterprise network and the service provider deploy an authentication system). Switch 1 needs to carry the access position information of this user equipment, mainly the corresponding access interface. The authentication system of enterprise network 1 initiates user identity authentication for the access device; in the IPoE case this pops up an interface for user identity authentication and prompts the user to authenticate. The authentication system of enterprise network 1 only supports authentication of users of this enterprise; but in the network resource sharing scheme, the authentication system of enterprise network 1 needs to interact with the authentication system of the external network provider, and the authentication system of the network provider can also perform authentication processing for a user of enterprise network 1 for whom abnormal authentication occurs. In a concrete implementation, through a software upgrade of the switch, the switch can be configured to allocate its interfaces to other specific enterprise user networks. In this way the local/enterprise authentication system is optimally reached first, and there is no need to go to the operator's authentication system, which saves time.
For a sharing access user, since he is not a user of the company's internal network (a prerequisite here is that an agreement exists between the service provider and the enterprise; generally speaking, certain ports of certain switches are given certain attributes, e.g. certain interfaces are handed over to the company's network for user authentication while, of course, shared access on these ports is supported at the same time), he (or she; not repeated hereafter, the meaning being the same) generally cannot pass the authentication of our company's network. Therefore, by hypothesis, he may be a sharing user of another enterprise, so further interaction with the service provider is needed to perform the resource-sharing authentication. There is a problem here: if a local enterprise user mistypes the password and fails, the related authentication is transferred into the service provider's network, causing a large number of abnormal authentications. Of course, in the subsequent operation he will equally fail authentication; this can be regarded as an illegal attempt and not handled further. If authentication cannot be passed, the user is regarded as an illegal user and the user's access is refused.
Step 403: after the shared access authentication of network resources passes, said authentication system notifies the corresponding service gateway of the access position information of the user equipment, the user's network resource demand information and the network access information of the network to be accessed;
Before the resource-sharing authentication, the authentication system obtains the access position information of said user equipment and determines the corresponding service gateway according to it; after the resource-sharing authentication passes, it sends the access position information of the user equipment, the network resource sharing demand information and the network access information of the network to be accessed to the service gateway at that position.
Understandably, unless otherwise specified, the service gateway of the present invention is a logical function; in a concrete network architecture, the logical service gateway function can be realized by one or more modules having the service gateway function (each functional module can be realized by one physical entity).
If there is only one service gateway functional module: where the enterprise network is deployed through the service provider, because the access devices are numbered uniformly together with this service gateway function, module or device, the specific position of the service gateway can be obtained directly from the number of the user's access device, or through a simple conversion. Where the (first) enterprise network is a network deployed by the user itself, or where the PPPoE authentication scheme is adopted, the enterprise network needs to deploy its own service gateway functional module (which can be realized by extending the BRAS device); the position information of this service gateway functional module is configured in the authentication system of the first enterprise network and is sent to the resource-sharing authentication system during the resource-sharing access authentication.
The network access information of the network to be accessed comprises said access position information (such as the corresponding service gateway number or zone number) and/or the concrete network access/connection information of the network to be accessed, such as the VLAN information and access interface information and/or virtual interface information of the access; said virtual interface information includes but is not limited to interface position definition information and its related IP address information.
The user's network resource sharing demand information is pre-configured or obtained through interaction during the access authentication procedure.
Step 404: said service gateway realizes resource sharing according to said access position information, the network resource sharing demand information and the information of the network to be accessed.
The position of the service gateway in the network can be further explained through Fig. 7. Generally speaking, existing networks all adopt a modular design: one service gateway generally connects two core switches below it, under which are multiple aggregation switches and, at the next level, access switches. To represent the access position information of the user equipment, such a service gateway module can be numbered. If the number of the service gateway module corresponding to the access position information of the user equipment is identical to the number of the service gateway corresponding to the enterprise network that the user equipment needs to access, this is called co-location for short; otherwise it is called non-co-location.
If the enterprise network that the user needs to access (the second enterprise network) is co-located with the enterprise network through which it accesses (the first enterprise network), it is only necessary, within this service gateway module, to generate an access VLAN according to the returned access VLAN and its network access interface information in order to realize access. Specifically, the service gateway judges according to the information of the enterprise network the user needs to access whether it is co-located with the service gateway (for a large network there are multiple addresses). If co-located, it generates this VLAN by configuration between the access interface of the first enterprise network and the access interface of the second enterprise network according to the received network access VLAN information, and access is realized. The concrete method can be dynamic configuration, or a pre-configured VLAN into which the access interface is configured, thereby realizing the connection.
If the locations differ, further processing is needed: first a local VLAN is generated between said service gateway and the access interface of the access device of the first enterprise network, realizing a secure local connection; then, through tunneling technology, a tunnel is established and this VLAN is mapped to this tunnel, thereby realizing the access of the (second enterprise network) user to the second enterprise network.
If the service gateway learns from the obtained user demand information that the user requires INTERNET access, it generates a VLAN according to the returned INTERNET access VLAN and its corresponding access interface information, or adds the interface of the access device to a preset VLAN, thereby accessing the INTERNET directly. To guarantee the security of access and prevent different users from achieving L2 intercommunication while accessing the INTERNET, each user accessing the INTERNET can be realized with an independent/different VLAN.
The realization system for network resource sharing of the present invention runs in a network environment comprising a first enterprise network and a second enterprise network; as shown in Figs. 5 and 6, this system comprises:
the access device of the first enterprise network, used to connect user equipment and to send an access authentication request to the authentication system;
the authentication system, used to receive the access authentication request of the access device of said first enterprise network and to perform first enterprise network access authentication of the user of said user equipment; if the first enterprise network access authentication fails, to perform the shared access authentication of network resources for the user of said user equipment; and, after the shared access authentication of network resources passes, to notify the corresponding service gateway of the access position information of said user equipment, the user's network resource sharing demand information and the network access information of the network to be accessed;
said access position information, network resource sharing demand information and network access information of the network to be accessed are pre-configured, or are obtained through interaction between said authentication system and the user before said authentication system notifies said service gateway.
Said service gateway is used to realize resource sharing according to said access position information, the network resource sharing demand information and the network access information of the network to be accessed.
The user's network resource sharing demand information comprises: information indicating that access is needed, i.e. ordinary INTERNET access; or information indicating that access to the user's own enterprise network is needed. Realizing resource sharing means that the user equipment of said second enterprise network connects to the internet through the access device of the first enterprise network, or connects to the network of the second enterprise network.
Fig. 7 gives an example network configuration for realizing network resource sharing. In it, enterprises 1 and 2 realize their networks through the service provider, while the network of enterprise 3 is one it built itself. A concrete enterprise network, such as enterprise network 1/2/3, can be composed of switches, routers, firewalls, servers, application programs and similar equipment; one or more of the listed items can be used according to the concrete needs of the enterprise, and there is no restriction on the concrete number. Through the system and method of the present invention, sharing of the network resources of enterprise networks can be realized.
Each functional network element is described in detail below:
The access device includes but is not limited to a switch. As shown in Fig. 10, said access device includes but is not limited to: an access interface, a detection module and an authentication initiation module, wherein:
the detection module is used to detect whether the interface link connection state changes, whether user equipment connects, or, with identification, whether the accessing user changes;
the authentication initiation module is used to initiate access authentication to said authentication system when a change of the interface link connection state or of the accessing user is detected.
The service gateway can be realized as an extension on a broadband access server (BRAS); its position in the system is as shown in Fig. 7, and it can also be arranged as shown in Fig. 8 or Fig. 9. Fig. 7 mainly illustrates the service gateway located in the carrier network of the service provider's architecture. Fig. 8 mainly illustrates the logical service gateway of the realization system of the present invention being realized jointly by two physical entities, the service gateway of enterprise network 1 (the first enterprise network) and the service gateway of the operator; these two service gateways (modules) intercommunicate at the IP layer, and by establishing a relevant IP tunnel it can be ensured that users of the second enterprise network obtain a secure resource-sharing service in the first enterprise network. Understandably, the logical service gateway function can also be realized by a combination of several different physical devices; Fig. 7 and Fig. 8 are two different concrete examples and do not limit the logical service gateway of the present invention. Where not otherwise specified, this document describes the case of a logical service gateway realized by one physical entity. Fig. 9 mainly illustrates the connection relationship between the service gateway and the switch or backbone switch.
As shown in Fig. 11, said service gateway, divided by functional module, includes but is not limited to: a co-location judgement module, a VLAN generation module, a tunnel establishment module and a mapping module, wherein:
the co-location judgement module is used, when said network resource sharing demand information indicates that the second enterprise network needs to be accessed, to judge whether the first enterprise network that said user equipment accesses and said second enterprise network are co-located; specifically, it compares whether the access position information of the user equipment is consistent with the access position information of the network to be accessed; if consistent, they are co-located, otherwise not co-located;
the VLAN generation module is used, when co-located, to generate a VLAN between said second enterprise network access interface and the access interface of the access device of the first enterprise network, and, when not co-located, to generate a VLAN between said service gateway and the access interface of the access device of the first enterprise network; the manner of generating the VLAN comprises dynamically configuring a VLAN, or adding said access interface to an already configured VLAN;
The concrete VLAN generation method can be dynamic configuration, or configuring the access interface into a pre-configured VLAN. Dynamic configuration of a VLAN can be realized by sending a VLAN generation template to the corresponding access device and to the device to which the VLAN's interfaces belong.
When said user equipment needs to access said internet, in order to prevent this user from communicating with other users at the local layer 2, the VLAN generated by the VLAN generation module contains only the access interface through which said user equipment connects and terminates on the service gateway; the service gateway further provides IP address support and realizes INTERNET access.
the tunnel establishment module is used, when said network resource sharing demand information indicates that the second enterprise network needs to be accessed and said co-location judgement module judges that they are not co-located, to establish a tunnel to said second enterprise network;
In particular, when the first enterprise network is a network deployed by the first enterprise itself, a tunnel is established between the service gateway of the first enterprise network and the service gateway of the operator, and INTERNET access, or the connection to the second enterprise network, is realized through the service gateway of the operator. In this case the logical service gateway function is realized jointly by the service gateway of the first enterprise network and the service gateway of the operator.
In concrete realization, the service gateway uses the received connection interface information of the second enterprise network, which is generally a virtual interface, and establishes the tunnel between this virtual interface and the service gateway, to realize the user's access to the second enterprise network.
The concrete tunneling technique can be a GRE tunnel, an MPLS tunnel, etc. This is prior art: as long as the relevant parameters are provided and the enterprise network supports the network interface for this shared access, it can be realized.
the mapping module is used, when said network resource sharing demand information indicates that the second enterprise network needs to be accessed and said co-location judgement module judges that they are not co-located, to map the generated VLAN to the established tunnel; and, when said network resource sharing demand information indicates that the internet needs to be accessed, to connect the generated VLAN to the internet.
In particular, if the logical service gateway is realized by two entities connected through a tunnel, the tunnel between these two entities also needs to be mapped to the tunnel to the second enterprise network; that is, the tunnel between the two entities and the two entities together constitute the logical service gateway.
The present invention is further explained in detail below with reference to the accompanying drawings and embodiments. This implementation method is only one example of realizing the present invention.
The concrete implementation is explained through two concrete embodiments below.
Embodiment 1
In this embodiment, based on the architecture shown in Fig. 7, user equipment realizes network resource sharing by being connected to enterprise network 2 through an access interface of enterprise network 1. As shown in Fig. 12, this flow is based on IPoE; the concrete realization flow and key technical points comprise:
S1201: the user equipment connects through an interface of the access device (such as a switch), for example an Ethernet interface (cable);
S1202: the switch detects the user equipment connecting;
The switch detects that user equipment has connected through the LINK UP process on the interface. Assume here that the system prohibits, through a relevant mechanism, the connection of a further switch on the port, and that where virtual machines are supported, each virtual machine occupies one virtual port; this guarantees the uniqueness of the access interface, and thus that any user's access must pass authentication.
S1203: the switch sends an authentication request to the (pre-configured) authentication system of enterprise network 1 according to the pre-configured information of the interface (the configuration information comprises the owning enterprise network and the port status);
In the present invention, a port is also called an interface or access interface, and the port status comprises an enterprise network state and a shared state. Usually the initial port status is configured as the enterprise network state.
This authentication request can notify the authentication system of enterprise network 1 by way of an event report.
S1204: the authentication system of enterprise network 1 and the user equipment interact to realize access authentication of the user;
Specifically, authentication information, such as a username/password, can be exchanged by forcibly pushing a user authentication interface to the user equipment and the user.
S1205: if the user passes the access authentication of enterprise network 1, this user belongs to the local enterprise network 1 and is a non-shared-resource user; if the port status is enterprise network, the user directly accesses enterprise network 1; otherwise, if the port status is shared, the port status needs to be changed to enterprise network and the port added back into the VLAN of enterprise network 1, and the handling flow ends. If the user does not pass authentication, proceed to S1206;
Enterprise network 1 can have several VLANs; when the port status is enterprise network, different ports can be configured into different VLANs.
What the present invention considers is that a shared-resource user generally cannot pass the authentication of the enterprise network authentication system, so the next step of the operation needs to continue;
S1206: the authentication system of enterprise network 1 initiates access authentication to the shared authentication system;
When authentication by enterprise network 1 fails, this user might be a shared network user, so the authentication system of enterprise network 1 sends a user authentication request to the shared authentication system of the service provider.
The authentication request carries the MAC address of the user equipment and the relevant access point information, including but not limited to the address/number information of the access device and/or the service gateway.
S1207: the shared authentication system of the service provider performs shared access authentication of the user;
S1208: the shared authentication system of the service provider may need to interact with the authentication system of the user's own enterprise network 2 (the second enterprise network) to implement authentication of the user;
Depending on the concrete configuration of the shared authentication system, step S1208 is optional.
S1209: if authentication passes, the access position information of the user equipment and the network access information of the enterprise network 2 that the user needs to access are obtained, comprising the position information of enterprise network 2, the VLAN information of the access and the interface information of the VLAN of the second enterprise network, and/or virtual interface information etc.; and further the resource-sharing demand information, comprising: access the INTERNET, or access the enterprise network, etc.;
This information is generally set through configuration according to the concrete conditions of the business. Optionally, the user's demand information can be obtained through interaction with the user;
S1210: the shared authentication system sends the access position information, the network resource sharing demand information and the network access information of enterprise network 2 to the authentication system of enterprise network 1 and the service gateway;
If the user equipment does not pass authentication, no information is sent to the service gateway; information is sent only to the authentication system of enterprise network 1, the access of the user equipment is refused, and the process ends.
S1211: if enterprise network 2 is co-located with enterprise network 1, then according to the returned access VLAN and second enterprise network access interface information, an access VLAN is generated with the access interface of enterprise network 1 to realize access, and the flow goes to S1213;
The service gateway, according to the returned network resource sharing demand information, first determines that what the equipment wants to access is the network of its own enterprise, i.e. enterprise network 2. Then the service gateway judges according to the obtained information whether enterprise network 2 exists locally, i.e. whether enterprise network 2 and the service gateway are co-located (for a large network there are multiple addresses); if enterprise network 2 exists locally, the present invention calls this co-location. Otherwise it is called non-co-location, and the flow goes to S1212.
The essence of co-location is that enterprise network 2 and enterprise network 1 share common access, or at least common aggregation/core switching network facilities (as in Fig. 5), so that only simple VLAN division/configuration is required.
If co-located, a VLAN is generated between the access interface of enterprise network 2 and the access interface of the access device of enterprise network 1 according to the received VLAN information of the network to be accessed, enterprise network 2; the manner of generating the VLAN comprises dynamically configuring a VLAN, or adding said access interface to an already configured VLAN;
The concrete VLAN generation method can be dynamic configuration, or configuring the access interface into a pre-configured VLAN. Dynamic configuration of a VLAN can be realized by sending a VLAN generation/addition configuration template to the corresponding access device and to the device on which the VLAN's interfaces are located.
In addition, in the co-located case, the connection can also be realized in the manner described in step S1212 below.
S1212: if the service gateway and enterprise network 2 are not co-located, a VLAN is generated from the access interface of the access device of enterprise network 1 to this service gateway; a tunnel is established to enterprise network 2; and the generated or configured VLAN is mapped to the tunnel to realize the network connection; the flow goes to S1213;
First, a local VLAN is generated, realizing a local connection as in the co-located case; then, through tunneling technology, a tunnel is established and connected to the non-co-located enterprise network 2. In concrete realization, the received network connection interface information is generally a virtual interface; the tunnel is established between this virtual interface and the service gateway, and this VLAN is mapped to this tunnel, thereby realizing the user's access to the enterprise network.
The concrete tunneling technique includes but is not limited to a GRE (Generic Routing Encapsulation) or MPLS (Multiprotocol Label Switching) tunnel. This is prior art and can be realized with the relevant parameters, provided the enterprise network supports the network interface for this shared access. It is worth noting that the tunnel built here generally needs to pass through the carrier network.
Steps 1211 and 1212 are the methods by which the service gateway realizes, in the different cases, the network connection from the access device of said first enterprise network to the second enterprise network.
S1213: the authentication system of enterprise network 1 performs some settings and processing according to the returned authentication result;
From the standpoint of simplicity and uniformity of implementation, it is better to handle this through the authentication system of enterprise network 1, i.e. even after the relevant port has been shared away, the next authentication is still realized through enterprise network 1. If instead the authentication system of enterprise network 2 handled it, the relevant state, particularly the relevant connection information, would need to be kept there or set up temporarily, which introduces processing delay and is therefore not very reasonable. However, some marks can be made, particularly that a resource of enterprise network 1 is being shared by sharing user equipment, so that the relevant state information is retained for accurate charging.
In concrete implementation, the traffic of enterprise network 1 needs to be restricted. When an interface is shared, the VLAN to which this port belongs is reconfigured and the port is deleted from this VLAN; at this point, other network traffic of enterprise network 1 can no longer be forwarded to this port. Seen from the interface, the traffic on the relevant interface is closed.
The state information of the shared port is recorded: once the port has been used as a shared resource, its state information is marked as shared. When an enterprise user reuses this port, the port status must also be modified at this enterprise network (enterprise network 1) and the port added back into the enterprise network VLAN; of course, these operations take place after the enterprise network user has passed authentication.
S1214: the user equipment communicates with enterprise network 2.
Embodiment 2
In this embodiment, user equipment of another enterprise network (the second enterprise network) realizes network resource sharing by being connected to the internet through an access interface of enterprise network 1. As shown in Fig. 13, the concrete realization flow and key technical points of this flow comprise:
Steps S1301-S1310 are respectively identical to steps S1201-S1210; the difference is that the returned user network demand differs and the VLAN information and related interface information for INTERNET access are returned; the concrete situation is seen in the following steps.
S1311: the service gateway generates a VLAN from the access interface of the access switch (access device) of enterprise network 1 to this service gateway;
The service gateway learns from the obtained user demand information that the user requires INTERNET access, and the INTERNET is accessed directly through a preset VLAN. Specifically, the service provider can realize this by adding this user port to a specific VLAN. To prevent this user from communicating with other users at the local layer 2, the user access interfaces of this VLAN include only this user's access interface, and the VLAN terminates on the service gateway; the service gateway further provides IP address support and realizes INTERNET access.
S1312: the service gateway accesses the INTERNET;
Generally speaking, the service gateway has the capability to access the INTERNET, so INTERNET access can be guaranteed by mapping the generated VLAN to the INTERNET access;
S1313: the same as S1213;
S1314: the user realizes access to the INTERNET.
The two embodiments above address mainly the IPoE case; the resource-sharing scheme for the PPPoE and 802.1x authentication schemes is described briefly below. PPPoE authentication can apply relatively stricter authentication and management to the user, in particular for traffic control and for isolating users in a broadband access network through one VLAN per user, so the PPPoE authentication scheme is better suited to supporting network resource sharing. In concrete implementation, after the user passes authentication, INTERNET access is provided directly by the BRAS (the PPPoE termination device). For the demand to access an enterprise network, the BRAS (which in fact can be the functional embodiment of the aforementioned service gateway) can use tunneling technology to connect the user into the enterprise network, without needing to further distinguish the co-located from the non-co-located case.
802.1x is a port-based user authentication scheme: after the device attached to the port passes authentication, the port is opened and the user's traffic is released; otherwise all user service traffic is refused and only the signaling traffic related to authentication is handled. Seen this way, it is better suited to the resource sharing of the present invention. However, realizing the present invention with the 802.1x authentication scheme still requires considerable further work: after the user passes 802.1x authentication, the relevant INTERNET connection, and the connection work for accessing the enterprise network, still have to be concretely realized.
The point that both of these authentication schemes need to strengthen is that after the state of the access port changes, compulsory access authentication must be performed, i.e., authentication is triggered by the state change of the interface of the access device. The other concrete implementation content is identical or similar to the IPoE case above and can be implemented by reference to it.
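The port handling described in this section, from the access device's point of view: a link-state or user change forces re-authentication, an unauthenticated port handles only authentication signaling, enterprise-1 authentication is tried first and sharing authentication on failure, and a lent-out port is taken out of the enterprise VLAN and recorded as shared. The following Python model is an added example, not code from the patent or from ZTE; the class and attribute names are assumptions, and the authentication system is a constructed stand-in holding two credential sets so the example runs offline.

```python
"""Access-device port controller for the shared-port handling described above.

Added example; it is not code from the patent or from ZTE. The class and
attribute names are assumptions, and the authentication system is modelled
as two in-memory credential sets so that the example runs offline.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set

# Frame kinds (constructed labels) that an unauthenticated port still handles.
AUTH_SIGNALING = {"eapol", "pppoe-discovery"}


class PortState(Enum):
    DOWN = "down"
    BLOCKED = "blocked"        # link up, user not authenticated: service traffic refused
    ENTERPRISE = "enterprise"  # enterprise-1 user authenticated, port in enterprise VLAN
    SHARED = "shared"          # port lent out as a shared resource, out of enterprise VLAN


@dataclass
class Port:
    name: str
    state: PortState = PortState.DOWN
    user: Optional[str] = None
    vlans: Set[int] = field(default_factory=set)


@dataclass
class AuthSystem:
    """Constructed stand-in for the authentication system: two credential sets."""
    enterprise_users: Set[str]
    sharing_users: Set[str]

    def enterprise_auth(self, user: str) -> bool:
        return user in self.enterprise_users

    def sharing_auth(self, user: str) -> bool:
        return user in self.sharing_users


class AccessDevice:
    def __init__(self, enterprise_vlan: int, auth: AuthSystem) -> None:
        self.enterprise_vlan = enterprise_vlan
        self.auth = auth
        self.ports: Dict[str, Port] = {}
        self.shared_record: Set[str] = set()  # record of ports occupied by sharing (claim 9)

    def add_port(self, name: str) -> Port:
        self.ports[name] = Port(name)
        return self.ports[name]

    def link_change(self, name: str, user: Optional[str]) -> str:
        """Link state or attached user changed: drop all VLANs and force re-authentication."""
        port = self.ports[name]
        port.vlans.clear()          # nothing is forwarded until authentication completes
        port.user = user
        self.shared_record.discard(name)
        if user is None:
            port.state = PortState.DOWN
            return "down"
        port.state = PortState.BLOCKED
        return self.authenticate(name)

    def authenticate(self, name: str) -> str:
        """Two-stage authentication: enterprise-1 first, sharing authentication on failure."""
        port = self.ports[name]
        if self.auth.enterprise_auth(port.user):
            port.state = PortState.ENTERPRISE
            port.vlans.add(self.enterprise_vlan)   # enterprise user: port rejoins its VLAN
            return "enterprise"
        if self.auth.sharing_auth(port.user):
            port.state = PortState.SHARED           # enterprise-1 traffic no longer reaches it
            self.shared_record.add(name)
            return "shared"
        port.state = PortState.BLOCKED
        return "denied"

    def attach_sharing_vlan(self, name: str, vlan_id: int) -> None:
        """The service gateway pushes the generated sharing VLAN onto the lent-out port."""
        port = self.ports[name]
        if port.state is not PortState.SHARED:
            raise ValueError("sharing VLAN is only allowed on a port in SHARED state")
        port.vlans.add(vlan_id)

    def forwards(self, name: str, vlan_id: Optional[int], kind: str = "data") -> bool:
        """Would a frame of this kind and VLAN be forwarded on the port in its current state?"""
        port = self.ports[name]
        if port.state is PortState.DOWN:
            return False
        if port.state is PortState.BLOCKED:
            return kind in AUTH_SIGNALING   # only authentication signaling is handled
        return vlan_id in port.vlans


if __name__ == "__main__":
    dev = AccessDevice(100, AuthSystem(enterprise_users={"alice"}, sharing_users={"bob"}))
    dev.add_port("ge0/1")
    print(dev.link_change("ge0/1", "bob"))     # shared
    dev.attach_sharing_vlan("ge0/1", 3001)
    print(dev.forwards("ge0/1", 100))          # False: enterprise VLAN closed on a shared port
    print(dev.link_change("ge0/1", "alice"))   # enterprise: re-authenticated, rejoins VLAN 100
```

The design point worth checking in a real deployment is the `link_change` path: clearing every VLAN before re-authentication is what prevents a lent-out port from silently carrying enterprise-1 traffic to whoever plugs in next.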
The preceding embodiments mainly address the case where enterprise networks 1 and 2 are realized through the carrier network (the main feature being that enterprise network 1 and enterprise network 2 can be connected directly through a VLAN and can share a common service gateway). There is, however, another case: the enterprise network is a network realized by the enterprise itself rather than one realized by a service provider. Since there is then no carrier-network service gateway, corresponding handling is done in the network design. As shown in Figure 8, a service gateway must be added in enterprise network 1. The concrete processing flow, including the access authentication method and flow, is similar; the differences are as follows:
1) the authentication result information is returned to the service gateway of enterprise network 1;
2) the co-located method of establishing a VLAN and a tunnel is adopted to realize resource sharing.
The present invention, in view of certain concrete restrictions in current network design, provides an implementation method for network resource sharing; the method and system can provide a general method for broadband access to the INTERNET, or direct access to the user's own enterprise network.
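The service gateway's decision in the flows above (Embodiment 2 for Internet access, Embodiment 1 and claims 5, 6 and 14 for access to the second enterprise network), written out as an added example that is not code from the patent or from ZTE. The data classes, the dynamic VLAN pool and the tunnel naming are assumptions; the co-location test follows the rule of claim 6, comparing the user's access position with that of the network to be accessed.

```python
"""Service-gateway resource-sharing decision for the flow described above.

Added example; it is not code from the patent or from ZTE. The data classes,
the dynamic VLAN pool and the tunnel naming are assumptions; the co-location
rule follows claim 6 (compare the user's access position with that of the
network to be accessed).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessPosition:
    access_device: str   # address or number of the access switch
    gateway: str         # service gateway serving that access device


@dataclass
class Notification:
    """What the authentication system sends the gateway after sharing authentication passes."""
    user: str
    position: AccessPosition                          # where the user equipment is attached
    access_port: str                                  # port on the enterprise-1 access device
    demand: str                                       # "internet" or "enterprise2"
    target_vlan: Optional[int] = None                 # VLAN info of the network to be accessed
    target_port: Optional[str] = None                 # that VLAN's access/virtual interface
    target_position: Optional[AccessPosition] = None  # its access position (claim 6)


@dataclass
class ShareResult:
    co_located: Optional[bool]          # None for Internet access, where it is not judged
    vlan_id: int
    members: Tuple[str, ...]            # interfaces placed in the VLAN
    terminates_at: str
    tunnel: Optional[str]
    templates: List[Dict[str, object]] = field(default_factory=list)  # config pushed to devices


class ServiceGateway:
    def __init__(self, name: str, dynamic_pool: range) -> None:
        self.name = name
        self._pool = iter(dynamic_pool)       # VLAN ids available for dynamic configuration
        self.vlan_to_tunnel: Dict[int, str] = {}

    @staticmethod
    def is_co_located(n: Notification) -> bool:
        return n.target_position is not None and n.position == n.target_position

    def _dynamic_vlan(self, members: Tuple[str, ...], devices: Tuple[str, ...]):
        """Allocate a VLAN and build the create/join templates for each device it touches."""
        vid = next(self._pool)
        templates = [{"device": d, "action": "vlan-create-join", "vlan": vid,
                      "members": list(members)} for d in devices]
        return vid, templates

    def share(self, n: Notification) -> ShareResult:
        if n.demand == "internet":
            # Per-user VLAN holding only this user's port and terminating on the gateway,
            # so the visitor cannot reach other users at layer 2 (claim 8).
            vid, tpl = self._dynamic_vlan((n.access_port,), (n.position.access_device, self.name))
            return ShareResult(None, vid, (n.access_port,), self.name, None, tpl)
        if n.demand != "enterprise2":
            raise ValueError(f"unknown demand {n.demand!r}")
        if n.target_vlan is None or n.target_position is None:
            raise ValueError("enterprise-2 access needs the target VLAN and access position")
        if self.is_co_located(n):
            # Co-located: join the already configured VLAN of enterprise 2; no tunnel needed.
            members = (n.access_port,) + ((n.target_port,) if n.target_port else ())
            tpl = [{"device": n.position.access_device, "action": "vlan-join",
                    "vlan": n.target_vlan, "members": list(members)}]
            return ShareResult(True, n.target_vlan, members, n.target_position.access_device, None, tpl)
        # Not co-located: VLAN from the access port to the gateway plus a tunnel to enterprise 2,
        # with the VLAN mapped one-to-one onto the tunnel.
        vid, tpl = self._dynamic_vlan((n.access_port,), (n.position.access_device, self.name))
        tunnel = f"tun-{vid}-to-{n.target_position.access_device}"   # placeholder tunnel name
        self.vlan_to_tunnel[vid] = tunnel
        return ShareResult(False, vid, (n.access_port,), self.name, tunnel, tpl)


if __name__ == "__main__":
    gw = ServiceGateway("gw-A", range(3000, 3100))
    here = AccessPosition("sw-e1", "gw-A")
    print(gw.share(Notification("bob", here, "ge0/1", "internet")))
    print(gw.share(Notification("carol", here, "ge0/2", "enterprise2", 200, "ge0/9", here)))
    print(gw.share(Notification("dave", here, "ge0/3", "enterprise2", 200, "ge0/9",
                                AccessPosition("sw-e2", "gw-A"))))
```

The three calls in the `__main__` block exercise the three branches: a per-user Internet VLAN with a single member port, a co-located join into enterprise 2's existing VLAN, and the non-co-located VLAN-plus-tunnel pairing recorded in `vlan_to_tunnel`.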

Claims (17)

1. A method for realizing network resource sharing, applicable to a network environment comprising a first enterprise network and a second enterprise network, the first enterprise network and the second enterprise network comprising access devices, characterized in that the method comprises:
user equipment accesses an access device of the first enterprise network, and an authentication system performs first-enterprise-network access authentication on the user of the user equipment;
if the first-enterprise-network access authentication fails, the authentication system performs network-resource-sharing access authentication on the user of the user equipment;
after the network-resource-sharing access authentication passes, the authentication system notifies the corresponding service gateway of the access position information of the user equipment, the user's network resource sharing demand information and the network access information of the network to be accessed;
the service gateway realizes resource sharing according to the access position information, the network resource sharing demand information and the network information of the network to be accessed.
2. The method of claim 1, characterized in that:
the access position information, the network resource sharing demand information and the network access information of the network to be accessed are pre-configured, or are obtained through interaction between the authentication system and the user equipment before the authentication system notifies the service gateway; the user's network resource sharing demand information comprises information indicating that access to the Internet or to the second enterprise network is needed; realizing resource sharing means that the user equipment obtains a network connection to the Internet, or a network connection to the second enterprise network, through the access device of the first enterprise network and the service gateway.
3. The method of claim 1, characterized in that: before the network-resource-sharing access authentication, the authentication system obtains the access position information of the user equipment and determines the corresponding service gateway according to that access position information; the access position information comprises the address or number of the access device and/or of the service gateway.
4. The method of claim 1, characterized in that: the first-enterprise-network access authentication of the user of the user equipment is initiated towards the authentication system by the user, or by the access device when it detects that the interface link connection state has changed or that the accessing user has changed; before the user passes authentication, the access device prohibits the user equipment from service communication, or handles only protocol messages related to authentication.
5. The method of claim 1, characterized in that: the network access information of the network to be accessed comprises the VLAN information of the network to be accessed and/or the access interface information or virtual interface information of that VLAN; when the network resource sharing demand information indicates that access to the Internet is needed, the service gateway realizing resource sharing comprises: the service gateway generates a VLAN between the service gateway and the access port of the access device of the first enterprise network, and the service gateway realizes the Internet access;
when the network resource sharing demand information indicates that access to the second enterprise network is needed, the service gateway realizing resource sharing comprises:
judging whether the first enterprise network accessed by the user equipment and the second enterprise network are co-located;
if not co-located, generating said VLAN between the service gateway and the access port of the access device of the first enterprise network, establishing a tunnel to the second enterprise network, and mapping the tunnel to the generated VLAN to realize the network connection;
if co-located, adding the access port of the access device of the first enterprise network to the VLAN of the second enterprise network co-located with it; or, alternatively, using the non-co-located implementation method above;
the way of generating the VLAN comprises dynamically configuring a VLAN, or adding the access port to an already configured VLAN; dynamic configuration means delivering a VLAN generation/joining configuration template to the corresponding access device and to the device on which the VLAN interface resides.
6. The method of claim 5, characterized in that: the network access information of the network to be accessed further comprises the access position information of the network to be accessed; the service gateway compares whether the access position information of the user equipment is consistent with the access position information of the network to be accessed; if consistent, they are co-located, otherwise they are not co-located.
7. The method of claim 5, characterized in that: the authentication system comprises the authentication system of the first/second enterprise network and the authentication system of the service provider/operator; the service gateway is realized as an extension on a Broadband Access Server (BRAS); the service gateway comprises the service gateways of the first/second enterprise network and of the service provider.
8. The method of claim 5, characterized in that: when the user equipment needs to access the Internet, the user access ports of the generated VLAN consist only of the access port that the user equipment accesses.
9. The method of claim 1, characterized in that: the first enterprise network comprises a resource management module responsible for resource management; after the network-resource-sharing authentication passes, the authentication system also notifies the resource management module of the first enterprise network to record the access resource information occupied by the sharing.
10. A system for realizing network resource sharing, characterized in that the system runs in a network environment comprising a first enterprise network and a second enterprise network, and the system comprises:
an access device of the first enterprise network, used to connect user equipment and to send an access authentication request to an authentication system;
the authentication system, used to receive the access authentication request of the access device of the first enterprise network and to perform first-enterprise-network access authentication on the user of the user equipment; after the first-enterprise-network access authentication fails, to perform network-resource-sharing access authentication on the user of the user equipment; and, after the network-resource-sharing access authentication passes, to notify the corresponding service gateway of the access position information of the user equipment, the user's network resource sharing demand information and the network access information of the network to be accessed;
the service gateway, used to realize resource sharing according to said access position information, network resource sharing demand information and network access information of the network to be accessed.
11. The system of claim 10, characterized in that:
the access position information, the network resource sharing demand information and the network access information of the network to be accessed are pre-configured, or are obtained through interaction between the authentication system and the user before the authentication system notifies the service gateway; the user's network resource sharing demand information comprises information indicating that access to the Internet or to the second enterprise network is needed; realizing resource sharing means that the user equipment obtains a network connection to the Internet, or a network connection to the second enterprise network, through the access device of the first enterprise network and the service gateway.
12. The system of claim 10, characterized in that: before the network-resource-sharing access authentication, the authentication system is further used to obtain the access position information of the user equipment and to determine the corresponding service gateway according to that access position information; the access position information comprises the address or number of the access device and/or of the service gateway.
13. The system of claim 10, characterized in that the access device, which before the user passes authentication prohibits the user equipment from service communication or handles only protocol messages related to authentication, comprises:
an access interface;
a detection module, used to detect whether the interface link connection state changes, whether user equipment is connected, or to detect and identify whether the accessing user changes;
an authentication initiation module, used to initiate access authentication towards the authentication system when it detects that the interface link connection state has changed or that the accessing user has changed.
14. The system of claim 10, characterized in that the network access information of the network to be accessed comprises the VLAN information of the network to be accessed and the interface information and/or virtual interface information of that VLAN; the service gateway comprises a co-location judgement module, a VLAN generation module, a tunnel establishment module and a correspondence module, wherein:
the co-location judgement module is used, when the network resource sharing demand information indicates that access to the second enterprise network is needed, to judge whether the first enterprise network accessed by the user equipment and the second enterprise network are co-located;
the VLAN generation module is used, when co-located, to generate a VLAN between the access port of the second enterprise network and the access port of the access device of the first enterprise network, and, when not co-located, to generate a VLAN between the service gateway and the access port of the access device of the first enterprise network; the way of generating the VLAN comprises dynamically configuring and generating a VLAN, or adding the access port to an already configured VLAN;
the tunnel establishment module is used, when the network resource sharing demand information indicates that access to the second enterprise network is needed and the co-location judgement module judges that they are not co-located, to establish a tunnel to the second enterprise network;
the correspondence module is used, when the network resource sharing demand information indicates that access to the second enterprise network is needed and the co-location judgement module judges that they are not co-located, to map the generated VLAN to the established tunnel;
and, when the network resource sharing demand information indicates that access to the Internet is needed, to map the generated VLAN to the Internet access.
15. The system of claim 14, characterized in that: the network access information of the network to be accessed further comprises the access position information of the network to be accessed; the co-location judgement module compares whether the access position information of the user equipment is consistent with the access position information of the network to be accessed; if consistent, they are co-located, otherwise they are not co-located.
16. The system of claim 14, characterized in that: when the user equipment needs to access the Internet, the user access ports of the VLAN generated by the VLAN generation module consist only of the access port that the user equipment accesses.
17. The system of claim 10, characterized in that: the system further comprises a resource management module located in the first enterprise network; after the network-resource-sharing authentication passes, the authentication system is further used to notify the resource management module of the first enterprise network to record the access resource information occupied by the sharing.
CN201110077269.6A 2011-03-29 2011-03-29 The method and system of network resources locating Expired - Fee Related CN102724087B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110077269.6A CN102724087B (en) 2011-03-29 2011-03-29 The method and system of network resources locating
PCT/CN2012/072322 WO2012130041A1 (en) 2011-03-29 2012-03-14 Method and system for network resource sharing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110077269.6A CN102724087B (en) 2011-03-29 2011-03-29 The method and system of network resources locating

Publications (2)

Publication Number Publication Date
CN102724087A true CN102724087A (en) 2012-10-10
CN102724087B CN102724087B (en) 2017-03-29

Family

ID=46929427

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110077269.6A Expired - Fee Related CN102724087B (en) 2011-03-29 2011-03-29 The method and system of network resources locating

Country Status (2)

Country Link
CN (1) CN102724087B (en)
WO (1) WO2012130041A1 (en)

Also Published As

Publication number Publication date
CN102724087B (en) 2017-03-29
WO2012130041A1 (en) 2012-10-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170329

Termination date: 20190329