CN102970389A - Outer net access method and system - Google Patents
Publication number: CN102970389A
Authority: CN (China)
Legal status: Granted
Prior art keywords: nat device, network, network device layer, flow, nat
Classification: Data Exchanges In Wide-Area Networks
Abstract
The invention discloses an outer net access system, which comprises a first network device layer coupled to an intranet, a plurality of NAT (network address translation) devices, and a second network device layer coupled to an outer net, each network device layer comprising at least one layer of network devices. One end of the first network device layer is coupled to each of the plurality of NAT devices and the other end is coupled to an intranet server, so as to measure the traffic of the access requests sent by the intranet server and to allocate that traffic to each NAT device according to a predetermined allocation condition using the OSPF (open shortest path first) protocol. Each NAT device of the plurality has one end coupled to the first network device layer and the other end coupled to the second network device layer, and is configured to receive the traffic according to the OSPF protocol and forward it to the second network device layer. The second network device layer is configured to receive the traffic and access the outer net using the access request carried in the traffic. By adopting the outer net access system, the operation and maintenance cost can be reduced. The invention also discloses a corresponding method.
Description
Technical field
The present invention relates to the field of network applications, and in particular to an extranet access method and an extranet access system.
Background technology
A NAT (Network Address Translation) server acts as the network egress device and is responsible for giving the machines on a private network segment access to the Internet, so it must be highly available.
At present, high availability is achieved with the VRRP (Virtual Router Redundancy Protocol) heartbeat protocol. VRRP was designed to solve the single point of failure caused by static routing. Its core is an election protocol that dynamically assigns the responsibility for a virtual router to one of the VRRP routers on the local area network (LAN). The VRRP router that controls the IP (Internet Protocol) address of the virtual router is called the master router, and it forwards the packets addressed to that virtual IP address. Should the master router become unavailable, the election provides a dynamic failover mechanism, which allows the IP address of the virtual router to be used as the default first-hop router of the end hosts. The benefit of VRRP is a more available default path without having to configure dynamic routing or route discovery protocols on every end host.
A server that accesses the extranet through a NAT device must be on the same network segment as the NAT device, and its default gateway is set to the VIP (Virtual IP, virtual service IP) provided by the NAT device.
To use the VRRP heartbeat protocol, the NAT device runs in user space a continuously running daemon that implements the VRRP protocol. When the VRRP heartbeat state changes, this daemon is responsible for managing the VIP.
Fig. 1 shows the configuration of a NAT device according to the prior art. Referring to Fig. 1, NAT devices are currently deployed as a pair. The VRRP protocol runs between the two NAT devices; the VIP is bound on the elected master NAT device, which provides the NAT extranet access service. The master NAT device sends VRRP heartbeats periodically so that the standby NAT device knows the master is still alive. Which device is master is decided by the Priority field of the VRRP protocol: the NAT device with the highest Priority becomes the master NAT device.
Fig. 2 shows the configuration after an active/standby NAT switchover according to the prior art. When the master NAT device can no longer provide service, for example because its service program crashes or is otherwise brought down, or because the device itself fails, the standby NAT device, which keeps monitoring the VRRP heartbeat, stops receiving the master's heartbeat messages, and the two NAT devices move to the state of Fig. 2: the standby NAT device automatically becomes the master, takes over the VIP and provides service. The new master then sends VRRP heartbeat messages periodically so that the other devices learn its state.
Subsequently, once the original master NAT device recovers its service, it preempts the VIP held by the standby NAT device and becomes the master again, and traffic returns to it accordingly.
Through the above process, when the service of one NAT device fails, the other NAT device takes over the server quickly, which achieves high availability.
The VRRP protocol is a routing protocol: when it performs route selection, only one master router forwards traffic. Applied to the scenario in which NAT devices are used, this means that a VIP can be bound to only one NAT device at any one time, which causes the following problems:
1) First, a single NAT device becomes a performance bottleneck. Specifically, within a given period the traffic of a particular VIP can be forwarded only by one NAT device, and the traffic handling capacity of a single NAT device is fixed, so if the traffic corresponding to that VIP is very large, the capacity of that NAT device becomes the performance bottleneck.
2) Second, expanding a NAT device cluster is comparatively complicated. In general, because a single NAT device offers poor safety against failure, the prior art always uses 2 NAT devices to form a cluster that provides the service. But as the number of servers accessing the extranet and their traffic grow, the performance of the cluster reaches a bottleneck and the NAT device cluster must be expanded. There are two means of doing so:
First, build a new cluster of 2 NAT devices. The problem with this means is that the services must be divided manually between the clusters in order to balance the traffic, and re-divided whenever the traffic of some service grows.
Second, add a NAT device server to the original cluster. The problem with this means is that a weight must be assigned manually for every NAT device for every service, in order to balance the traffic over the NAT devices while keeping each service highly available. Take a cluster of three NAT devices (NAT device A, NAT device B and NAT device C) carrying 3 services (service 1, service 2 and service 3) with a total traffic of 270 as an example; the required configuration is:
The weights set for service 1 are NAT device A -> 110, NAT device B -> 90, NAT device C -> 70;
The weights set for service 2 are NAT device B -> 110, NAT device A -> 90, NAT device C -> 70;
The weights set for service 3 are NAT device C -> 110, NAT device B -> 90, NAT device A -> 70.
In normal operation the traffic of the three services thus falls on the three NAT devices respectively. But if a further NAT device D is added, setting the weight of every service on NAT device D becomes very complicated and cumbersome.
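The prior-art scheme just described, as an added example that is not code from the patent: one VIP per service is pinned to the single NAT device with the highest VRRP Priority, a failure moves the whole service to the next device, the recovered master preempts the VIP again, and every extra device adds one hand-picked priority entry per service. The device and service names and the priority table are the page's; the per-service traffic split (100/90/80, summing to the page's total of 270) is constructed for the example.

```python
"""VRRP-style per-service VIP placement on a NAT cluster (prior-art scheme).

Added example for the background section; not code from the patent.  It models
one VIP per service owned by the live NAT device with the highest VRRP
Priority, the failover and preemption behaviour described in the text, and the
number of priority entries an operator maintains as the cluster grows.
"""
from typing import Dict, Optional, Set

PriorityTable = Dict[str, Dict[str, int]]  # service -> {device: VRRP Priority}

# The page's table: each service prefers a different master.
PRIORITIES: PriorityTable = {
    "service 1": {"NAT-A": 110, "NAT-B": 90, "NAT-C": 70},
    "service 2": {"NAT-B": 110, "NAT-A": 90, "NAT-C": 70},
    "service 3": {"NAT-C": 110, "NAT-B": 90, "NAT-A": 70},
}
# Constructed per-service traffic; the total of 270 is the page's figure.
SERVICE_TRAFFIC = {"service 1": 100, "service 2": 90, "service 3": 80}


def elect_master(prios: Dict[str, int], alive: Set[str]) -> Optional[str]:
    """VRRP election: the live device with the highest Priority owns the VIP.
    Since the original master has the highest Priority, it preempts the VIP
    again as soon as it reappears in `alive`."""
    live = {dev: p for dev, p in prios.items() if dev in alive}
    return max(live, key=live.get) if live else None


def vip_owners(table: PriorityTable, alive: Set[str]) -> Dict[str, Optional[str]]:
    """Which NAT device currently holds each service's VIP."""
    return {svc: elect_master(prios, alive) for svc, prios in table.items()}


def load_per_device(table: PriorityTable, traffic: Dict[str, int],
                    alive: Set[str]) -> Dict[str, int]:
    """A service's whole traffic lands on its single master: the bottleneck
    the page describes.  After a failure the survivor carries two services."""
    load = {dev: 0 for dev in alive}
    for svc, owner in vip_owners(table, alive).items():
        if owner is not None:
            load[owner] += traffic[svc]
    return load


def with_new_device(table: PriorityTable, name: str, priority: int) -> PriorityTable:
    """Adding NAT-D: every service's table gets a new entry whose value the
    operator has to choose by hand.  Returns a new table; the input is kept."""
    return {svc: {**prios, name: priority} for svc, prios in table.items()}


def entries_to_configure(table: PriorityTable) -> int:
    """Priority entries the operator maintains: services x devices."""
    return sum(len(prios) for prios in table.values())


if __name__ == "__main__":
    all_up = {"NAT-A", "NAT-B", "NAT-C"}
    print("normal :", load_per_device(PRIORITIES, SERVICE_TRAFFIC, all_up))
    print("A down :", load_per_device(PRIORITIES, SERVICE_TRAFFIC, all_up - {"NAT-A"}))
    grown = with_new_device(PRIORITIES, "NAT-D", 60)
    print("entries:", entries_to_configure(PRIORITIES), "->", entries_to_configure(grown))
```

With all three devices up the loads are 100/90/80, but with NAT-A down NAT-B carries 190, and the table grows from 9 to 12 entries the moment NAT-D is added, which is the operational burden the text is pointing at.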
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an extranet access system, and a corresponding extranet access method, that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, an extranet access system is provided, comprising a first network device layer coupled to the intranet, a plurality of network address translation devices, and a second network device layer coupled to the extranet, wherein each network device layer comprises at least one layer of network devices, and wherein
one end of the first network device layer is coupled to each of the plurality of NAT devices and the other end is coupled to the intranet servers, so as to measure the traffic of the access requests sent by the intranet servers and to distribute that traffic to each NAT device according to a predetermined distribution condition using the OSPF (Open Shortest Path First) protocol;
each NAT device of the plurality of NAT devices has one end coupled to the first network device layer and the other end coupled to the second network device layer, and is configured to receive traffic according to the OSPF protocol and to forward that traffic to the second network device layer;
the second network device layer is configured to receive the traffic and to access the extranet using the access request carried in it.
Optionally, when the first network device layer comprises at least two layers of network devices, traffic is transported between the different layers and the OSPF protocol runs between them.
Optionally, the network cards of the NAT devices are configured on different network segments.
Optionally, the network devices in the first network device layer are on a different network segment from the OSPF protocol instance run by each NAT device.
Optionally, the same area and authentication type are set between the first network device layer and each NAT device.
Optionally, the network devices in the first network device layer comprise switches.
Optionally, the predetermined distribution condition comprises any one of the following:
equal distribution according to the number of NAT devices;
distribution according to the bearing capacity of each NAT device;
distribution according to preset weights.
Optionally, when a new NAT device is added to the system, one end of this NAT device is coupled to the first network device layer and the other end is coupled to the second network device layer;
and the first network device layer is further configured to use the OSPF protocol to distribute traffic to the newly added NAT device.
Optionally, the intranet comprises a local area network (LAN), and the extranet comprises the Internet.
According to another aspect of the present invention, an extranet access method is provided, comprising:
the intranet sends an access request through the first network device layer coupled to it;
the first network device layer measures the traffic of the access requests sent by the intranet and uses the OSPF (Open Shortest Path First) protocol to distribute the traffic, according to a predetermined distribution condition, to each NAT device coupled to it;
each NAT device receives the traffic and forwards it to the second network device layer coupled to the extranet, and the second network device layer accesses the extranet using the access request carried in the traffic;
wherein each network device layer comprises at least one layer of network devices.
Optionally, when the first network device layer comprises at least two layers of network devices, traffic is transported between the different layers and the OSPF protocol runs between them.
Optionally, the network cards of the NAT devices are configured on different network segments.
Optionally, the network devices in the first network device layer are on a different network segment from the OSPF protocol instance run by each NAT device.
Optionally, the predetermined distribution condition comprises any one of the following:
equal distribution according to the number of NAT devices;
distribution according to the bearing capacity of each NAT device;
distribution according to preset weights.
Optionally, when a new NAT device is added, one end of this NAT device is coupled to the first network device layer and the other end is coupled to the second network device layer;
and the first network device layer uses the OSPF protocol to distribute traffic to the newly added NAT device.
In the embodiments of the present invention, the NAT devices do not form a cluster; instead each single NAT device performs extranet access on its own. In the extranet access system of the embodiments there are a plurality of NAT devices, all of them connected to both the intranet and the extranet and each able to access the extranet, so traffic can be spread over all the NAT devices rather than concentrated on one. This guarantees that the extranet service is still provided even when the traffic is very large, without the traffic handling capacity of a single NAT device becoming a performance bottleneck.
In addition, because the NAT devices are independent of one another, adding a NAT device only requires adding one independent device rather than a cluster formed by 2 or more NAT devices, which saves cost. Moreover, because the OSPF protocol runs between the NAT devices and the first network device layer in the embodiments, the traffic is divided and balanced automatically, with no need to divide traffic manually or to assign a weight for each NAT device for each service. If the traffic of some service grows, the OSPF protocol also adjusts the traffic so as to keep it balanced.
Further, the NAT technique of the prior art constrains the network topology of the intranet servers and the NAT devices. In order to communicate, an intranet server must use the VIP provided by the NAT device (usually the master NAT device) as its default gateway, so the two must be on the same network segment. To support extranet access for a plurality of intranet servers, a plurality of VLANs (Virtual Local Area Networks) must be configured on the NAT device, which increases its operation and maintenance cost. In the embodiments of the present invention the VRRP protocol is no longer used and the OSPF protocol is adopted instead, so the intranet servers need not use a VIP as their default gateway and need not be on the same network segment as the NAT devices. Accordingly, no plurality of VLANs needs to be configured on the NAT devices, which reduces their operation and maintenance cost.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows the configuration of a NAT device according to the prior art;
Fig. 2 shows the configuration after an active/standby NAT switchover according to the prior art;
Fig. 3 shows the structure of an extranet access system according to an embodiment of the present invention; and
Fig. 4 shows the flow chart of an extranet access method according to an embodiment of the present invention.
Embodiment
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.
To solve the above technical problem while using existing equipment as far as possible and adding no extra burden, the embodiments of the present invention improve the architecture of the extranet access network system. Fig. 3 shows the structure of an extranet access system according to an embodiment of the present invention. Referring to Fig. 1, this extranet access system comprises three parts: a first network device layer 310 coupled to the intranet, a plurality of NAT devices 320 connecting the intranet and the extranet, and a second network device layer 330 coupled to the extranet. In practice, each network device layer comprises at least one layer of network devices. The number of NAT devices and the number of layers in each network device layer shown in Fig. 3 are illustrative, not exact; the actual numbers are decided according to actual conditions. Each part of the improved extranet access system is now described in detail.
First, the first network device layer 310 is introduced. As mentioned above, this network device layer is the intermediary between the NAT devices and the intranet: one end is coupled to each NAT device 320 and the other end is coupled to the intranet servers. When there are a plurality of NAT devices, the first network device layer 310 is coupled to each of them. The first network device layer 310 measures the traffic of the access requests sent by the intranet servers and uses the OSPF (Open Shortest Path First) protocol to distribute that traffic to each NAT device 320 according to a predetermined distribution condition.
Then, referring to Fig. 3, each NAT device 320 of the plurality of NAT devices 320, in order to provide network access, has one end coupled to the first network device layer 310 and the other end coupled to the second network device layer 320. Each NAT device 320 receives its share of the traffic according to the OSPF protocol and forwards the received traffic to the second network device layer 320.
Finally, the second network device layer 320 receives the traffic forwarded by the NAT devices 320 and accesses the extranet using the access requests carried in it.
In addition, because the NAT devices are independent of one another, adding a NAT device only requires adding one independent device rather than a cluster formed by 2 or more NAT devices, which saves cost. Moreover, because the OSPF protocol runs between the NAT devices and the first network device layer in the embodiments, the traffic is divided and balanced automatically, with no need to divide traffic manually or to assign a weight for each NAT device for each service. If the traffic of some service grows, the OSPF protocol also adjusts the traffic, guaranteeing that the traffic accessing the extranet is distributed evenly over the several NAT devices according to equal-cost routes, so as to keep it balanced.
In implementation, when the first network device layer 310 comprises at least two layers of network devices, the traffic of the intranet servers must pass through those layers to reach the NAT devices, so traffic is transported between the layers. To save cost and to let the traffic be balanced automatically, the OSPF protocol is also run between the different layers that transport traffic.
As stated above, once the architecture of the extranet access system is changed and the OSPF protocol is adopted, the network cards of the NAT devices 320 can be configured on different network segments even when they connect to the same intranet server.
In the embodiments of the present invention the VRRP protocol is no longer used and the OSPF protocol is adopted instead; that is, the embodiments provide a new unified NAT egress scheme based on OSPF. In this example, in order to access the extranet service an intranet server only needs to set the IP of its switch as its default gateway; it need not use the VIP provided by a NAT device as default gateway, nor be on the same network segment as the NAT device. The network devices in the first network device layer 310 can therefore be on different network segments from the NAT devices 320.
In implementation, so that the NAT devices 320 and the network devices in the first network device layer 310 can form neighbour relationships normally and work together, the same area and authentication type must be set on both.
In the embodiments of the present invention, because the NAT devices 320 no longer need a virtual VIP or virtual routing, it suffices to configure a default route on each NAT device 320 and to advertise that default route to the switch.
The network devices in the first network device layer 310 can be any devices able to carry traffic, for example switches or servers.
As mentioned above, the distribution of traffic between the first network device layer 310 and the plurality of NAT devices 320 follows a predetermined distribution condition, which can be equal distribution according to the number of NAT devices, distribution according to the bearing capacity of each NAT device, or distribution according to preset weights. Only a few concrete examples are given here; the predetermined distribution condition is not limited to them.
When a new NAT device 320 needs to be added to the extranet access system, the independence of the NAT devices 320 means the other NAT devices need not be considered: one end of the new NAT device 320 is simply coupled to the first network device layer and the other end to the second network device layer. Once the hardware is in place, the first network device layer 310 uses the OSPF protocol to distribute traffic to the newly added NAT device 320, so the traffic is redistributed over the enlarged set of NAT devices, and operation and maintenance cost is reduced.
In this example, the intranet comprises a local area network (LAN) and the extranet comprises the Internet. Intranet and extranet are relative concepts and can be chosen according to actual conditions. The present invention applies to any system that accesses an extranet through NAT devices.
Based on the above extranet access system, the embodiments of the present invention also provide an extranet access method. Fig. 4 shows the flow chart of the extranet access method according to an embodiment of the present invention. The flow chart comprises steps S402 to S406.
Step S402: the intranet sends an access request through the first network device layer coupled to it.
Step S404: the first network device layer measures the traffic of the access requests sent by the intranet and uses the OSPF protocol to distribute the traffic, according to a predetermined distribution condition, to each NAT device coupled to it.
Step S406: each NAT device receives the traffic and forwards it to the second network device layer coupled to the extranet, and the second network device layer accesses the extranet using the access request carried in the traffic.
Each network device layer mentioned in Fig. 4 comprises at least one layer of network devices.
The first network device layer mentioned in step S402 is composed of multiple layers of network devices. When it comprises at least two layers of network devices, the OSPF protocol runs between the different layers that transport traffic, so as to keep the traffic distribution balanced and automatic. When an intranet server sends an access request, the network devices of the first network device layer that are directly coupled to the intranet receive the corresponding traffic and distribute it by the OSPF protocol to the network devices of the second layer; if there is a third, fourth or further layer, the OSPF protocol distributes the traffic layer by layer in turn until it reaches the plurality of NAT devices.
As stated above, once the architecture of the extranet access system is changed and the OSPF protocol is adopted, each NAT device no longer sets a VIP and no longer has to be tied to the same intranet server, even when they connect to the same intranet server, so the network cards of the NAT devices can be configured on different network segments.
In the embodiments of the present invention the VRRP protocol is no longer used and the OSPF protocol is adopted instead; that is, the embodiments provide a new unified NAT egress scheme based on OSPF. In this example, in order to access the extranet service an intranet server only needs to set the IP of its switch as its default gateway; it need not use the VIP provided by a NAT device as default gateway, nor be on the same network segment as the NAT device. Hence, as mentioned in steps S402 and S404, the network devices in the first network device layer can be on different network segments from the NAT devices.
As mentioned in step S402, the distribution of traffic between the first network device layer and the plurality of NAT devices follows a predetermined distribution condition, which can be equal distribution according to the number of NAT devices, distribution according to the bearing capacity of each NAT device, or distribution according to preset weights. Only a few concrete examples are given here; the predetermined distribution condition is not limited to them.
With the extranet access method provided by the embodiments of the present invention, when a new NAT device must be added, the independence of the NAT devices means it suffices to add one NAT device between the intranet and the extranet, without considering its effect on the other NAT devices. When it is added, one end of the new NAT device is coupled to the first network device layer and the other end is coupled to the second network device layer. Once the architecture is in place, the first network device layer uses the OSPF protocol to distribute traffic to the newly added NAT device; the traffic passed from the intranet to the extranet is redistributed over the enlarged set of NAT devices, and operation and maintenance cost is reduced.
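The distribution conditions of the first network device layer (equal distribution, by bearing capacity, by preset weights) and the claim that a new NAT device joins without any per-service weights, as an added example that is not the patent's own code. It models the per-flow choice a switch makes once several NAT devices have each advertised an equal-cost default route: hash the flow's 5-tuple and pick one NAT next hop. It goes beyond the page in one respect: because each NAT device keeps its own translation table, a flow that is re-mapped to a different device loses its session, so plain hash-modulo selection is compared with rendezvous hashing, which moves only the flows it has to. Device names, addresses and flows are constructed.

```python
"""Per-flow distribution of egress traffic across independent NAT devices.

Added example for the OSPF-based design this patent describes; not code from
the patent or from any switch vendor.  Equal weights give the page's "mean
allocation", a device's capacity gives "bearing capacity", any fixed value
gives "preset weights".
"""
import hashlib
import math
from collections import Counter
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Flow = Tuple[str, str, int, int, int]  # src_ip, dst_ip, src_port, dst_port, proto
Selector = Callable[[Flow], str]


def flow_hash(flow: Flow) -> int:
    """Stable 64-bit hash of the 5-tuple.  Python's hash() is salted per
    process, so it cannot stand in for the repeatable hash a switch computes."""
    key = "|".join(map(str, flow)).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def modulo_next_hop(flow: Flow, nat_devices: Sequence[str]) -> str:
    """Plain hash-modulo ECMP: an equal split, but when the set of next hops
    changes most flows are re-mapped, and a flow that lands on a different
    NAT device loses its translation state and therefore its session."""
    return nat_devices[flow_hash(flow) % len(nat_devices)]


def weighted_next_hop(flow: Flow, weights: Dict[str, float]) -> str:
    """Weighted rendezvous hashing: device d receives a share proportional to
    weights[d].  Only the flows of a removed device move, and an added device
    takes just its own share, so NAT sessions elsewhere are undisturbed."""
    h = flow_hash(flow)

    def score(dev: str) -> float:
        x = int.from_bytes(hashlib.sha256(f"{h}:{dev}".encode()).digest()[:6], "big")
        u = (x + 0.5) / 2 ** 48          # uniform in (0, 1), never exactly 0 or 1
        return -weights[dev] / math.log(u)

    return max(weights, key=score)


def distribute(flows: Iterable[Flow], select: Selector) -> Counter:
    """How many flows each NAT device receives under a selection function."""
    return Counter(select(f) for f in flows)


def moved(flows: Iterable[Flow], before: Selector, after: Selector) -> int:
    """Number of flows whose NAT device changes between two next-hop sets."""
    return sum(1 for f in flows if before(f) != after(f))


def sample_flows(n: int) -> List[Flow]:
    """Constructed traffic: n intranet clients in 10.0.0.0/16 reaching two
    services on TEST-NET-3 addresses, alternating HTTPS and HTTP."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}",
             "203.0.113.10" if i % 2 else "203.0.113.20",
             40000 + i % 20000, 443 if i % 2 else 80, 6)
            for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows(3000)
    three = ["natA", "natB", "natC"]
    four = three + ["natD"]
    equal3 = {d: 1.0 for d in three}
    equal4 = {d: 1.0 for d in four}
    print("hash-modulo, 3 devices:", distribute(flows, lambda f: modulo_next_hop(f, three)))
    print("rendezvous, 3 devices :", distribute(flows, lambda f: weighted_next_hop(f, equal3)))
    print("moved by adding natD, hash-modulo:",
          moved(flows, lambda f: modulo_next_hop(f, three), lambda f: modulo_next_hop(f, four)))
    print("moved by adding natD, rendezvous :",
          moved(flows, lambda f: weighted_next_hop(f, equal3), lambda f: weighted_next_hop(f, equal4)))
    print("capacity 2:1:1        :",
          distribute(flows, lambda f: weighted_next_hop(f, {"natA": 2.0, "natB": 1.0, "natC": 1.0})))
```

Both selectors split 3000 flows roughly 1000 per device with no per-service table, which is the page's point. Adding natD under hash-modulo re-maps about three quarters of the flows; under rendezvous hashing only the quarter that natD takes over moves, and removing a device moves exactly that device's flows. Real switches compute the hash in hardware with a vendor-specific algorithm, as the page notes for the equal-cost route configuration, so which of these two behaviours a given first-layer device shows is something to check before relying on session continuity during NAT device changes.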
Embodiment one
To realize the extranet access function provided by the embodiment of the invention, this embodiment gives a specific way of implementing it. It focuses on the use of the OSPF protocol, which is the basis of the embodiment. Referring to Fig. 3, the use of OSPF has two parts: the first part runs OSPF on the network devices coupled to the intranet, and the second part runs OSPF on the NAT devices.
The way OSPF is run on the NAT devices is now described specifically. One optional implementation is:
Support for OSPF is implemented with the zebra and ospfd components of the open-source tool quagga, where zebra is responsible for updating the local routing table, and ospfd is responsible for implementing the OSPF protocol and communicating with other devices running ospfd.
In addition, when ospfd is configured, the default route needs to be placed in the area configuration of ospfd.
The implementation here is only a specific embodiment and does not restrict the use of the OSPF protocol; other open-source tools may be chosen when implementing it, and it is not limited to quagga.
On the network devices, OSPF and equal-cost routing are run. Different network devices have different methods for configuring OSPF and equal-cost routing, but configuring routes and the OSPF protocol on network devices is prior art; the configuration manual of the specific device can be consulted, and it is not described further here.
It should be noted that in this embodiment the network cards of each NAT device are configured on different network segments; in addition, the network devices need not be on the same network segment as the OSPF instance run by each NAT device.
Further, so that the NAT devices and the network devices can normally establish neighbor relationships and communicate, both need to be configured with the same area and authentication type.
After all of the above configuration is complete, a default route is configured on each NAT device and advertised to the switch. Configuring the default route is also prior art and is not described further here.
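The three requirements of Embodiment one (a distinct network segment per NAT device NIC, the same OSPF area and authentication type as the switch, and a default route on each NAT device), checked over a constructed inventory and rendered as a minimal Quagga ospfd configuration. This is an added example, not the patent's own code; the speaker model, the sample addresses and the mapping of "default route in the ospfd configuration" onto Quagga's `default-information originate` are our assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OspfSpeaker:
    """Constructed model of one OSPF speaker (the switch or a NAT device)."""
    name: str
    area: str                              # OSPF area id, e.g. "0.0.0.0"
    auth_type: str                         # "none", "simple" or "md5"
    nic_cidr: Optional[str] = None         # NAT device NIC facing the switch
    default_route: Optional[str] = None    # route the NAT device advertises


def check_nat_egress_config(switch: OspfSpeaker,
                            nats: List[OspfSpeaker]) -> List[str]:
    """Return findings for the three requirements; an empty list means the
    inventory satisfies all of them."""
    findings = []
    seen = {}
    for nat in nats:
        if nat.nic_cidr is None:
            findings.append(f"{nat.name}: no NIC address configured")
            continue
        # 1. the network card of every NAT device sits on its own segment
        net = ipaddress.ip_interface(nat.nic_cidr).network
        if net in seen:
            findings.append(f"{nat.name}: segment {net} already used by {seen[net]}")
        else:
            seen[net] = nat.name
    for nat in nats:
        # 2. same area and authentication type, otherwise no adjacency forms
        if nat.area != switch.area:
            findings.append(f"{nat.name}: area {nat.area} != switch area {switch.area}")
        if nat.auth_type != switch.auth_type:
            findings.append(f"{nat.name}: auth {nat.auth_type} != switch auth {switch.auth_type}")
        # 3. each NAT device must hold a default route to hand to the switch
        if nat.default_route != "0.0.0.0/0":
            findings.append(f"{nat.name}: no default route to advertise")
    return findings


def render_ospfd_conf(nat: OspfSpeaker) -> str:
    """Render a minimal Quagga ospfd.conf for one NAT device (assumed mapping
    of the embodiment's requirements onto Quagga's configuration syntax)."""
    iface = ipaddress.ip_interface(nat.nic_cidr)
    lines = [
        f"hostname {nat.name}",
        "router ospf",
        f" ospf router-id {iface.ip}",
        f" network {iface.network} area {nat.area}",
    ]
    if nat.auth_type == "md5":
        lines.append(f" area {nat.area} authentication message-digest")
    elif nat.auth_type == "simple":
        lines.append(f" area {nat.area} authentication")
    if nat.default_route == "0.0.0.0/0":
        # the default route the switch will learn from this NAT device
        lines.append(" default-information originate always")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: one switch, two compliant NAT devices, one broken one
    switch = OspfSpeaker("sw1", "0.0.0.0", "md5")
    nats = [
        OspfSpeaker("nat-a", "0.0.0.0", "md5", "10.0.1.1/24", "0.0.0.0/0"),
        OspfSpeaker("nat-b", "0.0.0.0", "md5", "10.0.2.1/24", "0.0.0.0/0"),
        OspfSpeaker("nat-c", "0.0.0.1", "simple", "10.0.2.7/24", None),
    ]
    for finding in check_nat_egress_config(switch, nats):
        print("FINDING:", finding)
    print(render_ospfd_conf(nats[0]))
```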
Embodiment two
Take three NAT devices (NAT device A, NAT device B and NAT device C) providing the extranet access service as an example. These three NAT devices carry three services (service 1, service 2 and service 3), the current total traffic is 360, and the predefined traffic allocation method is assumed to be equal allocation. Then, in this embodiment,
the weights set for service 1 are NAT device A -> 120, NAT device B -> 120, NAT device C -> 120;
the weights set for service 2 are NAT device B -> 120, NAT device A -> 120, NAT device C -> 120;
the weights set for service 3 are NAT device C -> 120, NAT device B -> 120, NAT device A -> 120.
Under normal operation, the traffic of the three services is thus spread evenly across the three NAT devices. If a further NAT device D is added, the weight settings of each service become:
the weights set for service 1 are NAT device A -> 90, NAT device B -> 90, NAT device C -> 90, NAT device D -> 90;
the weights set for service 2 are NAT device B -> 90, NAT device A -> 90, NAT device C -> 90, NAT device D -> 90;
the weights set for service 3 are NAT device C -> 90, NAT device B -> 90, NAT device A -> 90, NAT device D -> 90.
It should be noted that in this embodiment the NAT devices are independent of each other, so the device lettering does not constitute a rank or ordering; it is only used to make comparison with the prior-art embodiment easier.
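The per-service weight tables of Embodiment two, computed for the three predetermined distribution conditions named above (equal allocation, allocation by bearing capacity, allocation by preset weights) and recomputed when a NAT device is added. This is an added example rather than the patent's own code; the device model and the capacity and weight values are constructed, and integer shares are rounded by a largest-remainder step so that they always sum to the total, which the patent text does not spell out.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class NatDevice:
    """Constructed model of one independent NAT device."""
    name: str
    capacity: int = 1    # bearing capacity, used by the "capacity" condition
    weight: int = 1      # preset weight, used by the "weight" condition


def allocate(total: int, devices: List[NatDevice],
             condition: str = "mean") -> Dict[str, int]:
    """Split `total` traffic units across `devices` under one predetermined
    distribution condition and return {device name: share}."""
    if not devices:
        raise ValueError("at least one NAT device is required")
    if condition == "mean":            # equal allocation by device count
        raw = {d.name: 1 for d in devices}
    elif condition == "capacity":      # proportional to bearing capacity
        raw = {d.name: d.capacity for d in devices}
    elif condition == "weight":        # proportional to preset weights
        raw = {d.name: d.weight for d in devices}
    else:
        raise ValueError(f"unknown distribution condition {condition!r}")
    if any(v <= 0 for v in raw.values()):
        raise ValueError("capacities and weights must be positive")
    denom = sum(raw.values())
    shares = {n: total * v // denom for n, v in raw.items()}
    # hand out leftover units one at a time, largest fractional part first,
    # so the integer shares add up to exactly `total`
    leftover = total - sum(shares.values())
    by_fraction = sorted(raw, key=lambda n: (total * raw[n]) % denom, reverse=True)
    for name in by_fraction[:leftover]:
        shares[name] += 1
    return shares


def service_weight_table(services: List[str], total: int,
                         devices: List[NatDevice],
                         condition: str = "mean") -> Dict[str, Dict[str, int]]:
    """One weight row per service, as in the tables of Embodiment two."""
    return {s: allocate(total, devices, condition) for s in services}


def add_nat_device(devices: List[NatDevice], new: NatDevice) -> List[NatDevice]:
    """Adding a device touches no existing one; the table is simply recomputed."""
    return list(devices) + [new]


if __name__ == "__main__":
    services = ["service 1", "service 2", "service 3"]
    devices = [NatDevice("NAT device A"), NatDevice("NAT device B"),
               NatDevice("NAT device C")]
    print(service_weight_table(services, 360, devices))          # 120 each
    devices = add_nat_device(devices, NatDevice("NAT device D"))
    print(service_weight_table(services, 360, devices))          # 90 each
    sized = [NatDevice("A", capacity=100, weight=1),
             NatDevice("B", capacity=200, weight=2),
             NatDevice("C", capacity=300, weight=1)]
    print(allocate(360, sized, "capacity"))                      # 60/120/180
    print(allocate(360, sized, "weight"))                        # 90/180/90
```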
The extranet access system and method provided by the embodiment of the invention can achieve the following beneficial effects:
In the embodiment of the invention, the NAT devices do not form a cluster; instead, each individual NAT device performs extranet access on its own. In the extranet access system of the embodiment there are multiple NAT devices, all connected to both the intranet and the extranet, and each NAT device is able to access the extranet. Therefore, traffic can be diverted across all NAT devices rather than onto a single NAT device. This ensures that extranet service can still be provided when traffic is very large, without a performance bottleneck caused by the traffic handling capacity of a single NAT device.
In addition, because the NAT devices are independent of each other, adding a NAT device only requires adding one independent NAT device, not a cluster formed by two or more NAT devices, which saves cost. Moreover, since the OSPF protocol is used between the NAT devices and the first network device layer in the embodiment, traffic can be divided evenly and automatically, without dividing traffic by hand or delineating weights for each NAT device for each service. If the traffic of a certain service grows large, OSPF can also adjust the traffic to achieve traffic balancing.
Further, the NAT technique of the prior art restricts the network topology of the intranet servers and NAT devices. To communicate, an intranet server must set the VIP provided by the NAT device (usually the master NAT device) as its default gateway, so both must be on the same network segment. To support egress for multiple intranet servers, multiple VLANs (Virtual Local Area Networks) have to be configured on the NAT device, which increases the O&M cost of the NAT device. In the embodiment of the invention, VRRP is no longer used and OSPF is used instead, so the intranet server need not set the VIP as its default gateway and need not be on the same network segment as the NAT device. Accordingly, multiple VLANs need not be configured on the NAT device, reducing the O&M cost of the NAT devices.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. Based on the description above, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given in order to disclose the best mode of the invention.
A large number of details are described in the specification provided herein. However, it is understood that embodiments of the invention can be practiced without these details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the invention, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the extranet access system according to the embodiment of the invention. The invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.
Claims (15)
1. An extranet access system, comprising a first network device layer coupled to an intranet, a plurality of network address translation (NAT) devices, and a second network device layer coupled to an extranet, each network device layer comprising at least one layer of network devices, wherein
one end of the first network device layer is coupled to each of the plurality of NAT devices and the other end is coupled to an intranet server, so as to count the traffic of the access requests sent by the intranet server and allocate the traffic to each NAT device according to a predetermined distribution condition using the Open Shortest Path First (OSPF) protocol;
one end of each NAT device of the plurality of NAT devices is coupled to the first network device layer and the other end is coupled to the second network device layer, and each NAT device is configured to receive the traffic according to the OSPF protocol and to forward the traffic to the second network device layer; and
the second network device layer is configured to receive the traffic and to access the extranet using the access request carried therein.
2. The system according to claim 1, characterized in that, when the first network device layer comprises at least two layers of network devices, traffic is transmitted between the layers and the OSPF protocol is run between different layers.
3. The system according to claim 1, characterized in that the network cards of each NAT device are configured on different network segments.
4. The system according to any one of claims 1 to 3, characterized in that the network devices in the first network device layer are on different network segments from the OSPF protocol run by each NAT device.
5. The system according to any one of claims 1 to 4, characterized in that the same area and authentication type are configured between the first network device layer and each NAT device.
6. The system according to any one of claims 1 to 5, characterized in that the network devices in the first network device layer comprise switches.
7. The system according to any one of claims 1 to 6, characterized in that the predetermined distribution condition comprises any one of the following:
equal allocation according to the number of NAT devices;
allocation according to the bearing capacity of each NAT device;
allocation according to preset weights.
8. The system according to any one of claims 1 to 7, characterized in that, when a new NAT device is added to the system, one end of this NAT device is coupled to the first network device layer and the other end is coupled to the second network device layer;
the first network device layer is further configured to allocate traffic to the newly added NAT device using the OSPF protocol.
9. The system according to any one of claims 1 to 8, characterized in that the intranet comprises a local area network (LAN) and the extranet comprises the Internet.
10. An extranet access method, comprising:
an intranet sending an access request through a first network device layer coupled to it;
the first network device layer counting the traffic of the access requests sent by the intranet and allocating the traffic, according to a predetermined distribution condition, to each NAT device coupled to it using the Open Shortest Path First (OSPF) protocol;
each NAT device receiving the traffic and forwarding it to a second network device layer coupled to an extranet, and the second network device layer accessing the extranet using the access request carried in the traffic;
wherein each network device layer comprises at least one layer of network devices.
11. The method according to claim 10, characterized in that, when the first network device layer comprises at least two layers of network devices, traffic is transmitted between the layers and the OSPF protocol is run between different layers.
12. The method according to claim 10, characterized in that the network cards of each NAT device are configured on different network segments.
13. The method according to any one of claims 10 to 12, characterized in that the network devices in the first network device layer are on different network segments from the OSPF protocol run by each NAT device.
14. The method according to any one of claims 10 to 13, characterized in that the predetermined distribution condition comprises any one of the following:
equal allocation according to the number of NAT devices;
allocation according to the bearing capacity of each NAT device;
allocation according to preset weights.
15. The method according to any one of claims 10 to 14, characterized in that, when a new NAT device is added, one end of this NAT device is coupled to the first network device layer and the other end is coupled to the second network device layer;
the first network device layer allocates traffic to the newly added NAT device using the OSPF protocol.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210468748.5A CN102970389B (en) | 2012-11-19 | 2012-11-19 | Extranet access method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102970389A true CN102970389A (en) | 2013-03-13 |
CN102970389B CN102970389B (en) | 2015-12-02 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060294584A1 (en) * | 2005-06-22 | 2006-12-28 | Netdevices, Inc. | Auto-Configuration of Network Services Required to Support Operation of Dependent Network Services |
CN101599899A (en) * | 2009-07-06 | 2009-12-09 | 杭州华三通信技术有限公司 | The access method of employing network address translation (NAT) device for supporting multi-networking and equipment |
CN101697528A (en) * | 2009-10-30 | 2010-04-21 | 杭州华三通信技术有限公司 | Method and device for sharing loads between NAT gateway devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
2022-08-01 | TR01 | Transfer of patent right | Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015; Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park); Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Patentee before: Qizhi software (Beijing) Co.,Ltd. |