CN103259736A - Tunnel building method and network equipment - Google Patents

Publication number: CN103259736A
Authority: CN (China)
Prior art keywords: network equipment, address, tunnel, user, equipment
Legal status: Pending
Application number: CN2013102010728A
Other languages: Chinese (zh)
Inventors: 梁力文, 田浩博
Current Assignee: Hangzhou H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd

Abstract

The invention discloses a tunnel establishment method and a network device. The method comprises the following steps: the network device obtains the IP address of a first network device according to address information of the first network device issued by an authentication server, the first network device being the network device at which the destination device the user requests to connect to is located; the network device, using the IP address of the first network device as the destination address, establishes a tunnel between itself and the first network device, and binds the user to the tunnel so that the user can access the destination device over the tunnel. With this method and device, the network device can obtain the IP address of the network device at which the requested destination device is located and build the tunnel used for the user's message transmission, so that IP address does not need to be configured manually on the corresponding network device when the tunnel is built, which reduces the complexity of manual configuration.

Description

Tunnel establishment method and network device
Technical field
The present invention relates to the field of communication technology, and in particular to a tunnel establishment method and a network device.
Background art
Tunneling is an encapsulation technique: data packets of other network protocols are encapsulated in the packets of the tunneling protocol and then transmitted over the network. The path along which the encapsulated packets travel through the network is called a tunnel. A tunnel is a virtual point-to-point connection, and the two ends of the tunnel encapsulate and decapsulate the data packets. Tunneling technology refers to the whole process comprising data encapsulation, transmission and decapsulation.
At present, tunnels are normally established manually: before a tunnel is set up, the destination address of the tunnel must be configured by hand on the network device, and the network device then establishes the tunnel between itself and that destination address based on the manually configured address. With existing manual tunnel establishment, however, the destination address of the tunnel is configured by hand, which is inefficient, and because the destination address of the established tunnel is fixed, users who access something other than that destination address cannot use the tunnel for message transmission.
Summary of the invention
The invention provides a tunnel establishment method and a network device that overcome the problems of existing tunnel establishment, in which the tunnel destination address is configured manually.
An embodiment of the invention provides a tunnel establishment method comprising:
the network device obtains the IP address of a first network device according to address information of the first network device issued by an authentication server, the first network device being the network device at which the destination device the user requests to connect to is located;
the network device, using the IP address of the first network device as the destination address, establishes a tunnel between itself and the first network device, and binds the user to the tunnel so that the user accesses the destination device over the tunnel.
In a preferred embodiment, the network device's establishing the tunnel between itself and the first network device, with the IP address of the first network device as the destination address, specifically comprises:
the network device judges whether a tunnel whose destination address is the IP address of the first network device has already been established; if so, it binds the user directly to that tunnel; if not, it establishes the tunnel between itself and the first network device with the IP address of the first network device as the destination address, and binds the user to the tunnel.
In a preferred embodiment, the method further comprises:
when the network device detects that the user has gone offline, it judges whether other users are bound to the tunnel; if so, it removes the binding between the user and the tunnel; if not, it deletes the tunnel.
In a preferred embodiment, before the network device obtains the IP address of the first network device according to the address information of the first network device issued by the authentication server, the method further comprises:
the network device forwards the authentication request message sent by the user to the authentication server, so that the authentication server authenticates the user based on the authentication request message;
and the network device's obtaining the IP address of the first network device according to the address information of the first network device issued by the authentication server specifically comprises:
the network device receives the authorization response message returned by the authentication server after the user passes authentication, and obtains the IP address of the first network device carried in the authorization response message; or, after receiving the authorization response message returned by the authentication server after the user passes authentication, the network device sends an address request to the authentication server and obtains the IP address of the first network device that the authentication server issues based on that address request, where the address request is for the network device at which the destination device requested by the user is located.
In a preferred embodiment, after the network device establishes the tunnel between itself and the first network device with that IP address as the destination address, the method further comprises:
when the network device detects that the user has gone offline, it deletes the tunnel.
An embodiment of the invention also provides a network device comprising:
an address acquisition module, configured to obtain the IP address of a first network device according to address information of the first network device issued by an authentication server, the first network device being the network device at which the destination device the user requests to connect to is located;
a tunnel establishment module, configured to establish a tunnel between the network device and the first network device with the IP address of the first network device as the destination address, and to bind the user to the tunnel so that the user accesses the destination device over the tunnel.
In a preferred embodiment, the tunnel establishment module is specifically configured to judge whether a tunnel whose destination address is the IP address of the first network device has already been established; if so, to bind the user directly to that tunnel; if not, to establish the tunnel between the network device and the first network device with the IP address of the first network device as the destination address, and to bind the user to the tunnel.
In a preferred embodiment, the device further comprises:
a first tunnel removal module, configured, when the network device detects that the user has gone offline, to judge whether other users are bound to the tunnel; if so, to remove the binding between the user and the tunnel; if not, to delete the tunnel.
In a preferred embodiment, the device further comprises:
a forwarding module, configured to forward the authentication request message sent by the user to the authentication server, so that the authentication server authenticates the user based on the authentication request message;
and the address acquisition module is specifically configured to receive the authorization response message returned by the authentication server after the user passes authentication and to obtain the IP address of the first network device carried in the authorization response message; or, after receiving the authorization response message returned by the authentication server after the user passes authentication, to send an address request to the authentication server and to obtain the IP address of the first network device that the authentication server issues based on that address request, where the address request is for the network device at which the destination device requested by the user is located.
In a preferred embodiment, the device further comprises:
a second tunnel removal module, configured to delete the tunnel when the network device detects that the user has gone offline.
Compared with the prior art, the tunnel establishment method and network device provided by the embodiments of the invention have at least the following advantages: the network device can obtain from the authentication server the IP address of the network device at which the destination device requested by the user is located, and can establish the corresponding tunnel according to the obtained IP address; the network device thus establishes a tunnel according to the address of the destination the user requests, no destination address information needs to be configured manually on the corresponding network device during tunnel establishment, the complexity of manual configuration is reduced, and tunnels that meet the message transmission needs of different users can be established according to their different requests.
Description of drawings
Fig. 1 is a schematic flow chart of a tunnel establishment method provided by an embodiment of the invention;
Fig. 2 is a schematic flow chart of a tunnel establishment method provided by an embodiment of the invention;
Fig. 3 is a schematic flow chart of a tunnel establishment method provided by an embodiment of the invention;
Fig. 4 is a networking diagram of a VPN to which the tunnel establishment method provided by an embodiment of the invention is applied;
Fig. 5 is a schematic flow chart of a tunnel establishment method provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of a network device for tunnel establishment provided by an embodiment of the invention;
Fig. 7 is a schematic structural diagram of a network device for tunnel establishment provided by an embodiment of the invention;
Fig. 8 is a schematic structural diagram of a network device for tunnel establishment provided by an embodiment of the invention.
Embodiments
In view of the problems in the prior art, an embodiment of the invention provides a tunnel establishment method in which the network device obtains the IP address of the network device at which the destination device requested by the user is located and establishes a tunnel with the obtained IP address as the destination address. Tunnels can thereby be built dynamically, configuring the tunnel on the network device is avoided, and the needs of different users to transmit messages using tunneling technology can be met.
The embodiments of the invention are described in detail below with reference to the accompanying drawings.
Embodiment one provides a tunnel establishment method applied in a VPN (Virtual Private Network) in which users are authenticated by an authentication server. As shown in Figure 1, the tunnel establishment method provided by embodiment one may comprise the following steps:
Step 101: the network device obtains the IP address of a first network device according to address information of the first network device issued by the authentication server, the first network device being the network device at which the destination device the user requests to connect to is located.
In this embodiment, the first network device is the network device at which the destination device is located. Specifically, the destination device and the first network device may be the same device, or the first network device may be the device through which the destination device accesses the network, for example a router; this embodiment places no special restriction on this.
In this embodiment, the address information of the network device at which the destination device is located can be configured on the authentication server in advance, so that after the authentication server has authenticated a user requesting a service, it can issue to the network device the address information of the network device at which the destination device the user requests to connect to is located. The pre-configured address information of the network device at which the destination device is located may specifically be address information corresponding to the user's user name, address information corresponding to the address of the destination device requested by the user, or address information corresponding to the service type requested by the user, among others. For example, in some applications the services a user accesses under a user name all correspond to a unique destination device (or destination IP address); in that case the authentication server need only be configured with the address information of the network device at the destination device corresponding to the user's user name, and it can then determine the address information of the network device at the requested destination device from the user's user name. As another example, in some applications the services a user accesses may correspond to different destination devices; in that case the authentication server can be configured with the address information of the network device at each destination device, corresponding to the address of each destination device, and it can then determine the address information of the network device at the requested destination device from the address of the destination device the user accesses. As a further example, services of some particular service type may correspond to a single destination device; in that case the authentication server need only be configured with the address information of the network device at the destination device corresponding to that service type, and it can then determine the address information of the network device at the requested destination device from the service type the user accesses. The address information of the network device may be an IP address, or it may be domain name information, among others.
Step 102: the network device, with the IP address of the first network device as the destination address, establishes a tunnel between itself and the first network device, and binds the user to the established tunnel so that the user accesses the destination device over the tunnel.
In practice, when or before the authentication server issues the address information to the network device, it can notify the network device to establish a tunnel for the requesting user by means of corresponding signaling (for example the authorization response message) or by adding a corresponding field to that signaling, so that after receiving the signaling the network device establishes the tunnel with the obtained IP address of the first network device as the destination address; alternatively, the network device establishes the tunnel for the requesting user directly after receiving the address information issued by the authentication server.
In summary, this embodiment obtains from the authentication server the IP address of the network device at which the destination device requested by the user is located and establishes the corresponding tunnel according to the obtained IP address, so that the network device establishes a tunnel according to the address of the destination the user requests; no destination address information needs to be configured manually on the corresponding network device during tunnel establishment, the complexity of manual configuration is reduced, and tunnels that meet the message transmission needs of different users can be established according to their different requests.
Embodiment two provides a preferred implementation of tunnel establishment which, as shown in Figure 2, may comprise the following steps:
Step 201: after receiving the authentication request message sent by the user, the network device forwards it to the corresponding authentication server for authentication.
In practice, after receiving the authentication request message sent by the user, the network device can look up the authentication server corresponding to that message and forward the message to that server for authentication.
Step 202: the authentication server receives the authentication request message and, after the user passes authentication, returns an authorization response message to the network device.
After the network device receives the authorization response message sent by the authentication server, the user is considered to have passed verification and is allowed to access the service it requested.
In steps 201 and 202, the process of authenticating the user may be identical or similar to a conventional user authentication process; this embodiment does not limit it.
Step 203: the network device obtains the IP address of the first network device according to the address information of the first network device issued by the authentication server.
In this embodiment, the network device can obtain directly from the authentication server the IP address of the first network device through which the destination device the user requests to connect to accesses the network; that is, the address information of the first network device issued by the authentication server is the IP address of the first network device itself. Specifically, the following modes are possible:
Mode one: the network device receives the authorization response message returned by the authentication server after the user passes authentication, and obtains the IP address of the first network device carried in the authorization response message. That is, after the authentication server receives the user's authentication request forwarded by the network device and the user passes authentication, it can add a corresponding field to the authorization response message it returns, or modify a field in that message, so as to carry the IP address of the network device at which the destination device requested by the user is located, i.e. the IP address of the first network device.
Mode two: after receiving the response message returned by the authentication server after the user passes authentication, the network device sends an address request to the authentication server and obtains the IP address of the first network device that the authentication server issues based on that address request, where the address request is for the network device at which the destination device requested by the user is located. That is, after the network device receives the message from the authentication server indicating that the user has passed authentication, it can send an address request to that authentication server to request the IP address of the first network device at which the destination device the user requests is located. The address request message may specifically include the user's user name, and may also include information such as the address of the destination device the user requests to connect to; the authentication server can then, based on the user name or the address of the destination device, together with the pre-configured correspondence between the user name or destination device address and the address information of the network device at that destination device, issue the IP address of the network device at which the destination device is located to the network device.
In this embodiment, the authentication server is configured in advance with the address information of the network device at which the destination device is located, corresponding to the address of the destination device, and this address information is an IP address. Thus, when authenticating the user, the authentication server can obtain, based on the address of the destination device carried in the authentication information, the network device corresponding to that address, i.e. the IP address of the first network device, and can issue that IP address to the network device in mode one or mode two described above. Here, the user's authentication request information forwarded by the network device to the authentication server carries the address of the destination device the user requests to access.
In this embodiment, besides the authentication server directly issuing the IP address of the first network device in mode one or mode two, the authentication server may also issue other address information of the first network device from which the network device can obtain the IP address of the first network device. For example, the address information of the network device may be domain name information, in which case the IP address of the first network device can be obtained from the domain name information by querying a domain name server; correspondingly, the address information of the network device configured on the authentication server is then domain name information. As long as the IP address of the first network device can be obtained accurately and the tunnel required by the user can be established, the particular mode adopted does not affect the scope of protection of the application.
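The following is an added example, written for this page and not code from the patent or from H3C, that models steps 201 to 203 as described above: the authentication server holds the three kinds of pre-configured correspondence the description allows (by user name, by destination device address, by service type), the address information it issues may be an IP literal or a domain name, and the network device obtains that information either from the authorization response (mode one) or through a separate address request (mode two) and resolves a domain name before using it. The message dictionaries, the field name `first_device_address`, the lookup order, the resolver table and all addresses are constructed assumptions, not the patent's own format.

```python
import ipaddress

# Constructed example, not code from the patent. The authentication server is
# modelled as lookup tables keyed by user name, destination device address or
# service type; the value is the first network device's "address information",
# which may be an IP literal or a domain name. Field names are assumptions.


class AuthServer:
    def __init__(self, credentials, by_username, by_destination, by_service):
        self.credentials = credentials        # user name -> password (constructed)
        self.by_username = by_username        # user name -> address information
        self.by_destination = by_destination  # destination device address -> address information
        self.by_service = by_service          # service type -> address information

    def lookup_address_info(self, username=None, dest_addr=None, service_type=None):
        """Return the first network device's address information, or None.

        Any of the three correspondences may be configured; the first table that
        knows the key wins (this order is an assumption of the example)."""
        for table, key in ((self.by_username, username),
                           (self.by_destination, dest_addr),
                           (self.by_service, service_type)):
            if key is not None and key in table:
                return table[key]
        return None

    def handle_auth_request(self, request, carry_address):
        """Authenticate the user; in mode one the accept response also carries the address."""
        if self.credentials.get(request.get("username")) != request.get("password"):
            return {"result": "reject"}
        response = {"result": "accept"}
        if carry_address:
            info = self.lookup_address_info(request.get("username"),
                                            request.get("dest_addr"),
                                            request.get("service_type"))
            if info is not None:
                response["first_device_address"] = info  # assumed field name
        return response

    def handle_address_request(self, request):
        """Mode two: a separate address request sent after authentication succeeded."""
        return self.lookup_address_info(request.get("username"),
                                        request.get("dest_addr"),
                                        request.get("service_type"))


class NetworkDevice:
    def __init__(self, auth_server, dns_table):
        self.auth_server = auth_server
        self.dns_table = dns_table  # constructed stand-in for a domain name server

    def resolve(self, address_info):
        """Turn address information into an IP address string, or None if that fails."""
        try:
            return str(ipaddress.ip_address(address_info))  # already an IP literal
        except ValueError:
            return self.dns_table.get(address_info)        # domain name: query the resolver

    def obtain_first_device_ip(self, request, mode):
        """Steps 201-203: forward the authentication request, then obtain the IP address.
        mode 1: address information is carried in the authorization response.
        mode 2: the device sends an address request once the accept response arrives."""
        response = self.auth_server.handle_auth_request(request, carry_address=(mode == 1))
        if response["result"] != "accept":
            return None  # authentication failed: no tunnel is built for this user
        if mode == 1:
            info = response.get("first_device_address")
        else:
            info = self.auth_server.handle_address_request({
                "username": request.get("username"),
                "dest_addr": request.get("dest_addr"),
                "service_type": request.get("service_type"),
            })
        return self.resolve(info) if info is not None else None


# Constructed sample configuration using documentation address ranges.
AUTH_SERVER = AuthServer(
    credentials={"alice": "pw-alice", "bob": "pw-bob"},
    by_username={"alice": "198.51.100.2"},
    by_destination={"192.0.2.10": "gw-b.example"},
    by_service={"video": "203.0.113.3"},
)
DEVICE = NetworkDevice(AUTH_SERVER, dns_table={"gw-b.example": "198.51.100.3"})


def demo():
    """Exercise both modes and all three lookup keys; returns the obtained IPs."""
    return {
        "by_username_mode1": DEVICE.obtain_first_device_ip(
            {"username": "alice", "password": "pw-alice"}, mode=1),
        "by_destination_mode2": DEVICE.obtain_first_device_ip(
            {"username": "bob", "password": "pw-bob", "dest_addr": "192.0.2.10"}, mode=2),
        "by_service_mode1": DEVICE.obtain_first_device_ip(
            {"username": "bob", "password": "pw-bob", "service_type": "video"}, mode=1),
        "bad_password": DEVICE.obtain_first_device_ip(
            {"username": "alice", "password": "wrong"}, mode=1),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes explicit is that the tunnel endpoint is chosen by the authentication server's configuration, not by the user: a rejected authentication yields no address at all, and a domain name is only usable once the device has resolved it, which is why the resolve step sits between receiving the address information and the legality check of step 204.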
Step 204: the network device judges whether the IP address of the first network device is legal and reachable; if so, it proceeds to step 206; if not, it proceeds to step 205.
Step 205: the network device returns a tunnel establishment failure message to the user, and the process ends.
In steps 204 and 205, by having the network device judge, before establishing the tunnel, whether the IP address of the first network device that will serve as the destination IP address is legal, the establishment of tunnels to illegal or unreachable IP addresses is avoided, which saves the corresponding link resources and ensures the security of the tunnel that is established.
Step 206: the network device, with the IP address of the first network device as the destination address, establishes a tunnel between itself and the first network device.
In practice, before establishing the tunnel the network device can select, according to the locally stored routing table entries, the interface corresponding to this IP address; after selecting the interface, it establishes a GRE tunnel with this IP address as the destination address and notifies the corresponding interface management device that the link from this interface to this IP address is UP. Establishing the GRE tunnel with this IP address as the destination address is precisely establishing the tunnel between the network device and the network device at which the destination device is located.
Preferably, to avoid occupying unnecessary resources after the user goes offline, this embodiment may further comprise the following step after step 206:
Step 207: when the network device detects that this user has gone offline, it deletes this tunnel.
On the basis of the technical solutions of embodiment one or embodiment two, in order to reduce the number of tunnels established and further save tunnel resources, the tunnel establishment method provided in embodiment three may comprise the steps shown in Figure 3:
Step 301: after receiving the authentication request message sent by the user, the network device forwards it to the corresponding authentication server for authentication.
Step 302: the authentication server receives the authentication request message and, after the user passes authentication, returns an authorization response message to the network device.
Step 303: the network device obtains the IP address of the first network device according to the address information of the first network device issued by the authentication server.
Step 304: the network device judges whether the IP address of the first network device is legal and reachable; if so, it proceeds to step 306; if not, it proceeds to step 305.
Step 305: the network device returns a tunnel establishment failure message to the user, and the process ends.
Step 306: the network device judges whether a tunnel with this IP address as the destination address has already been established; if so, it proceeds to step 307; if not, it proceeds to step 308.
In this step, if the judgment is yes, the network device has previously received an authentication request message sent by another user, obtained the same IP address after receiving the corresponding authorization response message, and established a tunnel with this IP address as the destination address; the current user can then share this tunnel with the other users, and step 307 is executed.
Step 307: the network device binds this user to the already established tunnel whose destination address is this IP address, and proceeds to step 309.
After step 307, when the network device subsequently receives messages sent by this user, it uses this tunnel to send them to the peer network device.
By directly using the tunnel that has already been established, re-establishing a tunnel to the same destination IP address is avoided, which saves tunnel resources and reduces the workload of the network device.
Step 308: the network device establishes a tunnel with this IP address as the destination address, and binds this user to the established tunnel whose destination address is this IP address.
After step 307 or step 308, when the network device detects that this user has gone offline, embodiment three can delete the corresponding tunnel by the following steps, so as to ensure that other users can continue to use the corresponding tunnel normally:
Step 309: when the network device detects that this user has gone offline, it judges whether this tunnel is currently bound to other users; if so, it proceeds to step 310; if not, it proceeds to step 311.
Step 310: the network device removes the binding between this user and this tunnel, and the process ends.
Step 311: the network device deletes this tunnel.
Steps 309 to 311 both ensure that online users can continue to use the established tunnel normally and, when the tunnel is no longer occupied, delete it promptly to further save tunnel resources.
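The following is an added example, written for this page and not code from the patent or from H3C, that models one network device's tunnel bookkeeping for steps 204 to 206 of embodiment two and steps 306 to 311 of embodiment three: the destination IP is checked for legality and reachability, the tunnel is created only when none exists for that destination and is otherwise shared, and a user going offline either unbinds or deletes the tunnel depending on whether other users remain bound. The patent does not define "legal", so the example treats the unspecified, loopback, multicast, link-local and reserved ranges as illegal; "reachable" is modelled as a longest-prefix match in a constructed routing table. The routing table, interface names, the event log standing in for the link-UP notification, and all addresses are constructed assumptions. The scenario at the end uses the user and device names of embodiment four (users a1 and a2 behind device A, destination behind device B).

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example, not code from the patent: per-device tunnel bookkeeping
# for steps 204-206 and 306-311. Routing table, interface names and the event
# log are assumptions of this example.


@dataclass
class Tunnel:
    dest_ip: str
    interface: str
    users: set = field(default_factory=set)  # users currently bound to this tunnel


class TunnelManager:
    def __init__(self, routes):
        # routes: (prefix, outgoing interface) pairs standing in for the local routing table
        self.routes = [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]
        self.tunnels = {}  # destination IP -> Tunnel; at most one tunnel per destination
        self.events = []   # notifications a real device would send to interface management

    @staticmethod
    def is_legal(ip_str):
        """Step 204, first half: a valid unicast address that can serve as a tunnel endpoint.
        The excluded ranges are this example's reading of 'legal'; the patent does not define it."""
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return False
        return not (ip.is_unspecified or ip.is_loopback or ip.is_multicast
                    or ip.is_link_local or ip.is_reserved)

    def select_interface(self, ip_str):
        """Step 204, second half, and step 206: longest-prefix match in the routing table.
        Returns the outgoing interface, or None when the address is unreachable."""
        ip = ipaddress.ip_address(ip_str)
        best = None
        for net, ifname in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None

    def bind_user(self, user, dest_ip):
        """Steps 204-206 and 306-308. Returns 'created', 'shared' or 'failed'."""
        if not self.is_legal(dest_ip):
            return "failed"                      # step 205: tunnel establishment failure
        ifname = self.select_interface(dest_ip)
        if ifname is None:
            return "failed"                      # unreachable: also step 205
        tunnel = self.tunnels.get(dest_ip)
        if tunnel is None:                       # step 308: no tunnel to this address yet
            tunnel = Tunnel(dest_ip, ifname)
            self.tunnels[dest_ip] = tunnel
            self.events.append(f"GRE tunnel to {dest_ip} via {ifname}: link UP")
            outcome = "created"
        else:                                    # step 307: share the existing tunnel
            outcome = "shared"
        tunnel.users.add(user)
        return outcome

    def user_offline(self, user):
        """Steps 309-311. Returns 'unbound', 'deleted' or 'not bound'."""
        for dest_ip, tunnel in list(self.tunnels.items()):
            if user not in tunnel.users:
                continue
            tunnel.users.discard(user)
            if tunnel.users:                     # step 310: other users still bound
                return "unbound"
            del self.tunnels[dest_ip]            # step 311: last user gone, delete
            self.events.append(f"GRE tunnel to {dest_ip} via {tunnel.interface}: deleted")
            return "deleted"
        return "not bound"


def scenario():
    """Embodiment four's topology with constructed addresses: device A serves a1 and a2,
    both requesting destinations behind device B (198.51.100.3 here)."""
    device_a = TunnelManager(routes=[("198.51.100.0/24", "GE1/0/1"),
                                     ("203.0.113.0/24", "GE1/0/2")])
    results = [
        device_a.bind_user("a1", "198.51.100.3"),   # first user: tunnel created
        device_a.bind_user("a2", "198.51.100.3"),   # same destination: tunnel shared
        device_a.bind_user("a1", "192.0.2.7"),      # no route: setup fails
        device_a.bind_user("a2", "224.0.0.9"),      # multicast: illegal, setup fails
        device_a.user_offline("a1"),                # a2 still bound: only unbind
        device_a.user_offline("a2"),                # last user: tunnel deleted
    ]
    return results, len(device_a.tunnels), device_a.events


if __name__ == "__main__":
    print(scenario())
```

Keying the tunnel table by destination IP is what makes step 306 a dictionary lookup rather than a scan, and keeping the bound-user set on the tunnel is what lets step 309 decide between unbind and delete without consulting any other state; a device that skipped the legality check would accept whatever address the server issued, which is the failure mode steps 204 and 205 exist to prevent.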
Be elaborated below in conjunction with the flow process of concrete application scenarios to tunnel establishing method provided by the invention, be illustrated in figure 4 as a kind of concrete application scenarios of the tunnel establishing method that the embodiment of the invention four provides, suppose network equipment A and B, C crosses over IP network with user network a, b, c connects into same VPN (virtual private network), network equipment A, B, the tunnel type of consulting between the C is GRE(Generic Route Encapsulation, generic route encapsulation) tunnel, comprise two user terminal a1 among the user network a, a2, and be linked into IP network by network equipment A, comprise a user terminal b1 among the user network b, and be linked into IP network by network equipment B, comprise a user terminal c1 among the user network c, and be linked into IP network by network equipment C, when supposing a1 calling party network b simultaneously, need through AAA((Authentication﹠amp; Authorization﹠amp; Accounting, authentication and authorization charging) authentication of server, the corresponding relation of the IP address of the network equipment of the address of pre-configured user terminal and access on this aaa server, be the address of terminal equipment and the IP address of the terminal equipment place network equipment, as shown in Figure 5, when the user was established to the network connection of user terminal b1 by user terminal a1 request, the embodiment of the invention four provided tunnel establishing method to comprise the steps:
Step 501: the user sends an authentication request message from user terminal a1 to network device A, requesting a connection to user terminal b1.
The authentication request message carries the destination device the user is requesting, i.e. the address of user terminal b1. In practice the authentication request message also needs to carry the profile of the user who initiated the request from user terminal a1, including the user name, password and so on, so that the authentication server can authenticate the user accordingly.
Step 502: after receiving the user's authentication request message, network device A looks up the AAA server corresponding to this authentication request message and forwards the message to that AAA server.
Step 503: after receiving the user's authentication request message, the AAA server authenticates it.
The processing in steps 501 to 503 is similar or identical to the prior art and is not repeated here.
Step 504: once the user's authentication request message has passed authentication, the AAA server returns an authorization response message to network device A; this authorization response message carries the IP address of network device B.
For the AAA server, having received the authentication request message sent by the user and obtained the address of user terminal b1 from it, it can obtain the address of network device B by looking up the stored correspondence.
In practice, the user's authentication request message that network device A sends to the AAA server carries the address information of user terminal b1 within this VPN, which may be an IP address or a MAC address. For example, for a Layer 3 VPN this address information should be the IP address allocated to b1 within the VPN, and for a Layer 2 VPN it may be the MAC address of b1. In that case the correspondence between the address information of b1 and its access network device B must be stored on the AAA server in advance, so that the AAA server, on receiving the authentication request message, determines from the address information of b1 carried in the message that the network device to which the requested user equipment attaches is B.
In addition, when the user accesses a server of a particular type in network b from user terminal a1, for example user terminal b1, the authentication request message may carry the requested service type. In that case the correspondence between the service type provided by user terminal b1 and its access network device B must be provisioned on the AAA server in advance, and after receiving the authentication request message the AAA server looks up the IP address of the network device B to which user terminal b1 attaches according to the service type carried in the message.
In this step, the authorization response message that the AAA server returns after the authentication request message passes authentication needs to be modified so that it carries the IP address of network device B.
Step 505: network device A receives the authorization response message sent by the AAA server and obtains the IP address of network device B carried in it.
Step 506: network device A judges whether a tunnel to this IP address has already been established; if so, it proceeds to step 507, otherwise it proceeds to step 508.
In practice, before performing the above judgement, network device A may also be made to judge whether this IP address is valid; if it is valid, step 506 is performed, and if it is not, a tunnel establishment failure message is returned to user terminal a1 and the process ends, so that no further processing is carried out on an invalid or unreachable IP address.
If the result of the judgement in step 506 is yes, this indicates that before this judgement network device A had already established a tunnel to network device B for another user in network a, for example a user accessing a service through user terminal a2.
Step 507: network device A increments by 1 the user count of the tunnel corresponding to this IP address, and binds the connection from user terminal a1 to user terminal b1 onto this tunnel.
Binding here means establishing a correspondence between the connection from user terminal a1 to user terminal b1 and this tunnel, so that in subsequent processing, if network device A receives a message sent by user terminal a1 to user terminal b1, it applies the corresponding GRE encapsulation to the message and sends it over this tunnel to network device B.
For network device B: since the tunnel between network devices A and B may carry messages sent by several user terminals (such as user terminals a1 and a2), network device B, after receiving a message sent by network device A, needs to record the IP address of network device A once it has performed GRE decapsulation on the message, and, once it has decapsulated the inner layer, record the actual source address of the message, i.e. the address of user terminal a1 or user terminal a2, and establish a mapping from the address of user terminal a1 or a2 to the IP address of network device A. When it subsequently receives a message sent by user terminal b1 in network b whose destination address is the address of user terminal a1 or a2, it GRE-encapsulates the message and sends it to network device A over the tunnel between network devices A and B. Likewise, if the destination address of the message is user terminal c1, it GRE-encapsulates the message and sends it to network device C over the tunnel between network devices B and C.
Step 508: network device A establishes a tunnel whose destination address is this IP address, and sets the user count of this tunnel to 1.
Once network device A has established the tunnel whose destination address is this IP address, i.e. the tunnel to network device B, if it receives a message whose source address is the address of user terminal a1 and whose destination address is the address of user terminal b1, it GRE-encapsulates the message and sends it to network device B over the established tunnel.
Step 509: when network device A detects that user terminal a1 has gone offline, it decrements the user count of this tunnel by 1 and then judges whether the user count of the tunnel is 0; if so, step 510 is performed, otherwise step 511 is performed.
In practice, when network device A detects that user terminal a1 has gone offline, it also needs to look up the tunnel corresponding to the address information of user terminal a1, or look up the tunnel that user terminal a1 was using before it went offline, and then decrement the user count of the tunnel found by 1.
In this step, a user count of 0 for the tunnel indicates that no user is currently using it, and a non-zero count indicates that users are still using it. Of course, in practice those skilled in the art may use a variety of other means to judge whether other users are using the tunnel.
Step 510: network device A deletes the tunnel whose destination address is this IP address, and the process ends.
Step 511: network device A retains the tunnel whose destination address is this IP address.
In steps 509 to 511, deleting a tunnel that no user terminal is using reclaims the corresponding tunnel resources in the network and avoids wasting them.
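The control-plane side of steps 501 to 511 as a runnable walk-through. This is an added example, not code from the patent or from H3C. The patent never names the AAA protocol or says how the authorization response carries the address, so the example assumes RADIUS (RFC 2865) with the RFC 2868 Tunnel-Type and Tunnel-Server-Endpoint attributes; all addresses, the shared secret and the mapping tables are constructed. The check a practitioner would insist on sits in endpoint_from_accept: because this one attribute decides where network device A builds a tunnel, A must verify the Response Authenticator before acting on it. The address validity check that the text places before step 506 is spelled out in endpoint_is_legal, and TunnelManager is the refcounted tunnel table of steps 506 to 511.

```python
"""Control plane of steps 501-511 (added example, not the patent's code).
Assumed, not stated by the patent: the AAA protocol is RADIUS (RFC 2865) and the remote
device's address rides in the RFC 2868 Tunnel-Type (64) / Tunnel-Server-Endpoint (67)
attributes of the Access-Accept. Addresses, secret and mapping tables are constructed."""
import hashlib
import ipaddress
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_SERVER_ENDPOINT = 64, 67
TUNNEL_TYPE_GRE = 10                       # RFC 2868 section 5.1 value for GRE

class AAAServer:
    """Steps 503-504: map the requested terminal (or service type) to its access device."""
    def __init__(self, secret, device_of_terminal, device_of_service):
        self.secret = secret
        self.device_of_terminal = device_of_terminal   # b1's IP or MAC -> IP of device B
        self.device_of_service = device_of_service     # service type -> IP of device B

    def lookup(self, dest_addr=None, service_type=None):
        return self.device_of_terminal.get(dest_addr) or self.device_of_service.get(service_type)

    def access_accept(self, ident, request_auth, device_ip):
        # Tunnel-Type value = tag byte + 3-byte type; Tunnel-Server-Endpoint = tag byte + string
        attrs = bytes([ATTR_TUNNEL_TYPE, 6, 0]) + TUNNEL_TYPE_GRE.to_bytes(3, "big")
        ep = device_ip.encode()
        attrs += bytes([ATTR_TUNNEL_SERVER_ENDPOINT, 3 + len(ep), 0]) + ep
        header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
        # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
        return header + hashlib.md5(header + request_auth + attrs + self.secret).digest() + attrs

def endpoint_from_accept(pkt, request_auth, secret):
    """Step 505 on device A: authenticate the reply before trusting the address it carries."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt) or length < 20:
        raise ValueError("malformed Access-Accept")
    if hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("Response Authenticator mismatch: forged reply or wrong secret")
    attrs, off, tunnel_type, endpoint = pkt[20:], 0, None, None
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[off + 2:off + alen]
        if atype == ATTR_TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")             # skip the tag byte
        elif atype == ATTR_TUNNEL_SERVER_ENDPOINT and value:
            endpoint = (value[1:] if value[0] <= 0x1F else value).decode()   # tag is optional
        off += alen
    if tunnel_type != TUNNEL_TYPE_GRE or endpoint is None:
        raise ValueError("Access-Accept carries no GRE endpoint")
    return endpoint

def endpoint_is_legal(addr):
    """The 'is this IP address legal' check the text places before step 506."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_multicast
                or ip.is_link_local or ip.is_reserved)

class TunnelManager:
    """Device A's tunnel table, steps 506-511: one refcounted tunnel per remote device IP."""
    def __init__(self):
        self.users_of_tunnel = {}              # remote device IP -> set of bound user terminals
        self.tunnel_of_user = {}               # user terminal -> remote device IP

    def bind(self, user, device_ip):
        if not endpoint_is_legal(device_ip):
            raise ValueError(f"refusing tunnel to {device_ip}")
        if device_ip in self.users_of_tunnel:  # step 506 yes -> 507: reuse, count + 1
            self.users_of_tunnel[device_ip].add(user)
            action = "reused"
        else:                                   # step 508: create with count 1
            self.users_of_tunnel[device_ip] = {user}
            action = "created"
        self.tunnel_of_user[user] = device_ip
        return action

    def user_offline(self, user):
        device_ip = self.tunnel_of_user.pop(user)   # step 509: find the user's tunnel, count - 1
        users = self.users_of_tunnel[device_ip]
        users.discard(user)
        if users:
            return "kept"                           # step 511
        del self.users_of_tunnel[device_ip]         # step 510
        return "deleted"

def scenario():
    """Figure 4/5: a1 then a2 reach b1 behind device B; a1 goes offline, then a2."""
    secret, req_auth = b"constructed-shared-secret", bytes(16)
    aaa = AAAServer(secret, {"10.0.2.1": "198.51.100.2"}, {"video": "198.51.100.3"})
    nas, events = TunnelManager(), []
    for user, dest in (("a1", "10.0.2.1"), ("a2", "10.0.2.1")):
        accept = aaa.access_accept(1, req_auth, aaa.lookup(dest_addr=dest))
        events.append(nas.bind(user, endpoint_from_accept(accept, req_auth, secret)))
    events += [nas.user_offline("a1"), nas.user_offline("a2")]
    return events                                   # ['created', 'reused', 'kept', 'deleted']
```

scenario() follows Figure 5 with a1 and a2 both reaching b1: the first bind creates the tunnel to B, the second reuses it, a1 going offline keeps it and a2 going offline deletes it. Whether the address travels in Tunnel-Server-Endpoint or in a vendor-specific attribute, as the text's "modified authorization response" suggests, is a deployment choice; the authenticator check before the address is used is the same either way.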
In the embodiment of the invention, network device A obtains from the authorization response message returned by the AAA service the network device B to which the destination device b1, with which user terminal a1 requests communication, attaches, and establishes a connection to network device B. Network device A can thus automatically establish a tunnel to network device B without the IP address of network device B having been configured on network device A, which avoids manually configuring the tunnel from network device A to network device B on network device A and reduces configuration complexity. Moreover, because the tunnel is established dynamically, when the user needs to transmit messages the resources occupied by fixed tunnels are reduced and network utilization is improved.
It should be noted that the above embodiment is only a preferred implementation of the invention and does not limit its scope of protection. In practice, the method provided by the embodiment of the invention is not limited to establishing GRE tunnels; provided the tunnel is established using the tunnel establishment method provided by the embodiment, a change of tunnel type does not affect the scope of protection of this application.
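The data-plane behaviour that the notes to steps 507 and 508 describe for network devices A and B, as an added example rather than the patent's or H3C's code. It builds option-less IPv4 and RFC 2784 GRE headers with struct, has network device B decapsulate traffic arriving over its tunnels, learn the mapping from inner source terminal to outer source device, and use that mapping to choose the tunnel for return traffic to a1, a2 or c1. All addresses are constructed. One check is the example's own and is not in the patent text: B only learns a mapping from GRE that arrives from a device it actually has a tunnel with, because a mapping is only as trustworthy as the outer source it was learned from.

```python
"""Data plane of the notes to steps 507-508 (added example, not the patent's code).
Device B decapsulates GRE (RFC 2784, IPv4 inner packets) from its tunnels, learns
"inner source terminal -> outer source device" and picks the return tunnel from it.
Addresses are constructed; the inner payload stands in for a real datagram."""
import socket
import struct

IPPROTO_GRE, ETHERTYPE_IPV4 = 47, 0x0800

def ipv4_checksum(header):
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    # version 4, IHL 5, no options, DF set, TTL 64; checksum filled in afterwards
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def inner_packet(src, dst, payload):
    return ipv4_header(src, dst, 17, len(payload)) + payload      # protocol 17 = UDP, opaque here

def gre_encapsulate(outer_src, outer_dst, inner):
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)                   # no C/K/S bits, version 0
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(frame):
    """Return (outer_src, outer_dst, inner) or raise if this is not plain GRE over IPv4."""
    if len(frame) < 24 or frame[0] != 0x45 or frame[9] != IPPROTO_GRE:
        raise ValueError("not GRE in an option-less IPv4 header")
    if ipv4_checksum(frame[:20]) != 0:                             # a valid header sums to zero
        raise ValueError("bad outer IPv4 checksum")
    flags_version, proto = struct.unpack("!HH", frame[20:24])
    if flags_version != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("GRE optional fields or non-IPv4 payload not handled")
    return socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20]), frame[24:]

class TunnelEndpoint:
    """Network device B. `peers` is the set of devices B has tunnels with (A and C in Figure 4);
    only learning from those peers is an added check the patent text does not spell out."""
    def __init__(self, own_ip, peers):
        self.own_ip, self.peers = own_ip, set(peers)
        self.peer_of_terminal = {}          # remote terminal address -> remote device IP

    def receive_from_tunnel(self, frame):
        peer, outer_dst, inner = gre_decapsulate(frame)
        if outer_dst != self.own_ip or peer not in self.peers:
            raise ValueError(f"GRE from {peer} to {outer_dst} is not one of this device's tunnels")
        inner_src = socket.inet_ntoa(inner[12:16])              # a1 or a2 behind A, c1 behind C
        self.peer_of_terminal[inner_src] = peer
        return inner                                             # forwarded into user network b

    def send_from_local(self, inner):
        inner_dst = socket.inet_ntoa(inner[16:20])
        peer = self.peer_of_terminal.get(inner_dst)
        if peer is None:
            raise LookupError(f"no tunnel learned for {inner_dst}")
        return gre_encapsulate(self.own_ip, peer, inner)

def scenario():
    """Constructed Figure 4 addresses: A, B, C on 198.51.100.0/24; a1, a2 in 10.0.1.0/24; b1 10.0.2.1; c1 10.0.3.1."""
    A, B, C = "198.51.100.1", "198.51.100.2", "198.51.100.3"
    b = TunnelEndpoint(B, peers={A, C})
    for src, via in (("10.0.1.1", A), ("10.0.1.2", A), ("10.0.3.1", C)):
        b.receive_from_tunnel(gre_encapsulate(via, B, inner_packet(src, "10.0.2.1", b"request")))
    to_a1 = b.send_from_local(inner_packet("10.0.2.1", "10.0.1.1", b"reply"))
    to_c1 = b.send_from_local(inner_packet("10.0.2.1", "10.0.3.1", b"reply"))
    return socket.inet_ntoa(to_a1[16:20]), socket.inet_ntoa(to_c1[16:20]), dict(b.peer_of_terminal)
```

scenario() delivers traffic from a1 and a2 through the A-B tunnel and from c1 through the C-B tunnel, then shows b1's replies leaving B with outer destination A or C according to the learned mapping. GRE itself carries no authentication or confidentiality; the patent leaves the choice of tunnel type open, and a deployment that needs either would run the same binding logic over a protected tunnel type.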
Based on the same concept, embodiment five of the invention also provides a network device for establishing tunnels, applied in a VPN authenticated by an authentication server. As shown in Figure 6, the network device comprises:
an address acquisition module 601, configured to obtain the IP address of a first network device according to the address information of the first network device issued by the authentication server, the first network device being the network device where the destination device to which the user requests a connection is located; and
a tunnel establishment module 602, configured to take the IP address of the first network device as the destination address, establish a tunnel between this network device and the first network device, and bind the user to the tunnel, so that the user accesses the destination device over the tunnel.
The network device of this embodiment can establish a tunnel for a user according to the steps of the method embodiments of the invention described above; for its concrete implementation see the description of those method embodiments, which is not repeated here.
The tunnel-establishing network device provided by embodiment six of the invention may also specifically comprise the modules shown in Figure 7:
an address acquisition module 701, configured to obtain the IP address of a first network device according to the address information of the first network device issued by the authentication server, the first network device being the network device where the destination device to which the user requests a connection is located; and
a tunnel establishment module 702, specifically configured to judge whether a tunnel whose destination address is the IP address of the first network device has already been established; if so, to bind the user directly to that tunnel; if not, to take the IP address of the first network device as the destination address, establish a tunnel between this network device and the first network device, and bind the user to the tunnel.
Preferably, the device may also comprise:
a first tunnel removal module 703, configured, when this network device detects that the user has gone offline, to judge whether other users are bound to the tunnel; if so, to remove the binding between this user and the tunnel; if not, to delete the tunnel.
In this embodiment, users whose requested destination devices are located at network devices with the same IP address share and reuse the same tunnel; for the concrete implementation see the description of the method embodiments of the invention above, which is not repeated here.
The tunnel-establishing network device provided by embodiment seven of the invention may also specifically comprise the modules shown in Figure 8:
an address acquisition module 801, configured to obtain the IP address of a first network device according to the address information of the first network device issued by the authentication server, the first network device being the network device where the destination device to which the user requests a connection is located;
a tunnel establishment module 802, configured to take the IP address of the first network device as the destination address, establish a tunnel between this network device and the first network device, and bind the user to the tunnel, so that the user accesses the destination device over the tunnel; and
a forwarding module 803, configured to forward the authentication request message sent by the user to the authentication server, so that the authentication server authenticates the user based on the authentication request message;
wherein the address acquisition module 801 is specifically configured to receive the authorization response message returned by the authentication server after the user passes authentication and obtain the IP address of the first network device carried in the authorization response message; or, after receiving the authorization response message returned by the authentication server after the user passes authentication, to send an address request to the authentication server and obtain the IP address of the first network device that the authentication server issues based on that address request, the address request being used to request the network device where the destination device requested by the user is located.
Preferably, the device may also comprise:
a second tunnel removal module 804, configured to delete the tunnel when this device detects that the user has gone offline.
In each of the above network device embodiments, the modules may be integrated in one unit or deployed separately. The above modules may be merged into a single module or further split into several sub-modules.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention may be implemented by hardware, or by software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) and includes instructions that cause a computer device (such as a personal computer, a server or a network device) to perform the method described in each embodiment of the invention.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be distributed in the device of the embodiment as described, or may be changed accordingly and located in one or more devices different from the present embodiment. The modules of the above embodiments may be merged into one module or further split into several sub-modules.
The above serial numbers of the embodiments of the invention are for description only and do not indicate the relative merit of the embodiments.
What is disclosed above is only several specific embodiments of the invention, but the invention is not limited thereto; any variation that those skilled in the art can conceive shall fall within the scope of protection of the invention.

Claims (10)

1. A tunnel establishment method, characterized in that the method comprises:
a network device obtaining the IP address of a first network device according to address information of the first network device issued by an authentication server, the first network device being the network device where the destination device to which a user requests a connection is located;
the network device, taking the IP address of the first network device as the destination address, establishing a tunnel between the network device and the first network device, and binding the user to the tunnel, so that the user accesses the destination device over the tunnel.
2. The method according to claim 1, characterized in that the network device, taking the IP address of the first network device as the destination address, establishing a tunnel between the network device and the first network device specifically comprises:
the network device judging whether a tunnel whose destination address is the IP address of the first network device has already been established; if so, binding the user directly to that tunnel; if not, taking the IP address of the first network device as the destination address, establishing a tunnel between the network device and the first network device, and binding the user to the tunnel.
3. The method according to claim 2, characterized in that the method further comprises:
when the network device detects that the user has gone offline, judging whether other users are bound to the tunnel; if so, removing the binding between the user and the tunnel; if not, deleting the tunnel.
4. The method according to any one of claims 1 to 3, characterized in that, before the network device obtains the IP address of the first network device according to the address information of the first network device issued by the authentication server, the method further comprises:
the network device forwarding an authentication request message sent by the user to the authentication server, so that the authentication server authenticates the user based on the authentication request message;
and in that the network device obtaining the IP address of the first network device according to the address information of the first network device issued by the authentication server specifically comprises:
the network device receiving an authorization response message returned by the authentication server after the user passes authentication and obtaining the IP address of the first network device carried in the authorization response message; or, the network device, after receiving the authorization response message returned by the authentication server after the user passes authentication, sending an address request to the authentication server and obtaining the IP address of the first network device that the authentication server issues based on the address request, the address request being used to request the network device where the destination device requested by the user is located.
5. The method according to claim 1, characterized in that, after the network device, taking the IP address as the destination address, establishes the tunnel between the network device and the first network device, the method further comprises:
when the network device detects that the user has gone offline, deleting the tunnel.
6. A network device, characterized in that it comprises:
an address acquisition module, configured to obtain the IP address of a first network device according to address information of the first network device issued by an authentication server, the first network device being the network device where the destination device to which a user requests a connection is located; and
a tunnel establishment module, configured to take the IP address of the first network device as the destination address, establish a tunnel between the network device and the first network device, and bind the user to the tunnel, so that the user accesses the destination device over the tunnel.
7. The device according to claim 6, characterized in that the tunnel establishment module is specifically configured to judge whether a tunnel whose destination address is the IP address of the first network device has already been established; if so, to bind the user directly to that tunnel; if not, to take the IP address of the first network device as the destination address, establish a tunnel between the network device and the first network device, and bind the user to the tunnel.
8. The device according to claim 7, characterized in that it further comprises:
a first tunnel removal module, configured, when the network device detects that the user has gone offline, to judge whether other users are bound to the tunnel; if so, to remove the binding between the user and the tunnel; if not, to delete the tunnel.
9. The device according to any one of claims 6 to 8, characterized in that it further comprises:
a forwarding module, configured to forward an authentication request message sent by the user to the authentication server, so that the authentication server authenticates the user based on the authentication request message;
the address acquisition module being specifically configured to receive the authorization response message returned by the authentication server after the user passes authentication and obtain the IP address of the first network device carried in the authorization response message; or, after receiving the authorization response message returned by the authentication server after the user passes authentication, to send an address request to the authentication server and obtain the IP address of the first network device that the authentication server issues based on the address request, the address request being used to request the network device where the destination device requested by the user is located.
10. The device according to claim 6, characterized in that it further comprises:
a second tunnel removal module, configured to delete the tunnel when the network device detects that the user has gone offline.
Application CN2013102010728A, Tunnel building method and network equipment: priority date 2013-05-24, filing date 2013-05-24, status Pending. Published as CN103259736A (en) on 2013-08-21.

Legal Events

C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date 2013-08-21)