Specific embodiment
Exemplary embodiments are described in detail here, with examples illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application. Rather, they are merely examples of devices and methods consistent with some aspects of this application, as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Fig. 1 is an application scenario diagram for tunnel identifier conversion according to an exemplary embodiment of this application. Fig. 1 includes clients, a load-balancing device, multiple VPN devices (three are shown in the figure), and a server. A client may be a PC (personal computer), a mobile phone, a tablet device, etc., and uses the tunnel identifier assigned to it by a VPN device to access the server, thereby achieving VPN service access. The load-balancing device may be a firewall and schedules the traffic of all clients onto different VPN devices to relieve the pressure on the VPN devices. The number of VPN devices may be set according to the number of clients; a VPN device assigns tunnel identifiers to clients and forwards to the server the service messages sent by a client that carry that tunnel identifier.
In the prior art, for example, when client 1 and client 2 need to access the VPN service, they send access request message 1 and access request message 2 respectively to the load-balancing device. The load-balancing device uses a load-balancing scheduling algorithm to assign a VPN device to each access request message. Suppose access request message 1 is assigned VPN device 1 and access request message 2 is assigned VPN device 2; the load-balancing device then forwards access request message 1 to VPN device 1 and access request message 2 to VPN device 2. VPN device 1 and VPN device 2 each authenticate the client information carried in the access request message they receive and, once authentication succeeds, assign a tunnel identifier to the client. Suppose VPN device 1 assigns tunnel identifier 1 to client 1, and VPN device 2 also assigns tunnel identifier 1 to client 2. When the VPN devices respond to the clients (a response may also be called a control message), the response returned by VPN device 1 passes through the load-balancing device first and the response returned by VPN device 2 passes through it afterwards, so the entry finally recorded in the load-balancing device's table is tunnel identifier 1 with the device information of VPN device 2. After receiving the responses, client 1 and client 2 send service messages carrying tunnel identifier 1 to the load-balancing device. The load-balancing device uses tunnel identifier 1 to look up the device information of the corresponding VPN device 2 and forwards the service messages of both client 1 and client 2 to VPN device 2. Because client 1 was not authenticated on VPN device 2, VPN device 2 does not process the service message sent by client 1 when it receives it, and the service of client 1 becomes abnormal.
In the embodiments of this application, when the load-balancing device receives a response returned by a VPN device (hereinafter, a control message), it first obtains the device identifier corresponding to the IP address of that VPN device and obtains the node identifier of the minimum available node according to a preset rule. It then replaces the tunnel identifier in the control message with a tunnel identifier generated from the device identifier and the node identifier. This avoids the problem of client services becoming abnormal because different VPN devices assign the same tunnel identifier to different clients.
Fig. 2 is a flowchart of an embodiment of a tunnel identifier conversion method according to an exemplary embodiment of this application. In this embodiment, when a client accesses the VPN service, its interaction with the VPN device is based on L2TP (Layer 2 Tunneling Protocol). Because L2TP supports multiple tunnels between two endpoints, the client can use a tunnel identifier to access the VPN service through a VPN device. As shown in Fig. 2, this embodiment is applied on the load-balancing device and comprises the following steps:
Step 201: Receive a control message from a VPN device; the control message carries the IP address of the VPN device and a first tunnel identifier.
Before step 201 is executed, a client accessing the VPN service sends an access request to the load-balancing device. The load-balancing device assigns a VPN device to the access request using a load-balancing scheduling algorithm (for example, weighted round robin) and sends the access request to the assigned VPN device. The VPN device then specifies an available first tunnel identifier for the client's access request and sends the first tunnel identifier to the load-balancing device.
It follows that the load-balancing device receives a control message from the VPN device, and that the control message carries the first tunnel identifier and the IP address of the VPN device. The source IP address of the control message is the IP address of the VPN device.
As for how the VPN device specifies an available first tunnel identifier for the client's access request: in one example, the client's access request may carry a desired tunnel identifier, so the VPN device first obtains the desired tunnel identifier carried in the access request. If the tunnel that the desired tunnel identifier points to is unavailable, the VPN device designates another tunnel that can carry service traffic, and the identifier of that tunnel is the first tunnel identifier; if the tunnel that the desired tunnel identifier points to is available, the VPN device uses the desired tunnel identifier as the first tunnel identifier. In another example, the VPN device may directly specify an available first tunnel identifier for the client's access request.
Step 202: Obtain the device identifier corresponding to the IP address of the VPN device, and obtain the node identifier of the minimum available node according to a preset rule.
Before step 202 is executed, the load-balancing device may obtain the number of all VPN devices from a preset VPN device cluster and use that number to determine the bit width of the device identifier. Then, for each VPN device, it numbers the VPN device according to that bit width, takes the number as the device identifier of the VPN device, and finally adds the IP address of the VPN device and the device identifier to the address-to-identifier correspondence table.
Here, the preset VPN device cluster refers to all VPN devices connected to the load-balancing device, and the cluster records the IP addresses of all of those VPN devices. A device identifier may be a number, a character, or a combination of numbers and characters; numbers are used as the example below. For example, suppose the VPN device cluster contains 7 VPN devices. Because computers normally store numbers in binary form, the bit width of the device identifier can be determined to be 3, so the 7 VPN devices can be numbered 000 (number 0), 001 (number 1), 010 (number 2), 011 (number 3), 100 (number 4), 101 (number 5) and 110 (number 6). Table 1 shows an exemplary address-to-identifier correspondence table.
IP address of VPN device | Device identifier
IP0 | 000
IP1 | 001
IP2 | 010
IP3 | 011
IP4 | 100
IP5 | 101
IP6 | 110
Table 1
To obtain the device identifier corresponding to the IP address of the VPN device, the load-balancing device can look up the address-to-identifier correspondence table using the IP address of the VPN device and obtain the corresponding device identifier. With Table 1, for example, if the IP address of the VPN device is IP1, the corresponding device identifier obtained is 001.
To obtain the node identifier of the minimum available node according to the preset rule, the load-balancing device can obtain the address of the minimum available node from an array linked list and then obtain the node identifier recorded in the node that this address points to.
To obtain the address of the minimum available node from the array linked list, the load-balancing device can take the address of the next available node recorded in the first node of the array linked list as the address of the minimum available node, and replace the next-available-node address recorded in the first node with the next-available-node address recorded in the minimum available node.
The array linked list contains N nodes, and each node records its own node identifier and the address of the next available node. N is a preset value raised to the power of the bit width of the node identifier. The node identifier may be the numeric index of the node in the array linked list, i.e. the array subscript. Because computers normally store numbers in binary form, the preset value is 2, so the number of nodes in the array linked list is 2 raised to the power of the bit width of the node identifier. The bit width of the node identifier is determined by the bit width of the second tunnel identifier and the bit width of the device identifier.
As for how the bit width of the node identifier is determined from the bit width of the second tunnel identifier and the bit width of the device identifier: the second tunnel identifier consists of a preset number of bits, and the bit width of the node identifier is the difference between that preset number of bits and the bit width of the device identifier. Because a tunnel identifier in the L2TP protocol consists of 16 bits, the preset number of bits may be 16. For example, if the bit width of the device identifier is 3, the bit width of the node identifier is 16 - 3 = 13.
The following example illustrates how a node identifier is obtained. Suppose the available-node address recorded in the first node of the array linked list is the address of the 4th node, and the first node's own node identifier is 0000 0000 0000 0 (number 0). The node that the address of the 4th node points to records the node identifier 0000 0000 0001 1 (number 3). This indicates that node identifier 1 and node identifier 2 are already in use and that the node identifier of the current minimum available node is 0000 0000 0001 1. The load-balancing device can then replace the address of the 4th node recorded in the first node with the next-available-node address recorded in the 4th node, i.e. the address of the 5th node. The next time the load-balancing device obtains the node identifier of the minimum available node, it gets the node identifier 0000 0000 0010 0 (number 4) of the 5th node.
Step 203: Obtain the second tunnel identifier using the device identifier and the node identifier.
Specifically, the load-balancing device can combine the device identifier and the node identifier according to a preset combination order to obtain the second tunnel identifier.
The preset combination order may be device identifier first and node identifier last, or device identifier last and node identifier first; this is not limited here.
An example follows, with the device identifier first and the node identifier last. VPN device 1 returns control message 1 for client 1, and VPN device 2 returns control message 2 for client 2; the first tunnel identifier carried in both control message 1 and control message 2 is 0010 0000 0010 1101 (number 45). Suppose that for control message 1 the load-balancing device obtains the minimum available node identifier 0000 0000 0001 1, and the device identifier of VPN device 1 is 001; for control message 2 it obtains the minimum available node identifier 0000 0000 0010 0, and the device identifier of VPN device 2 is 010. The second tunnel identifier obtained for control message 1 is therefore 0010 0000 0000 0011, and the second tunnel identifier for control message 2 is 0100 0000 0000 0100.
Steps 201 to 203 show that, for different VPN devices, even if the first tunnel identifiers they specify are the same, their device identifiers differ and the node identifiers obtained also differ, so the second tunnel identifiers that the load-balancing device derives from the device identifier and the node identifier differ as well. Thus, even if two clients have been assigned the same first tunnel identifier, their second tunnel identifiers are different, and the load-balancing device can still distinguish the different VPN devices that correspond to the different clients.
Step 204: Replace the first tunnel identifier in the control message with the second tunnel identifier, and forward the control message to the client.
The control message can be forwarded to the client according to the existing forwarding process, which is not described again here. On receiving the control message, the client can use the second tunnel identifier to access the VPN service.
Before replacing the first tunnel identifier with the second tunnel identifier, the load-balancing device can record the first tunnel identifier, the second tunnel identifier and the IP address of the VPN device in a session-persistence entry. After forwarding the control message to the client, the load-balancing device receives a service message from the client (a forward service message) that carries the second tunnel identifier. It can use the second tunnel identifier to look up the session-persistence entry, obtain the corresponding first tunnel identifier and VPN device IP address, replace the second tunnel identifier in the service message with the first tunnel identifier, and send the service message to the VPN device that the IP address points to. The VPN device in turn forwards the forward service message to the server, and the server returns a reverse service message to the client in response to the forward service message. Correspondingly, when the load-balancing device receives the reverse service message forwarded by the VPN device, it uses the first tunnel identifier and the IP address of the VPN device to look up the session-persistence entry, obtains the corresponding second tunnel identifier, replaces the first tunnel identifier with the second tunnel identifier, and forwards the reverse service message to the client. This ensures that the client's service works normally.
Note that, in general, the direction of messages sent from the client to the server may be called "forward", and the direction of messages the server returns in response to received forward messages may be called "reverse".
It should further be noted that each node in the array linked list other than the first node may also record the address of the previous available node, and that a used flag is added to a node once it has been used, to indicate that the node is in use. When a client disconnects from the VPN service, its node identifier in the array linked list can be released. The release process is described in detail below. For ease of description, the previous-node address and next-node address recorded in a node that is in use are referred to as the address of the previous node and the address of the next node recorded in that node.
When the load-balancing device receives an offline message from a client, it obtains the second tunnel identifier carried in the offline message, derives the corresponding node identifier according to the preset combination order, finds the node with that node identifier among the nodes in use, and deletes the used flag recorded in that node. It then determines whether the node pointed to by the previous-node address recorded in that node is in use. If it is not in use, the load-balancing device replaces the next-node address recorded in the node with the next-available-node address recorded in the previous node, and replaces the next-available-node address recorded in the previous node with the address of the node. If it is in use, the load-balancing device continues, for that in-use node, to check whether the node pointed to by its recorded previous-node address is in use, until it finds a node that is not in use; it then replaces the next-node address recorded in the node with the next-available-node address recorded in that unused node, and replaces the next-available-node address recorded in the unused node with the address of the node.
From the description following step 204, it can be seen that by releasing node identifiers in the array linked list, the load-balancing device avoids running out of nodes in the array linked list and being unable to obtain a second tunnel identifier.
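Added example (not part of the patent text): a Python sketch of steps 201 to 204 and the release procedure, with the array linked list kept as a sorted free list so that allocation always returns the minimum available node. The class and method names, the 192.0.2.x addresses, the rule used to pick the device-identifier width, and the reuse of an existing entry for a repeated control message are assumptions made for this illustration.

```python
"""Second-tunnel-ID allocation and session lookup on the load balancer (added sketch)."""

TUNNEL_ID_BITS = 16  # an L2TP tunnel ID is 16 bits


class TunnelIdTranslator:
    def __init__(self, vpn_ips):
        # Assumption: the device-ID width is the fewest bits that can number
        # every device in the cluster (7 devices -> 3 bits, as in Table 1).
        self.dev_bits = max(1, (len(vpn_ips) - 1).bit_length())
        self.node_bits = TUNNEL_ID_BITS - self.dev_bits
        self.dev_id = {ip: n for n, ip in enumerate(vpn_ips)}
        size = 1 << self.node_bits
        # Array linked list: the index is the node ID. Node 0 is the first
        # node (list head) and is never handed out. next_free[i] is the next
        # available node; 0 means "none left".
        self.next_free = [(i + 1) % size for i in range(size)]
        self.used = [False] * size
        self.by_second = {}  # second ID -> (VPN IP, first ID)
        self.by_first = {}   # (VPN IP, first ID) -> second ID

    def _alloc_node(self):
        node = self.next_free[0]
        if node == 0:
            raise RuntimeError("node IDs exhausted")
        self.next_free[0] = self.next_free[node]
        self.used[node] = True
        return node

    def _free_node(self, node):
        # Walk back to the nearest node that is not in use and splice the
        # released node in after it, which keeps the free list in ascending order.
        self.used[node] = False
        prev = node - 1
        while self.used[prev]:  # the head is never marked used, so this stops
            prev -= 1
        self.next_free[node] = self.next_free[prev]
        self.next_free[prev] = node

    def on_control(self, vpn_ip, first_id):
        """Control message from a VPN device: return the ID to send the client."""
        key = (vpn_ip, first_id)
        if key in self.by_first:  # assumption: a repeated control message reuses its entry
            return self.by_first[key]
        dev = self.dev_id[vpn_ip]  # KeyError: sender is not in the cluster
        second = (dev << self.node_bits) | self._alloc_node()  # device ID first
        self.by_second[second] = key
        self.by_first[key] = second
        return second

    def on_forward(self, second_id):
        """Client service message: (VPN IP, first ID), or None if no session."""
        return self.by_second.get(second_id)

    def on_reverse(self, vpn_ip, first_id):
        """Service message from a VPN device: second ID, or None if no session."""
        return self.by_first.get((vpn_ip, first_id))

    def on_offline(self, second_id):
        """Client went offline: drop the session entry and release its node ID."""
        key = self.by_second.pop(second_id, None)
        if key is None:
            return False  # unknown ID: nothing to release
        del self.by_first[key]
        self._free_node(second_id & ((1 << self.node_bits) - 1))
        return True


if __name__ == "__main__":
    ips = [f"192.0.2.{10 + n}" for n in range(7)]  # constructed addresses
    lb = TunnelIdTranslator(ips)
    lb.on_control(ips[3], 7)   # takes node ID 1
    lb.on_control(ips[4], 8)   # takes node ID 2
    for ip in (ips[1], ips[2]):  # both devices picked first ID 45
        print(ip, format(lb.on_control(ip, 45), "016b"))
```

A service message whose tunnel identifier has no session entry gets `None` from `on_forward`, so the caller can drop it instead of forwarding it to a VPN device that never authenticated the sender.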
As the above embodiment shows, when the load-balancing device receives a control message from a VPN device, it obtains the device identifier corresponding to the VPN device IP address carried in the control message, obtains the node identifier of the minimum available node according to the preset rule, derives the second tunnel identifier from the device identifier and the node identifier, replaces the first tunnel identifier carried in the control message with the second tunnel identifier, and forwards the control message to the client. With this implementation, because the load-balancing device derives the second tunnel identifier from the device identifier and the node identifier, even if different VPN devices specify the same first tunnel identifier for two clients, the device identifiers and node identifiers differ and so do the resulting second tunnel identifiers. The two clients therefore send service messages to the load-balancing device using different second tunnel identifiers. The load-balancing device can use the different second tunnel identifiers to distinguish the VPN device IP address and first tunnel identifier corresponding to each client, replace the second tunnel identifier with the first tunnel identifier, and send the service message to the VPN device that the IP address points to, which ensures that the clients' services work normally.
Corresponding to the foregoing embodiment of the tunnel identifier conversion method, this application also provides an embodiment of a tunnel identifier conversion apparatus.
The embodiment of the tunnel identifier conversion apparatus of this application can be applied on a load-balancing device. The apparatus embodiment may be implemented in software, or in hardware or a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed by the processor of the device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 3 is a hardware structure diagram of a load-balancing device according to an exemplary embodiment of this application. In addition to the processor, memory, network interface and non-volatile memory shown in Fig. 3, the device on which the apparatus resides may also include other hardware according to the actual function of the device, which is not described further.
Fig. 4 is a structural diagram of an embodiment of a tunnel identifier conversion apparatus according to an exemplary embodiment of this application. As shown in Fig. 4, the embodiment is applied on a load-balancing device, and the apparatus includes a receiving unit 410, an acquiring unit 420, an obtaining unit 430, a replacement unit 440 and a forwarding unit 450.
The receiving unit 410 is configured to receive a control message from a VPN device, the control message carrying the IP address of the VPN device and a first tunnel identifier;
The acquiring unit 420 is configured to obtain the device identifier corresponding to the IP address of the VPN device, and to obtain the node identifier of the minimum available node according to a preset rule;
The obtaining unit 430 is configured to obtain a second tunnel identifier using the device identifier and the node identifier;
The replacement unit 440 is configured to replace the first tunnel identifier in the control message with the second tunnel identifier;
The forwarding unit 450 is configured to forward the control message to the client.
In an optional implementation, the acquiring unit 420 is specifically configured, when obtaining the device identifier corresponding to the IP address of the VPN device, to look up the address-to-identifier correspondence table using the IP address of the VPN device and obtain the device identifier corresponding to the IP address of the VPN device.
In another optional implementation, the apparatus further includes (not shown in Fig. 4) a correspondence table establishing unit.
The correspondence table establishing unit is configured to obtain the number of all VPN devices from the preset VPN device cluster; determine the bit width of the device identifier using that number; for each VPN device, number the VPN device according to the bit width and take the number as the device identifier of the VPN device; and add the IP address of the VPN device and the device identifier to the address-to-identifier correspondence table.
In another optional implementation, the second tunnel identifier consists of a preset number of bits, and the bit width of the node identifier is the difference between the preset number of bits and the bit width of the device identifier. The acquiring unit 420 is further specifically configured, when obtaining the node identifier of the minimum available node according to the preset rule, to take the address of the next available node recorded in the first node of the array linked list as the address of the minimum available node, where the array linked list contains N nodes, each node records its own node identifier and the address of the next available node, and N is a preset value raised to the power of the bit width of the node identifier; to obtain the node identifier recorded in the node that the address of the minimum available node points to, and take that node identifier as the node identifier of the minimum available node; and to replace the next-available-node address recorded in the first node with the next-available-node address recorded in the minimum available node.
In another optional implementation, the obtaining unit 430 is specifically configured to combine the device identifier and the node identifier according to a preset combination order to obtain the second tunnel identifier.
In another optional implementation, the apparatus further includes (not shown in Fig. 4):
A recording unit, configured to record the first tunnel identifier, the second tunnel identifier and the IP address of the VPN device in a session-persistence entry before the replacement unit 440 replaces the first tunnel identifier in the control message with the second tunnel identifier;
The apparatus further includes (not shown in Fig. 4):
A service message processing unit, configured to receive a service message from the client after the forwarding unit 450 forwards the control message to the client, the service message carrying the second tunnel identifier; look up the session-persistence entry using the second tunnel identifier to obtain the corresponding first tunnel identifier and VPN device IP address; replace the second tunnel identifier in the service message with the first tunnel identifier; and send the service message to the VPN device that the IP address of the VPN device points to.
For the implementation of the functions and roles of each unit in the above apparatus, see the implementation of the corresponding steps in the above method; details are not repeated here.
Because the apparatus embodiment essentially corresponds to the method embodiment, refer to the description of the method embodiment for the relevant parts. The apparatus embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. A person of ordinary skill in the art can understand and implement it without creative effort.
The above are merely preferred embodiments of this application and are not intended to limit it. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of this application shall fall within the scope of protection of this application.