CN106792821B - Access control method and device based on virtual gateway - Google Patents


Publication number
CN106792821B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611230953.2A
Other languages
Chinese (zh)
Other versions
CN106792821A (en)
Inventor
张少兵
封栋梁
杭跃斌
金波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Jiangsu Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Jiangsu Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Jiangsu Co Ltd
Priority to CN201611230953.2A
Publication of CN106792821A
Application granted
Publication of CN106792821B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/02 Arrangements for optimising operational condition
    • H04W28/00 Network traffic management; Network resource management
    • H04W28/02 Traffic management, e.g. flow control or congestion control
    • H04W28/08 Load balancing or load distribution
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/02 Access restriction performed under specific conditions
    • H04W48/06 Access restriction performed under specific conditions based on traffic conditions
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/16 Gateway arrangements
    • H04W16/00 Network planning, e.g. coverage or traffic planning tools; Network deployment, e.g. resource partitioning or cells structures
    • H04W16/14 Spectrum sharing arrangements between different networks

Abstract

There is provided an access control method based on a virtual gateway associated with a plurality of Physical Gateways (PGs) providing a plurality of access services through a Service Set Identification (SSID), the access control method including: the SSID of each PG is divided into a high-priority SSID and a low-priority SSID; monitoring the load of each PG and the load of each SSID under each PG; and dynamically adjusting the states of the high-priority SSID and the low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an open state, and the low-priority SSID is hidden or closed as required.

Description

Access control method and device based on virtual gateway
Technical Field
The present disclosure relates generally to virtual gateways, and more particularly, to a virtual gateway-based access control method and apparatus.
Background
The development of vCPE (virtual Customer Premises Equipment) is a typical case of virtualization in the terminal field. Its main idea is to move the layer-3 functions and service processing functions of the customer gateway deployed by an operator into the network, run them on general-purpose virtualization servers, and simplify the user's gateway into front-end equipment that mainly performs layer-2 functions.
Taking the home gateway as an example: when broadband service through a home router fails, the operator cannot inspect a router that the user purchased, so network control is poor and operation and maintenance costs are high. Because the performance and storage of the home gateway are limited, caching and content distribution services cannot be provided effectively for high-traffic video services such as Internet television. Meanwhile, for cost reasons the home gateway cannot effectively analyze the user's Internet access behavior (for example, analysis based on Deep Packet Inspection (DPI)), and so cannot support the development of various value-added services. Operators therefore introduce NFV (network function virtualization) technology into the existing network to virtualize the home gateway.
The logical architecture of the virtual gateway is shown in fig. 1 and comprises the vCPE, the PG (physical gateway) and the AN (access point). The PG is a terminal facility of the broadband network that is deployed in the user's home and directly provides broadband access service for home users. It provides PON (passive optical network), FE (fast Ethernet), WLAN (wireless local area network) and POTS (traditional telephone service) ports as required, and is characterized by diverse access, high specialization, low cost and a long life cycle. The vCPE is a facility of the broadband network on the operator side that is deployed at the edge of the operator network and, together with the PG, provides broadband access gateway service for home users. It is characterized by unified access, strong universality, higher cost and a long life cycle (capacity expansion, reconstruction). The AN is an intermediate facility between the PG and the vCPE that performs connection, relay and transmission, and is characterized by a unified interface standard and strong universality.
An L2 tunnel is established between the PG that the user terminal accesses and the vCPE to isolate users. Access requests from the user side are passed transparently to the vCPE through the L2 tunnel, and the vCPE acts as the access proxy for the terminal: the vCPE supports dial-up access authentication to the vBRAS (virtual broadband remote access server) as an IPoE (Internet protocol over Ethernet)/PPPoE (Point-to-Point protocol over Ethernet) client; the vCPE supports applying to the vBRAS for public network addresses as a DHCP (dynamic host configuration protocol) client; the vCPE supports allocating IP addresses to downstream terminals as a DHCP server; NAT (network address translation) for the user's network access is performed on the vCPE; the vCPE also supports FW (firewall) and QoS (quality of service) functions as a home gateway.
The vCPE can be defined as an open platform framework, the basic network capability of an operator can be flexibly expanded and customized on the basis of realizing the virtualization of the access network function of the home terminal, and high-quality value-added services are provided for home users.
Gateway function virtualization moves network management to the operator level, strengthens broadband network management, enables monitoring of the full traffic of broadband users, makes the pipe more intelligent and reduces operation and maintenance costs. Meanwhile, a vCPE open platform is built on the virtual home gateway, the value of the network is extended through edge computing, and network value-added functions such as content distribution, firewall, green internet surfing and intelligent gateway control are realized.
Based on vCPE and PG, the WLAN of the operator can cover key areas such as user residential buildings, campuses, office buildings and the like.
Under control of the vCPE, WLAN coverage of one or more SSIDs (service set identifications) may be implemented on multiple PGs (e.g., services providing both SSID1 and SSID2 on one PG). The SSID technology divides a WLAN into a plurality of sub-networks which need different authentication, each sub-network needs independent authentication, and only users who pass the authentication can enter the corresponding sub-network, so that unauthorized users are prevented from entering the network.
Disclosure of Invention
According to an aspect of the present invention, there is provided an access control method based on a virtual gateway, the virtual gateway being associated with a plurality of Physical Gateways (PGs) providing a plurality of access services through a Service Set Identifier (SSID), the access control method comprising: the SSID of each PG is divided into a high-priority SSID and a low-priority SSID; monitoring the load of each PG and the load of each SSID under each PG; and dynamically adjusting the states of the high-priority SSID and the low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an open state, and the low-priority SSID is hidden or closed as required.
According to another aspect of the present invention, there is provided an access control apparatus based on a virtual gateway associated with a plurality of Physical Gateways (PGs) providing a plurality of access services through a Service Set Identifier (SSID), the access control apparatus comprising: a dividing unit configured to divide the SSID of each PG into a high-priority SSID and a low-priority SSID; a monitoring unit configured to monitor a load of each PG and a load of each SSID under each PG; and the adjusting unit is configured to dynamically adjust the states of the high-priority SSID and the low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an open state, and the low-priority SSID is hidden or closed as required.
According to still another aspect of the present invention, there is provided an access control apparatus based on a virtual gateway associated with a plurality of Physical Gateways (PGs) providing a plurality of access services through a Service Set Identifier (SSID), the access control apparatus comprising: a memory; one or more processors coupled with the memory to: the SSID of each PG is divided into a high-priority SSID and a low-priority SSID; monitoring the load of each PG and the load of each SSID under each PG; and dynamically adjusting the states of the high-priority SSID and the low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an open state, and the low-priority SSID is hidden or closed as required.
According to the access control method and device based on the virtual gateway, the resource sharing of public SSIDs (such as CMCC-WEB, GUEST and the like) and local private SSIDs is realized on PGs based on vCPE, a dynamic multi-SSID priority and bandwidth calling mechanism is provided, WLAN services are provided for public users simultaneously under the condition that the local private WLAN coverage of the users is ensured according to needs, and WLAN SSID switching, limitation and the like of certain PGs can be dynamically controlled based on the load condition of each PG under various application scenes.
Drawings
Other features, objects and advantages of the invention will become apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings in which like or similar reference characters refer to the same or similar parts. In the drawings of the accompanying drawings, embodiments are illustrated by way of example and not by way of limitation.
Fig. 1 is a diagram schematically illustrating a logical architecture of a virtual gateway in the related art.
Fig. 2 is a flow diagram of a virtual gateway based access control method according to various embodiments of the present disclosure.
Fig. 3 is a block diagram of a virtual gateway based access control device, according to various embodiments of the present disclosure.
Fig. 4 is an exemplary scene diagram illustrating a scene to which various embodiments of the present disclosure are applicable.
FIG. 5 is a block diagram of an example computing device that may be used to implement various embodiments described herein.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
Conventional WLAN coverage is only used for coverage of the user's local WLAN network. Although internal and external users (e.g., SSID-LOCAL and SSID-GUEST) can be isolated by different SSIDs, there is currently no mechanism for priority scheduling and bandwidth sharing between the SSIDs of internal and external users.
In view of this, the present invention provides an access control method based on a virtual gateway, where the virtual gateway includes a vCPE and a plurality of PGs, and the PGs provide a plurality of access services through SSIDs, and the method includes the following steps as shown in fig. 2:
step S201, the SSID of each PG is divided into a high-priority SSID and a low-priority SSID;
step S202, monitoring the load of each PG and the load of each SSID under each PG; and
step S203, dynamically adjusting the states of the high-priority SSID and the low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an open state, and the low-priority SSID is hidden or closed as required.
In various embodiments of the present invention, one vCPE may have multiple PGs attached beneath it, each PG providing WLAN public access services. The number of PGs has a capacity limit, e.g., 3000. Each PG may provide services through one or more SSIDs. The services of some of these SSIDs must be guaranteed, such as local SSIDs; other SSIDs may provide services when resources are idle and need to be turned off or restricted when the resources of the SSIDs that must be guaranteed are in short supply, such as public SSIDs (CMCC-WEB, GUEST), etc.
In various embodiments of the present invention, the vCPE may divide the SSID of the PG into a high-priority SSID and a low-priority SSID, where the high-priority SSID may remain on all the time and provide corresponding bandwidth configuration guarantees. The low priority SSID may be hidden or turned off as needed. In some embodiments, the high priority SSID may be, for example, a LOCAL or private SSID, such as SSID-LOCAL, and the low priority SSID may be, for example, a public SSID, such as CMCC-WEB, SSID-GUEST, or the like.
The vCPE can monitor the total load of all PGs and the total load of the SSIDs by periodically reading the load of each PG and the load of each SSID under each PG. When the total load of all PGs or the load of a single PG exceeds a threshold, the vCPE can dynamically adjust the states of the high-priority SSID and the low-priority SSID of each PG to use resources efficiently. In particular, the dynamic adjustment may include one or more of the following exemplary modes.
Exemplary mode one
For a single vCPE, the traffic of the SSIDs that need not be guaranteed under each PG may be restricted uniformly at the vCPE.
In one embodiment, if the total load of the PGs under a vCPE is above a first threshold, the low-priority SSIDs of some or all of the PGs under that vCPE may be hidden in steps. The first threshold may, for example, be a percentage of the upper load limit of the vCPE, for example 70%. In practice, the threshold can be configured and adjusted according to actual conditions.
For example, in an office building scenario, low priority SSIDs of PGs at non-significant lobby locations may be hidden preferentially to block visitor access, while low priority SSIDs of PGs at locations such as high-floor conference rooms are not hidden for the moment, all of which are hidden when the load is further increased.
In another embodiment, if the total load of the PGs under the vCPE is higher than a second threshold, the low-priority SSIDs of all PGs under the vCPE may be turned off so that the high-priority SSIDs are guaranteed. Alternatively, the vCPE may turn off the low-priority SSIDs in steps. The second threshold is, for example, a percentage of the upper load limit of the vCPE, for example 80%. In practice, the threshold can be configured and adjusted according to actual conditions.
In this exemplary mode, when the traffic generated by the SSIDs that need not be guaranteed under some PGs is too large, the vCPE adjusts the states of all such SSIDs uniformly. Even though a user could reach an SSID that need not be guaranteed under another PG, the uniform adjustment by the vCPE leaves insufficient bandwidth and the user cannot get access.
Exemplary mode two
For a single PG, the vCPE may limit the traffic of the SSIDs under that PG that need not be guaranteed.
In one embodiment, if the load caused by the single PG or the PG to vCPE link is above a third threshold, the vCPE may hide the low priority SSID under the PG to limit traffic. The third threshold may be, for example, a percentage of the upper load limit of the PG, such as 60%. In practice, the threshold value can be configured and adjusted according to actual conditions.
In another embodiment, if the load caused by the single PG or PG to vCPE link is above a fourth threshold, the low priority SSID under the PG may be turned off, only guaranteeing traffic for the high priority SSID. The fourth threshold may be, for example, a percentage of an upper load limit of the PG, such as 00%. In practice, the threshold value can be configured and adjusted according to actual conditions.
In this exemplary mode, when the traffic generated by the SSIDs that need not be guaranteed under a single PG is too large, no new users are admitted through those SSIDs, and resources such as bandwidth are transferred to the SSIDs that must be guaranteed.
Exemplary mode three
If the total load of the PGs under the vCPE is not high but one or some PGs have high loads, the low-priority SSIDs of some PGs that originally provided services only through their high-priority SSIDs can be dynamically turned on, so that the PG with the high load can be fully served as the high-priority SSIDs, and new PGs can be received.
Specifically, for low-priority SSIDs, the vCPE may designate one or more PGs as standby PGs for another PG (hereinafter referred to as the always-on PG) according to some association relationship; together they form a PG group. Both the high-priority SSID and the low-priority SSID of the always-on PG are in the on state, so that it provides access through both at the same time. The high-priority SSID of a standby PG is in the on state, while its low-priority SSID is off by default and is turned on when the overall load of the vCPE is not high but the load of the always-on PG in the same group is too high. The association that groups an always-on PG with its standby PGs may be based on the geographical location of each PG: for example, a hall may have one always-on PG that provides WLAN access services through a high-priority SSID and a low-priority SSID at all times, and several standby PGs that turn on a low-priority SSID and provide WLAN access services only during busy hours. The low-priority SSIDs of the WLANs of the PGs in a group are the same and their WPA/WPA2 passwords are the same, so the user does not perceive whether a given PG in the group is on or off. The number of always-on PGs in a group is not limited to one.
The multiple PGs attached under the vCPE may belong to one or more groups, e.g., according to their geographical distribution, and the vCPE may store information for each PG group. The information includes, for example, which PGs each group contains, which PG or PGs in a group are always-on and which PG or PGs are standby. In some embodiments, the vCPE may set the one or more PGs in a group with better performance as always-on PGs and the remaining PGs as standby PGs. For multiple standby PGs, in some embodiments, a priority may be recorded according to performance to determine the order in which they are turned on or off in sequence.
Table 1 illustrates the composition of an exemplary group.
The vCPE can periodically read, through SNMP (simple network management protocol), the load of the SSIDs that are turned on under the PGs in each group.
An exemplary method of controlling SSID states in the present invention is described below, taking as an example a group with only one always-on PG and one standby PG.
On the premise that the overall load of the vCPE is good, when the load of a certain PG exceeds a higher threshold (e.g., 70% of the upper load limit of the PG), the low-priority SSID of that PG may be turned off or hidden, and at the same time the low-priority SSID of the standby PG in the group where the PG is located is turned on to share part of the traffic. When the sum of the load of the always-on PG and the load of the low-priority SSID of the standby PG in the group falls below a lower threshold (e.g., 30% of the upper load limit of the always-on PG), the low-priority SSID of the standby PG can be turned off, and the always-on PG resumes providing the low-priority SSID WLAN service, so as to save resources. The thresholds can be configured and optimized according to actual conditions.
For example, taking table 1 above as an example, in a conference room group, when the load of the always-on PG1 exceeds 70% of the upper load limit of PG1, the low-priority SSID of the standby PG2 in the same group as PG1 can be dynamically turned on to share the load of the low-priority SSID of PG1, and the low-priority SSID of PG1 is turned off. The low-priority SSID of PG2 may then be turned off when the sum of the total load of PG1 and the low-priority SSID load of PG2 is below 30% of the upper load limit of PG1.
Under special conditions, when an always-on PG fails, the first standby PG in the group turns on both its high-priority SSID and its low-priority SSID; that is, the original first standby PG in the group becomes the new always-on PG and replaces the failed always-on PG in providing the high-priority SSID service and the low-priority SSID service at the same time. The other standby PGs are turned on in sequence according to the original order and the load, so as to provide the low-priority SSID service.
The vCPE must ensure that a group has at least one always-on PG. When an always-on PG in a group goes offline and there are remaining PGs in the group, the vCPE must select one of the remaining PGs as the always-on PG and turn on its low-priority SSID to provide WLAN service.
For the case where there are multiple standby PGs in a group, the low-priority SSIDs of the standby PGs may similarly be turned on in sequence according to the following formula:

when (sum of the loads of the PGs already turned on) / (sum of the upper load limits of the PGs already turned on) > 70%, turn on the low-priority SSID of the next standby PG    (Formula 1)

Alternatively, the low-priority SSIDs of the standby PGs may be turned off in turn according to the following formula:

when (sum of the low-priority SSID loads of the PGs already turned on + sum of the high-priority SSID loads of the PGs in the group other than the last-turned-on standby PG) / (sum of the upper load limits of all PGs in the group other than the last-turned-on standby PG) < 30%, turn off the low-priority SSID of the last-turned-on standby PG    (Formula 2)

Exemplary SSID state control methods for the case where there is only one always-on PG and one or more standby PGs in a group are described above in detail. As described above, there may be multiple always-on PGs in a group. For the case of multiple always-on PGs, one skilled in the art can extend the method as needed.
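The sequential turn-on and turn-off rules of Formula 1 and Formula 2, together with the rule that a group always keeps one always-on PG, can be exercised as follows. This is an added example, not code from the patent: the `PG` class, the function names and the load readings are constructed for illustration, and Formula 2 is read here as counting only the PGs whose low-priority SSID stays on after the last standby PG is closed.

```python
from dataclasses import dataclass
from typing import List

VCPE_FIRST_THRESHOLD = 0.70  # above this, exemplary mode one applies instead
TURN_ON_RATIO = 0.70         # Formula 1 threshold
TURN_OFF_RATIO = 0.30        # Formula 2 threshold


@dataclass
class PG:
    name: str
    limit: float             # upper load limit of this PG
    high_load: float = 0.0   # measured load on the high-priority SSID
    low_load: float = 0.0    # measured load on the low-priority SSID
    low_on: bool = False     # state of the low-priority SSID
    online: bool = True

    @property
    def load(self) -> float:
        # The high-priority SSID is always on; low-priority counts only when on.
        return self.high_load + (self.low_load if self.low_on else 0.0)


def adjust_group(group: List[PG], vcpe_load: float, vcpe_limit: float) -> str:
    """One control pass over a group ordered [always-on, standby 1, standby 2, ...].

    Applies at most one state change per pass and returns a description of it.
    """
    online = [pg for pg in group if pg.online]
    if not online:
        return "group offline"
    # A group must keep one always-on PG: if the head failed, promote the next.
    if not online[0].low_on:
        online[0].low_on = True
        return f"promote {online[0].name}"
    # Mode three only applies while the vCPE as a whole is not heavily loaded.
    if vcpe_load / vcpe_limit >= VCPE_FIRST_THRESHOLD:
        return "defer to mode one"
    serving = [pg for pg in online if pg.low_on]
    idle = [pg for pg in online if not pg.low_on]
    # Formula 1: serving PGs above 70% of their combined limit -> open next standby.
    if idle and sum(p.load for p in serving) / sum(p.limit for p in serving) > TURN_ON_RATIO:
        idle[0].low_on = True
        return f"open {idle[0].name}"
    # Formula 2: would the remaining PGs stay under 30% if they absorbed all
    # low-priority load? If so, close the standby that was opened last.
    if len(serving) > 1:
        last, rest = serving[-1], serving[:-1]
        projected = sum(p.low_load for p in serving) + sum(p.high_load for p in rest)
        if projected / sum(p.limit for p in rest) < TURN_OFF_RATIO:
            last.low_on = False
            return f"close {last.name}"
    return "no change"


def demo() -> List[str]:
    """Constructed readings for a three-PG group under a lightly loaded vCPE."""
    pg1 = PG("PG1", 100, high_load=30, low_load=45, low_on=True)
    pg2 = PG("PG2", 100, high_load=10)
    pg3 = PG("PG3", 100, high_load=5)
    group, actions = [pg1, pg2, pg3], []
    actions.append(adjust_group(group, 300, 1000))   # PG1 at 75% of its limit
    pg1.low_load, pg2.low_load = 25, 20              # guests spread over PG1/PG2
    actions.append(adjust_group(group, 300, 1000))   # between the two thresholds
    pg1.high_load, pg1.low_load, pg2.low_load = 10, 8, 5
    actions.append(adjust_group(group, 300, 1000))   # quiet period
    pg1.online = False                               # always-on PG fails
    actions.append(adjust_group(group, 300, 1000))
    actions.append(adjust_group(group, 800, 1000))   # vCPE itself is busy
    return actions


if __name__ == "__main__":
    print(demo())
```

The gap between the 70% and 30% thresholds gives the controller hysteresis, so a group whose load hovers near one threshold does not open and close the standby SSID on every polling cycle.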
Compared with the existing access control method based on the virtual gateway, the access control method based on the virtual gateway realizes the resource sharing of the public SSID (such as CMCC-WEB, GUEST and the like) and the local private SSID in the PG based on the vCPE, provides a dynamic multi-SSID priority and bandwidth calling mechanism, and simultaneously provides WLAN service for the public user under the condition of ensuring the local private WLAN coverage of the user according to the requirement.
The access control method based on the virtual gateway according to the embodiment of the present invention is described in detail above with reference to fig. 2, and the access control device based on the virtual gateway according to the embodiment of the present invention is described below with reference to fig. 3.
As shown in fig. 3, the virtual gateway-based access control apparatus 300 according to an embodiment of the present invention may include: a dividing unit 301 configured to divide the SSID of each PG into a high-priority SSID and a low-priority SSID; a monitoring unit 302 configured to monitor a load of each PG and a load of each SSID under each PG; and an adjusting unit 303 configured to dynamically adjust the states of the high-priority SSID and the low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an on state, and the low-priority SSID is hidden or turned off as needed.
According to the access control device based on the virtual gateway, disclosed by the embodiment of the invention, the refined control to the SSID can be realized on each PG hung under the virtual gateway according to the whole load of the virtual gateway, the use of the high-priority SSID can be ensured integrally under a specific scene, and the use of the low-priority SSID can also be ensured flexibly.
FIG. 4 illustrates an example of a scenario in which embodiments of the present invention may be applied.
In an office building, a plurality of PGs are distributed at various locations in the building and are connected to a vCPE, each PG providing services of at least two SSIDs, including SSID-Host, SSID-Guest, and CMCC-WEB. SSID-Host is used by office building workers, and the identity of the workers needs to be verified; SSID-Guest is used by visitors, and authentication is not usually set; CMCC-WEB provides public WLAN services.
As shown in fig. 4, two PGs, PG1 and PG2, are arranged in an office building. PG1 provides WLAN access service through SSID-Host1, SSID-Guest and CMCC-WEB, and PG2 provides WLAN access service through SSID-Host2, SSID-Guest and CMCC-WEB. In the group formed by PG1 and PG2, PG1 is the always-on PG and PG2 is the standby PG.
The vCPE monitors the total load of all PGs in real time and, on the premise that the total load is not over its limit, correspondingly hides or closes the low-priority SSIDs (such as SSID-GUEST and CMCC-WEB) under PG1 when the load of PG1 is higher than 50% or 70%. While they are being closed, the low-priority SSIDs of the standby PG in PG1's group, namely PG2, can further be turned on so as to provide more SSID-GUEST and CMCC-WEB services.
At least a portion of the virtual gateway based access control methods and apparatus described in connection with fig. 2-3 may be implemented by a computing device. Fig. 5 is a block diagram illustrating an exemplary hardware architecture of a computing device 500 capable of implementing a virtual gateway based access control method and apparatus in accordance with embodiments of the present invention. As shown in fig. 5, computing device 500 includes an input device 501, an input interface 502, a central processor 503, a memory 504, an output interface 505, and an output device 506. The input interface 502, the central processor 503, the memory 504, and the output interface 505 are connected to each other through a bus 510, and the input device 501 and the output device 506 are connected to the bus 510 through the input interface 502 and the output interface 505, respectively, and further connected to other components of the computing device 500. Specifically, the input device 501 receives input information from the outside and transmits the input information to the central processor 503 through the input interface 502; the central processor 503 processes input information based on computer-executable instructions stored in the memory 504 to generate output information, temporarily or permanently stores the output information in the memory 504, and then transmits the output information to the output device 506 through the output interface 505; output device 506 outputs the output information outside of computing device 500 for use by a user.
That is, the apparatus shown in fig. 4 may also be implemented to include: a memory storing computer-executable instructions; and one or more processors which, when executing computer executable instructions, may implement the virtual gateway-based access control methods and apparatus described in conjunction with fig. 2-3.
It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.
The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. For example, the algorithms described in the specific embodiments may be modified without departing from the basic spirit of the invention. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

Claims (19)

1. A virtual gateway based access control method, the virtual gateway being associated with a plurality of physical gateways PG, the plurality of PGs providing a plurality of access services over a service set identification, SSID, the access control method comprising:
dividing the SSID of each PG into a high-priority SSID and a low-priority SSID;
monitoring the load of each PG and the load of each SSID under each PG; and
dynamically adjusting the states of a high-priority SSID and a low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an open state, and the low-priority SSID is hidden or closed as required;
the dynamic adjustment includes: when the total load is lower than a first threshold and the load of a first PG is higher than a third threshold, turning on a low-priority SSID of a second PG associated with the first PG to share the load of the low-priority SSID of the first PG;
the high priority SSID comprises: a local or private SSID, the low priority SSID comprising: a common SSID.
2. The access control method of claim 1, wherein the dynamically adjusting comprises:
hiding or turning off a low priority SSID of part or all PGs when the total load is above a first threshold.
3. The access control method according to claim 2, wherein said hiding or turning off comprises hiding or turning off the low priority SSID of part or all of the PGs in steps when the total load is above a first threshold.
4. The access control method of claim 1, wherein the dynamically adjusting comprises:
hiding or turning off a low priority SSID of a first PG when a load of the first PG is above a second threshold.
5. The access control method of claim 1, wherein the dynamically adjusting further comprises: sequentially turning on one or more PGs associated with the first PG and the second PG as follows:
in the group consisting of the first PG, the second PG, and the other one or more PGs, turning on a low-priority SSID of a next PG of the other one or more PGs when a sum of loads of all already turned on SSIDs is higher than a first percentage of a sum of upper load limits of all already turned on SSIDs.
6. The access control method of claim 5, wherein the dynamically adjusting further comprises:
hiding or turning off the low-priority SSID of the PG that turns on the last low-priority SSID when the sum of the loads of the already-turned on low-priority SSIDs in the group plus the sum of the loads of the high-priority SSIDs of the PGs other than the PG that turns on the last low-priority SSID in the group is less than a second percentage of the upper limit of the sum of the loads of the PGs other than the PG that turns on the last low-priority SSID in the group.
7. The access control method according to any of claims 1, 2 or 3, wherein the first, second and third thresholds comprise a percentage of the total upper load limit, a first percentage of the upper load limit of the first PG and a second percentage of the upper load limit of the first PG, respectively.
8. The access control method according to any one of claims 1 or 5, wherein the association is based on a geographical location.
9. The access control method of claim 5, wherein the order in which the one or more PGs are turned on in sequence is based on the performance of the one or more PGs being good or bad.
10. An access control apparatus based on a virtual gateway, the virtual gateway being associated with a plurality of physical gateways PG, the plurality of PGs providing a plurality of access services through a service set identification, SSID, the access control apparatus comprising:
a dividing unit, configured to divide the SSID of each PG into a high-priority SSID and a low-priority SSID;
a monitoring unit, configured to monitor the load of each PG and the load of each SSID under each PG; and
an adjusting unit, configured to dynamically adjust the states of a high-priority SSID and a low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an open state, and the low-priority SSID is hidden or closed as required;
the adjusting unit further includes: a fourth adjusting subunit, configured to, when the total load is lower than the first threshold and the load of the first PG is higher than the third threshold, turn on a low-priority SSID of a second PG associated with the first PG to share the load of the low-priority SSID of the first PG;
the high priority SSID comprises: a local or private SSID, the low priority SSID comprising: a common SSID.
11. The access control device of claim 10, wherein the adjustment unit comprises:
a first adjusting subunit for hiding or turning off a low priority SSID of part or all of the PGs when the total load is above a first threshold.
12. The access control device according to claim 11, wherein the first adjusting subunit comprises a second adjusting subunit for hiding or turning off the low priority SSID of part or all of the PGs in steps when the total load is above a first threshold.
13. The access control device of claim 10, wherein the adjustment unit comprises:
a third adjusting subunit, configured to hide or turn off a low-priority SSID of the first PG when a load of the first PG is higher than a second threshold.
14. The access control device of claim 10, wherein the fourth adjustment subunit comprises: a fifth adjustment subunit to sequentially turn on one or more PGs associated with the first PG and the second PG as follows:
in the group consisting of the first PG, the second PG, and the other one or more PGs, turning on a low-priority SSID of a next PG of the other one or more PGs when a sum of loads of all already turned on SSIDs is higher than a first percentage of a sum of upper load limits of all already turned on SSIDs.
15. The access control device of claim 14, wherein the fourth adjustment subunit further comprises:
a sixth adjustment subunit configured to hide or turn off the low-priority SSID of the PG that turns on the last low-priority SSID when a sum of loads of the already-turned on low-priority SSIDs in the group plus a sum of loads of high-priority SSIDs of PGs other than the PG that turns on the last low-priority SSID in the group is less than a second percentage of an upper limit of a sum of loads of PGs other than the PG that turns on the last low-priority SSID in the group.
16. The access control device of any of claims 10, 11, or 12, wherein the first, second, and third thresholds comprise a percentage of the total upper load limit, a first percentage of the upper load limit of the first PG, and a second percentage of the upper load limit of the first PG, respectively.
17. The access control device according to any one of claims 10 or 14, wherein the association is based on a geographical location.
18. The access control device of claim 14, wherein the order in which the one or more PGs are turned on in sequence is based on the performance of the one or more PGs being good or bad.
19. An access control apparatus based on a virtual gateway associated with a plurality of Physical Gateways (PGs) providing a plurality of access services through a Service Set Identification (SSID), the access control apparatus comprising:
a memory;
one or more processors coupled with the memory to:
dividing the SSID of each PG into a high-priority SSID and a low-priority SSID;
monitoring the load of each PG and the load of each SSID under each PG; and
dynamically adjusting the states of a high-priority SSID and a low-priority SSID under each PG according to the total load of all PGs and the load of each SSID under each PG, wherein the high-priority SSID is always kept in an open state, and the low-priority SSID is hidden or closed as required;
the dynamic adjustment includes: when the total load is lower than a first threshold and the load of a first PG is higher than a third threshold, turning on a low-priority SSID of a second PG associated with the first PG to share the load of the low-priority SSID of the first PG;
the high priority SSID comprises: a local or private SSID, the low priority SSID comprising: a common SSID.
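The adjustment rules of claims 1, 2, 4 and 7 can be read as one decision function; the following is an added example, not code from the patent. The threshold values, the choice of third threshold below second threshold, the rule precedence (total-load check first), hiding all PGs under claim 2, and the names `PG` and `adjust` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed thresholds (assumptions): claim 7 only says they are percentages
# of the total upper load limit and of a single PG's upper load limit.
T1_TOTAL = 0.80   # first threshold, share of the summed upper load limit
T2_PG = 0.90      # second threshold, share of one PG's upper load limit
T3_PG = 0.70      # third threshold, share of one PG's upper load limit

@dataclass
class PG:
    name: str
    limit: int          # upper load limit, e.g. number of clients
    high_load: int      # load on the high-priority (local/private) SSID
    low_load: int       # load on the low-priority (common) SSID
    low_open: bool = True
    neighbours: list = field(default_factory=list)  # names of associated PGs

    @property
    def load(self):
        return self.high_load + self.low_load

def adjust(pgs):
    """Return {pg: {"high": "open", "low": "open" | "hidden"}} per claims 1, 2, 4."""
    by_name = {p.name: p for p in pgs}
    total = sum(p.load for p in pgs)
    total_limit = sum(p.limit for p in pgs)
    low = {p.name: p.low_open for p in pgs}
    if total > T1_TOTAL * total_limit:
        # Claim 2: overall overload, hide low-priority SSIDs (here: on all PGs).
        low = dict.fromkeys(low, False)
    else:
        for p in pgs:
            if p.load > T2_PG * p.limit:
                low[p.name] = False          # claim 4: this PG sheds common access
            elif p.load > T3_PG * p.limit:
                # Claim 1: open an associated PG's low-priority SSID to share load.
                for n in p.neighbours:
                    q = by_name[n]
                    if q.load <= T3_PG * q.limit:
                        low[n] = True
                        break
    # The high-priority SSID is never hidden, whatever the load (claim 1).
    return {n: {"high": "open", "low": "open" if o else "hidden"}
            for n, o in low.items()}

if __name__ == "__main__":
    demo = [PG("A", 100, 30, 50, True, ["B"]),   # constructed sample loads
            PG("B", 100, 10, 0, False),
            PG("C", 100, 40, 55, True, ["B"])]
    print(adjust(demo))
```

Because the third threshold sits below the second in this sketch, a PG opened as a helper can never be the same PG that claim 4 is hiding in the same pass.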
CN201611230953.2A 2016-12-27 2016-12-27 Access control method and device based on virtual gateway Active CN106792821B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611230953.2A CN106792821B (en) 2016-12-27 2016-12-27 Access control method and device based on virtual gateway

Publications (2)

Publication Number Publication Date
CN106792821A (en) 2017-05-31
CN106792821B (en) 2020-02-21

Family

ID=58922347

Country Status (1)

Country Link
CN (1) CN106792821B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109428881B (en) * 2017-09-05 2021-10-26 中国移动通信有限公司研究院 Network security protection method, network element equipment, system and computer storage medium
CN109462652B (en) * 2018-11-21 2021-06-01 杭州电子科技大学 Terminal gateway load distribution method based on Hash algorithm in intelligent home system
CN111277481B (en) * 2020-01-09 2021-09-24 奇安信科技集团股份有限公司 Method, device, equipment and storage medium for establishing VPN tunnel

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103686851A (en) * 2012-08-30 2014-03-26 中兴通讯股份有限公司 Method, device and system for shunting to hotspot 2.0 access network
CN103747486A (en) * 2013-12-30 2014-04-23 上海华为技术有限公司 Method and device for shunting services among different networks
CN104995960A (en) * 2012-10-12 2015-10-21 诺基亚通信公司 Method and apparatus for access network selection
CN107113306A (en) * 2014-12-31 2017-08-29 班德韦斯克公司 System and method for controlling the access to wireless service

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant