CN108011759B - VPN management method, device and system - Google Patents

Publication number: CN108011759B
Authority: CN (China)
Legal status: Active
Application number: CN201711267327.5A
Other languages: Chinese (zh)
Other versions: CN108011759A
Inventors: 黄庆新, 林镜华
Current assignee: Ruijie Networks Co Ltd
Original assignee: Ruijie Networks Co Ltd
Events: application filed by Ruijie Networks Co Ltd; priority to CN201711267327.5A; publication of CN108011759A; application granted; publication of CN108011759B.

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L12/00 Data switching networks
                    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                        • H04L12/46 Interconnection of networks
                            • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
                            • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/08 Configuration management of networks or network elements
                        • H04L41/0803 Configuration setting
                            • H04L41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
                        • H04L41/0896 Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities
                • H04L43/00 Arrangements for monitoring or testing data switching networks
                    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
                        • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
                            • H04L43/0888 Throughput

Abstract

The embodiment of the invention provides a VPN management method, device and system, which relate to the technical field of communication, can quickly construct a VPN, and can manage the VPN service more flexibly. The VPN management method is applied to a centralized management and control device included in a VPN management system; the VPN management system further comprises at least two CE devices, at least two PE devices and a P device, wherein the at least two PE devices are respectively connected with the P device to form a backbone network. The VPN management method comprises the following steps: the centralized control device receives a VPN construction request, determines, according to the VPN requirement in the VPN construction request, a target CE device for constructing a first VPN from the at least two CE devices, and sends a tunnel construction message to the target CE device, so that tunnel communication is established between the target CE devices and the first VPN is constructed.

Description

VPN management method, device and system
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a Virtual Private Network (VPN) management method, a device and a system.
Background
In the field of communication technology, a Multi Protocol Label Switching (MPLS) technology may be used to construct a VPN on a backbone network (i.e., a public network), thereby implementing cross-regional, secure, high-speed, and reliable service communication.
Fig. 1 is the networking schematic diagram of a currently commonly used MPLS L3VPN (where L3VPN refers to a layer 3 VPN, that is, a three-layer VPN). The Customer Edge (CE) device shown in fig. 1 is a device (which may be a host, a router, or the like) at the edge of a customer network (that is, the VPN); the network formed by the Provider Edge (PE) devices and the Provider (P) device is the backbone network (that is, the above-mentioned public network); each PE device and P device may be a router, both supporting MPLS; and a PE may be connected to at least one CE to construct at least one VPN.
Specifically, taking the VPN 1 shown in fig. 1 as an example, in the process of constructing the VPN 1 (which may also be understood as implementing or opening the VPN 1), a certain port of the PE device 1 is connected to the CE device 1 and a certain port of the PE device 2 is connected to the CE device 2; then the P device and the PE devices (including the PE device 1 and the PE device 2) in the backbone network need to be configured, and the CE devices (including the CE device 1 and the CE device 2) in the VPN 1 need to be configured. For example: MPLS capability configuration of the P device (including configuration of the Identifier (ID) of the Label Switching Router (LSR) and configuration of the Label Distribution Protocol (LDP)); MPLS capability configuration of the PE devices, configuration of VPN Routing and Forwarding tables (VRFs), routing configuration between the PE devices and the CE devices, routing configuration between the PE devices, and the like; and configuration of the routing protocol of the CE devices. In this way the VPN 1 of the user is connected to the backbone network, and communication between the user equipment at the two ends of the backbone network in the VPN 1 is realized by tunnel technology according to the configuration of each device.
However, in the above method, due to the complexity of the backbone network, each time a new VPN is constructed, multiple departments of the operator need to perform scheme verification, evaluation, debugging and the like, so the construction process of the VPN is relatively long; moreover, the service management of the VPN is handled by the equipment in the backbone network, so the flexibility of service management is relatively poor.
Disclosure of Invention
Embodiments of the present invention provide a VPN management method, apparatus, and system, which can quickly construct a VPN and can manage a VPN service more flexibly.
In order to achieve the purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, a VPN management method is provided, which is applied to a centralized management and control apparatus included in a VPN management system, where the VPN management system may further include at least two CE devices, at least two PE devices, and a P device; the at least two PE devices are respectively connected to the P device to form a backbone network, each of the at least two CE devices is connected to a corresponding one of the at least two PE devices, the bandwidth required by at least one VPN is configured on the at least two PE devices, and the at least two CE devices have public network IP addresses. The VPN management method may include: receiving a VPN construction request, where the VPN construction request includes a VPN requirement; determining, according to the VPN requirement, a target CE device for constructing a first VPN from the at least two CE devices; and sending a tunnel construction message to the target CE device according to the VPN requirement, so that tunnel communication is established between the target CE devices and the first VPN is constructed.
In a second aspect, a VPN management method is provided, which is applied to a target CE device, among at least two CE devices included in a VPN management system, that constructs a first VPN. The VPN management system may further include a centralized management and control apparatus, at least two PE devices, and a P device; the at least two PE devices are respectively connected to the P device to form a backbone network, each of the at least two CE devices is connected to a corresponding one of the at least two PE devices, the bandwidth required by at least one VPN is configured on the at least two PE devices, and the at least two CE devices have public network IP addresses. The VPN management method may include: a first CE device receives a tunnel construction message sent by the centralized management and control apparatus, where the first CE device is one of the target CE devices; and the first CE device establishes tunnel communication with the other target CE devices to construct the first VPN.
In a third aspect, a VPN management apparatus is provided, which is applied to a centralized management and control apparatus included in a VPN management system, where the VPN management system further includes at least two CE devices, at least two PE devices, and a P device; the at least two PE devices are respectively connected with the P device to form a backbone network, each of the at least two CE devices is connected with a corresponding one of the at least two PE devices, the at least two PE devices are configured with the bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses. The VPN management apparatus comprises a receiving module, a determining module and a sending module. The receiving module may be configured to receive a VPN construction request, where the VPN construction request includes a VPN requirement; the determining module may be configured to determine, according to the VPN requirement, a target CE device that constructs a first VPN from the at least two CE devices; and the sending module may be configured to send a tunnel construction message to the target CE device according to the VPN requirement, so that tunnel communication is established between the target CE devices and the first VPN is constructed.
In a fourth aspect, a VPN management apparatus is provided, which is applied to a target CE device that constructs a first VPN among at least two CE devices included in a VPN management system. The VPN management system further includes a centralized management and control apparatus, at least two PE devices, and a P device; the at least two PE devices are respectively connected to the P device to form a backbone network, each of the at least two CE devices is connected to a corresponding one of the at least two PE devices, the at least two PE devices are configured with the bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses. The VPN management apparatus may include a receiving module and a constructing module. The receiving module may be configured to receive a tunnel construction message sent by the centralized management and control apparatus; the constructing module may be configured to establish tunnel communication with the other target CE devices to construct the first VPN.
In a fifth aspect, a VPN management apparatus is provided, where the VPN management apparatus is applied to a centralized management and control apparatus included in a VPN management system, and the centralized management and control apparatus may include a processor and a memory coupled to the processor. The memory may be used to store computer instructions. When the centralized management and control device runs, the processor executes the computer instructions stored in the memory, so that the centralized management and control device executes the VPN management method according to the first aspect.
In a sixth aspect, a computer-readable storage medium is provided, which includes computer instructions, when the computer instructions are executed on a centralized management and control device, the centralized management and control device is caused to execute the VPN management method according to the first aspect.
In a seventh aspect, a computer program product is provided, which includes computer instructions, and when the computer program product runs on a centralized management and control device, the computer program product causes the centralized management and control device to execute the VPN management method according to the first aspect.
In an eighth aspect, a VPN management apparatus is provided, which is applied to a target CE device that constructs a first VPN among at least two CE devices included in a VPN management system, and the target CE device where the VPN management apparatus is located may include a processor and a memory coupled to the processor. The memory may be used to store computer instructions. When the target CE device where the VPN management apparatus is located is running, the processor executes the computer instructions stored in the memory, so that the target CE device executes the VPN management method according to the second aspect.
A ninth aspect provides a computer readable storage medium comprising computer instructions which, when run on a CE device, cause the CE device to perform the VPN management method of the second aspect described above.
A tenth aspect provides a computer program product comprising computer instructions which, when run on a CE device, causes the CE device to perform the VPN management method of the second aspect described above.
An eleventh aspect provides a VPN management system, which includes a centralized management and control apparatus, at least two CE devices, at least two PE devices, and a P device. The centralized management and control apparatus includes the VPN management apparatus described in the third aspect; the target CE device, among the at least two CE devices, that is used to construct a first VPN includes the VPN management apparatus described in the fourth aspect; the at least two PE devices are respectively connected with the P device to form a backbone network; each of the at least two CE devices is connected with one of the at least two PE devices; the at least two PE devices are configured with the bandwidth required by at least one VPN; and the at least two CE devices have public network IP addresses.
In the VPN management system, because the at least two PE devices in the backbone network are configured with the bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses for at least one VPN, when a first VPN is to be constructed and the centralized management and control apparatus receives a VPN construction request, it can determine the target CE device that constructs the first VPN from the at least two CE devices according to the VPN requirement in the VPN construction request, and send a tunnel construction message to the target CE device according to that requirement, so that tunnel communication is established between the target CE devices and the first VPN is constructed. Compared with the prior art, the long and complex construction process is no longer needed, so the VPN can be constructed quickly.
Furthermore, the centralized management and control apparatus may send policy information to at least one target CE device to adjust the policy of the VPN, and may receive the network traffic and the link anomaly notification messages sent by at least one target CE device in order to monitor the network traffic of the VPN and update the routing configuration information, so that the service of the VPN can be managed more flexibly.
Drawings
Fig. 1 is a first schematic diagram of a VPN management system architecture according to an embodiment of the present invention;
Fig. 2 is a hardware schematic diagram of a server carrying an SDN controller according to an embodiment of the present invention;
Fig. 3 is a hardware schematic diagram of a router according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a VPN management system architecture according to an embodiment of the present invention;
Fig. 5 is a first schematic diagram illustrating a VPN management method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram illustrating a VPN management method according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a VPN management apparatus according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of another VPN management apparatus according to an embodiment of the present invention.
Detailed Description
The following describes a VPN management method, apparatus, and system according to an embodiment of the present invention in detail with reference to the accompanying drawings.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as an example, illustration or description. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the words "exemplary" or "for example" is intended to present related concepts in a concrete fashion.
In the description of the embodiments of the present invention, the meaning of "a plurality" means two or more unless otherwise specified. For example, a plurality of processing units refers to two or more processing units; the plurality of systems refers to two or more systems.
Furthermore, the terms "comprising" and "having" and any variations thereof as referred to in the description of the invention are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some concepts involved in the embodiments of the present invention are explained.
Backbone network: a high-speed network used for connecting a plurality of areas or regions. Backbone networks are generally wide area networks, their coverage ranges from dozens of kilometers to thousands of kilometers, and different network providers have their own backbone networks for connecting the networks in different areas.
MPLS: a new-generation high-speed backbone network switching standard used for the fast switching and routing of data packets. MPLS uses labels for data forwarding. When a data packet enters the network, a short label of fixed length is allocated to it, that is, the Internet Protocol (IP) address of the data packet is mapped to a fixed-length label, and the label is encapsulated together with the data packet; during forwarding, the switching device can forward the data packet according to its label.
VPN: refers to a virtual private network established by devices in different areas over a common network (i.e., the backbone network). The connection between any two devices in different areas does not have the end-to-end physical link required by a traditional private network; instead it is a logical network constructed on the network platform provided by the public network service provider, and user data is transmitted over the logical link. Data transmission among the devices in different areas can be realized by tunnel technology, encryption and decryption technology, key management technology and the like.
Tunnel technology: a tunnel is understood to be a point-to-point connection channel, and the essence of tunnel technology is to use a tunneling protocol to carry one network layer protocol inside another network layer protocol, so as to implement secure communication between two nodes, i.e. to transmit data packets in a dedicated tunnel over a public network. For example, a node (node 1) at one end of the VPN re-encapsulates a data packet of one protocol into a data packet of another protocol using a tunneling protocol; the re-encapsulated data packet is transmitted to another node (node 2) of the VPN through the tunnel between the two nodes, and node 2 then de-encapsulates the received data packet using the same tunneling protocol, thereby completing transmission of the data packet.
Based on the problems existing in the background art, the VPN management method, apparatus and system provided in the embodiments of the present invention configure the bandwidth of at least one VPN (a VPN that may need to be constructed in a future period of time) on the PE device of the backbone network, and configure the public network IP address of the CE device of the at least one VPN, so that the centralized management and control apparatus can implement fast construction of the VPN, and can more flexibly manage the service of the VPN after the VPN construction is completed.
The VPN management system according to an embodiment of the present invention may include a centralized management and control apparatus, a CE device, a PE device, and a P device, and the VPN management system according to the present invention will be described in detail in the following embodiments, where structures of respective devices involved in the VPN management system are exemplarily described below.
In an embodiment of the present invention, the centralized management and control device of the VPN management system may be a physical management and control device or a virtual management and control device; with the rapid development of communication technology, in order to save hardware cost and resources, it is more and more common to virtualize a physical device into a software application.
The SDN controller is a software application that may be carried on a server to implement the functions of the SDN controller. Each component of the server carrying the SDN controller according to the embodiment of the present invention is described below with reference to fig. 2. As shown in fig. 2, the server may include: a processor 10, a memory 11, and a communication interface 12.
The processor 10: is a core component of the server, which is used to run an operating system of the server and applications (including system applications and third party applications, such as SDN controllers) on the server.
In this embodiment of the present invention, the Processor 10 may specifically be a Central Processing Unit (CPU), a general purpose Processor, a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a transistor logic device, a hardware component, or any combination thereof, which may implement or execute various exemplary logic blocks, modules, and circuits described in connection with the disclosure of the embodiment of the present invention; a processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, a DSP and a microprocessor, or the like.
The memory 11: may be used to store software programs and modules, and the processor 10 executes the various functional applications and data processing of the server by running the software programs and modules stored in the memory 11. The memory 11 may include one or more computer-readable storage media. In an embodiment of the present invention, the memory 11 may include the application program of the SDN controller; by running the application program of the SDN controller, other devices (e.g., core switches and computing nodes) in a service chain topology are controlled so that traffic from the core switching device is directed to each service node.
In this embodiment of the present invention, the Memory 11 may specifically include a Volatile Memory (Volatile Memory), such as a Random-Access Memory (RAM); the Memory may also include a Non-Volatile Memory (Non-Volatile Memory), such as a Read-Only Memory (ROM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, HDD) or a Solid-State Drive (SSD); the memory may also comprise a combination of memories of the kind described above.
The communication interface 12: an interface circuit used by the server to communicate with other devices. The communication interface may be a transceiver, a transceiving circuit or another structure with transceiving functions, and it includes serial and parallel communication interfaces.
Optionally, the communication interface 12 may further include a user interface, which may enable interaction between a server (a server carrying the SDN controller) and a user, for example, receiving an instruction of the user to construct a VPN, and the like.
In this embodiment of the present invention, the CE device in the VPN management system may be a host or a routing device, and an exemplary description is given to a hardware structure of the routing device by taking the routing device as a router. Fig. 3 is a hardware schematic diagram of a router provided in an embodiment of the present invention, and as shown in fig. 3, the router provided in the embodiment of the present invention includes: processor 20, memory 21, and interface 22. The following is an exemplary description of each constituent element of the router.
The processor 20: responsible for exchanging routing information, looking up routing tables and forwarding data packets, i.e., for processing the various tables and routing operations required by the router.
The memory 21: stores the configuration of the router, the operating system, routing protocol software, etc. The router may have various kinds of memory, such as ROM and RAM.
Interface 22: used by the router to send and receive data packets. The interfaces 22 of the router include a LAN interface and a WAN interface; in addition, since the router itself has no input or terminal display devices, the router interfaces also include a control port through which a user or administrator communicates with the router from a terminal to complete the router configuration.
The embodiment of the invention provides a VPN management system, which can comprise a centralized management and control device, at least two CE devices, at least two PE devices and a P device. The at least two PE devices are respectively connected with the P device to form a backbone network, one of the at least two CE devices is connected with one of the at least two PE devices, at least two PE devices are configured with bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses.
For example, consider constructing a VPN that implements communication over the backbone network among three regions (for example, Beijing, Shanghai, and Guangzhou), that is, a VPN that includes 3 CE devices, and assume that the VPN management system has 3 CE devices and 3 PE devices. Fig. 4 is a schematic diagram of the architecture of such a VPN management system according to an embodiment of the present invention. In fig. 4, the VPN management system includes: a centralized management and control apparatus 100, 3 CE devices (denoted CE device 101, CE device 102, and CE device 103), 3 PE devices (denoted PE device 104, PE device 105, and PE device 106), and a P device 107. The PE device 104, the PE device 105, and the PE device 106 are each connected to the P device 107 to form a backbone network; the CE device 101 is connected to the PE device 104, the CE device 102 to the PE device 105, and the CE device 103 to the PE device 106. The bandwidth required by the VPN constructed this time has been configured in advance on each PE device, and the public network IP addresses of the CE devices of the VPN (the CE device 101, the CE device 102, and the CE device 103) have been configured in advance; that is, the public network IP address of the CE device 101 connected to the PE device 104 is reserved on the PE device 104, the public network IP address of the CE device 102 connected to the PE device 105 is reserved on the PE device 105, and the public network IP address of the CE device 103 connected to the PE device 106 is reserved on the PE device 106.
It should be noted that, in the embodiments of the present invention, a plurality of VPNs may be constructed according to a requirement of a user, and in the following embodiments, construction of one VPN is taken as an example, and an exemplary description is given to a VPN management method, apparatus, and system provided in the embodiments of the present invention.
An embodiment of the present invention provides a method for managing a VPN, which may be applied to a VPN management system provided in the foregoing embodiment, and as shown in fig. 5 in combination with fig. 4, the method may include S101 to S105:
S101, the centralized management and control device receives a VPN construction request, wherein the VPN construction request comprises VPN requirements.
In the embodiment of the present invention, an operator may estimate, through evaluation such as market research, the VPN conditions (for example, the number of VPNs, bandwidth, and the like) that may need to be constructed in a certain area in a future period of time. Thus, while configuring the backbone network based on the MPLS technology, the operator performs the relevant resource configuration in the backbone network, including pre-configuring on each PE device the bandwidth required by at least one VPN (that is, at least one VPN that may need to be constructed in the future) and pre-configuring the public network IP addresses of the CE devices. When a user later requests the operator to construct a new VPN, the CE device in each area can be connected to a port of the corresponding PE device and its public network IP address set according to the pre-configured public network IP address, so that the path between the CE device and the PE device is reachable.
In this embodiment of the present invention, a user (e.g., a network administrator) may input an instruction to construct a VPN (i.e., a VPN construction request) to the centralized management and control apparatus through its user interface. The VPN construction request includes a VPN requirement, which may be the number of VPNs, the bandwidth, the identifier of a specified VPN, and so on, so that the centralized management and control apparatus can form a specified set of CE devices (i.e., the target CE devices) in the VPN management system into one VPN.
S102, the centralized management and control device determines, from the at least two CE devices, the target CE devices for constructing the first VPN according to the VPN requirement.
S103, the centralized management and control device sends a tunnel construction message to the target CE devices according to the VPN requirement.
The tunnel construction message includes a tunnel protocol, and the number of the target CE devices is greater than or equal to 2.
In the embodiment of the present invention, after receiving the VPN construction request, the centralized management and control apparatus may determine, according to the VPN requirement in the VPN construction request, the target CE devices for constructing the first VPN from the at least two CE devices in the VPN management system, and then establish a connection with each of the target CE devices so that it can communicate with each of them; the centralized management and control apparatus then sends a tunnel construction message to the target CE devices according to the VPN requirement, so that tunnel communication is established between the target CE devices, thereby completing construction of the first VPN.
Optionally, in this embodiment of the present invention, the tunneling protocol may include any one of the following protocols: the Generic Routing Encapsulation (GRE) protocol, IP in IP, IP Security (IPSec), the Virtual Extensible LAN (VxLAN) protocol, and the like; a suitable tunnel protocol may be selected according to actual use requirements.
Specifically, the GRE protocol may be used to encapsulate any network layer protocol (for example, the Internet Control Message Protocol (ICMP)) in any other network layer protocol (for example, the IP protocol); IP in IP may be used to encapsulate an IP packet in another IP packet, that is, the IP packet to be encapsulated is carried in an outer IP packet; IP Security (IPSec) may be used to encapsulate encrypted message content in an IP packet for transmission, so that data packets can be transmitted securely; and VxLAN may encapsulate a Layer 2 frame in a User Datagram Protocol (UDP) packet.
It should be noted that, in the embodiment of the present invention, the centralized management and control apparatus establishes a connection with the target CE device, and the action of sending the tunnel construction message to the target CE device is executed by the construction and maintenance module in the centralized management and control apparatus.
Optionally, the construction and maintenance module of the centralized control device may further maintain the connection established between the centralized control device and the target CE devices, set a keep-alive period, and monitor whether that connection is interrupted; the construction and maintenance module may also encrypt the messages or information transmitted between the centralized control device and the target CE devices, thereby improving transmission security.
S104, each of the target CE devices receives the tunnel construction message sent by the centralized control device.
S105, each of the target CE devices establishes tunnel communication with the other target CE devices to construct the first VPN.
In the embodiment of the present invention, each of the target CE devices receives the tunnel construction message sent by the centralized control apparatus, and each of the target CE devices establishes tunnel communication with the other target CE devices. Illustratively, taking one of the target CE devices (hereinafter referred to as the first CE device) as an example, the first CE device may establish tunnel communication with the other target CE devices based on the tunneling protocol in the tunnel construction message, so that the first CE device can communicate with the other target CE devices. In summary, the target CE devices receive the tunnel construction message sent by the centralized management and control apparatus, so that tunnel communication can be established between the target CE devices; thus the first VPN is successfully constructed, and the user devices (or terminals and other devices) in the first VPN can communicate in the VPN constructed based on the backbone network, thereby carrying service traffic.
For example, as shown in fig. 4, in the process of constructing a VPN including the CE device 101, the CE device 102, and the CE device 103, after each CE device is connected to the corresponding PE device, the centralized management and control apparatus 100 sends a tunnel construction message to the CE device 101, the CE device 102, and the CE device 103, respectively, so as to establish tunnel communication among the CE device 101, the CE device 102, and the CE device 103; that is, any two of the three CE devices can communicate with each other. It may also be understood that the sites of the VPN (each site of the VPN is the VPN internal network of a different region; for example, in fig. 4, the internal network of the region served by the CE device 101 is VPN_a, the internal network of the region served by the CE device 102 is VPN_b, and the internal network of the region served by the CE device 103 is VPN_c) can communicate with each other (that is, access each other, transfer data, and the like) within the constructed VPN, with the user devices in each region routed through their respective CE device.
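The following is an added, executable model of steps S101 to S105 (it is not code from the patent or from the assignee): a controller selects one free CE per requested region, checks and reserves the bandwidth pre-configured on the serving PEs, and issues one tunnel construction message per target CE, after which each CE builds a tunnel to every other target CE. Device names, regions, PE bandwidths and public IP addresses are constructed sample values.

```python
# Added example (not from the patent): a minimal executable model of S101-S105.
# The controller selects target CE devices according to the VPN requirement,
# reserves pre-configured PE bandwidth, and sends tunnel construction messages;
# each CE then builds a full mesh of tunnels to the other target CEs.
# All device names, regions and IP addresses are constructed sample values.
from dataclasses import dataclass

TUNNEL_PROTOCOLS = ("GRE", "IPinIP", "IPSec", "VxLAN")   # the protocols the page names


@dataclass(frozen=True)
class CEDevice:
    name: str
    region: str
    public_ip: str   # public network IP pre-configured for this CE (reserved on its PE)
    pe: str          # PE device the CE is attached to


@dataclass(frozen=True)
class VPNRequirement:
    vpn_id: str
    regions: tuple          # regions (sites) the VPN must span
    bandwidth_mbps: int     # bandwidth the VPN needs on each serving PE
    tunnel_protocol: str = "GRE"


@dataclass(frozen=True)
class TunnelConstructionMessage:
    vpn_id: str
    ce: str
    tunnel_protocol: str
    local_ip: str
    peers: tuple            # (peer CE name, peer public IP) for every other target CE


class CentralizedController:
    """Controller side of the procedure (S101-S103)."""

    def __init__(self, ces, pe_bandwidth_mbps):
        self.ces = {ce.name: ce for ce in ces}
        self.pe_bandwidth = dict(pe_bandwidth_mbps)  # bandwidth still free per PE
        self.vpns = {}                               # vpn_id -> target CE names
        self._assigned = set()                       # CEs already used by some VPN

    def select_target_ces(self, req):
        """S102: one free CE per required region, or fail the request."""
        targets = []
        for region in req.regions:
            free = [ce for ce in self.ces.values()
                    if ce.region == region and ce.name not in self._assigned]
            if not free:
                raise LookupError(f"no free CE device in region {region!r}")
            targets.append(free[0])
        if len(targets) < 2:
            raise ValueError("a VPN needs at least two target CE devices")
        return targets

    def handle_construction_request(self, req):
        """S101 + S103: validate the request and produce the tunnel messages."""
        if req.tunnel_protocol not in TUNNEL_PROTOCOLS:
            raise ValueError(f"unsupported tunnel protocol {req.tunnel_protocol!r}")
        targets = self.select_target_ces(req)
        # Every PE serving a target CE must still have the pre-configured bandwidth.
        for ce in targets:
            if self.pe_bandwidth.get(ce.pe, 0) < req.bandwidth_mbps:
                raise ValueError(f"PE {ce.pe} cannot provide {req.bandwidth_mbps} Mbps")
        for ce in targets:
            self.pe_bandwidth[ce.pe] -= req.bandwidth_mbps
            self._assigned.add(ce.name)
        self.vpns[req.vpn_id] = [ce.name for ce in targets]
        return [
            TunnelConstructionMessage(
                vpn_id=req.vpn_id, ce=ce.name, tunnel_protocol=req.tunnel_protocol,
                local_ip=ce.public_ip,
                peers=tuple((p.name, p.public_ip) for p in targets if p.name != ce.name))
            for ce in targets
        ]


class CEAgent:
    """CE side of the procedure (S104-S105)."""

    def __init__(self, name):
        self.name = name
        self.tunnels = {}   # peer CE name -> (protocol, local IP, remote IP)

    def handle_tunnel_message(self, msg):
        for peer_name, peer_ip in msg.peers:
            self.tunnels[peer_name] = (msg.tunnel_protocol, msg.local_ip, peer_ip)
        return len(self.tunnels)


def construct_vpn(controller, agents, req):
    """Run the whole exchange; return the tunnels each target CE ended up with."""
    for msg in controller.handle_construction_request(req):
        agents[msg.ce].handle_tunnel_message(msg)
    return {name: dict(agents[name].tunnels) for name in controller.vpns[req.vpn_id]}


def is_full_mesh(tunnels):
    """True when every target CE has a tunnel to every other target CE."""
    names = set(tunnels)
    return all(set(peers) == names - {ce} for ce, peers in tunnels.items())
```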
Optionally, with reference to fig. 5, as shown in fig. 6, after the foregoing S105, the VPN management method according to the embodiment of the present invention may further include S106 and S107:
S106, the centralized management and control device sends routing configuration information to the target CE devices.
The routing configuration information includes static routing information or a dynamic routing protocol, and the dynamic routing protocol is used for a target CE device of the first VPN to acquire the dynamic routing information.
In the embodiment of the present invention, after the first VPN is successfully constructed, in order to ensure that sites of the first VPN can access each other, the centralized management and control apparatus may send routing configuration information to all target CE devices, and configure routing information (i.e., a routing table) for each site of the first VPN, so that after a data packet of a user device in a corresponding site is received by a target CE device, the data packet may be forwarded according to the routing information, or after a data packet sent by a PE device is received by a target CE device, the data packet may be forwarded to a user device in a corresponding site according to the routing information, thereby implementing communication inside each site.
Optionally, in the embodiment of the present invention, the centralized control device configures the routing information of each site of the first VPN, and the routing information may be configured statically or dynamically. If the centralized control device configures the routing information for each site of the first VPN in a static manner, it configures the routing information according to the network segment information of the internal network of each site, which is submitted when the user applies for opening the first VPN, and sends the routing information to the CE device (i.e., the target CE device) corresponding to each site of the first VPN. If the centralized control device configures the routing information for each site of the first VPN in a dynamic manner, it sends a dynamic routing protocol to the target CE devices, and the target CE devices learn routing information from each other (i.e., exchange routing information with each other) and generate their respective routing information according to the routing algorithm of the dynamic routing protocol and the learned routing information.
In this embodiment of the present invention, the dynamic routing protocol may include, but is not limited to, the following routing protocols: an Open Shortest Path First (OSPF) Protocol, a Border Gateway Protocol (BGP), a Routing Information Protocol (RIP), an Intermediate System to Intermediate System (ISIS) Routing Protocol, and the like. Specifically, a suitable dynamic routing protocol may be selected according to actual usage requirements, and the embodiment of the present invention is not limited in particular.
S107, the target CE equipment receives the routing configuration information sent by the centralized control device.
It can be understood that each of the target CE devices receives the routing configuration information transmitted by the centralized control apparatus. Illustratively, taking one of the target CE devices (for example, the first CE device) as an example, the first CE device receives the routing configuration information sent by the centralized management and control apparatus, and the first CE device may determine the routing information according to the routing configuration information, so as to implement smooth routing or forwarding of data according to the routing information.
In the embodiment of the present invention, after the first VPN is constructed, the centralized management and control device may further manage the service of the first VPN; specifically, this management may include policy management, network traffic management, and routing information management.
In the embodiment of the present invention, the policy management on the first VPN by the centralized management and control device specifically includes: the centralized control device sends policy information to the at least one target CE device, wherein the policy information comprises at least one item of access policy information, bandwidth policy information and QoS policy information; the at least one target CE device receives policy information sent by the centralized management and control apparatus, where the policy information is used for the at least one target CE device to adjust the policy of the first VPN.
In the following, taking as an example the case in which the centralized management and control apparatus sends policy information to one target CE device (for example, the first CE device), the way in which the centralized management and control apparatus manages the service of the VPN is described.
Optionally, the centralized management and control apparatus sends access policy information to the first CE device, where the access policy information is used to indicate an access right of the first CE device, and after receiving the access policy information, the first CE device may access other CEs in the target CE device according to the access right indicated by the access policy information.
The centralized management and control device may set access policy information according to the characteristics of each site of the first VPN. For example, suppose VPN_a is the headquarters site of a certain enterprise and its CE device is CE_a, while VPN_b and VPN_c are branch sites of the enterprise with CE devices CE_b and CE_c respectively; the centralized management and control apparatus may then set: CE_a of the headquarters site has authority to access CE_b and CE_c of the branch sites, CE_b and CE_c of the branch sites have no authority to access CE_a of the headquarters site, and CE_b and CE_c of the branch sites can access each other.
The centralized control device can also set access policy information according to specific service types. For example, with VPN_a the headquarters site of a certain enterprise and VPN_b and VPN_c its branch sites, the centralized management and control device may set: CE_b of branch site VPN_b and CE_c of branch site VPN_c both have access to a certain file server (for example, a file server storing shared data), but neither has access to the enterprise resource planning system, customer relationship management system, and the like of the enterprise (these systems may store business secrets).
The centralized control device may further set access policy information according to a service type, and specifically may set an access right of each site of the first VPN according to at least one of the following: the destination IP address, destination IP network segment, source IP address, source IP network segment, destination port, source port and the like of the data message.
Optionally, in this embodiment of the present invention, the centralized management and control apparatus may provide access policy information to the target CE device in any one of the following forms: an Access Control List (ACL), an OpenFlow flow table, Policy-Based Routing (PBR), and the like.
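As an added example (not the patent's own code), the headquarters/branch and service-type access policies described above are generated by the controller as ordered ACL entries keyed by source segment, destination segment and destination port, and evaluated on each CE with first-match semantics and an implicit deny. Site segments, the file server address and ports are constructed sample values.

```python
# Added example (not from the patent): the controller turns the site-based and
# service-based access rules into per-CE ACLs, and each CE evaluates them with
# first-match semantics and an implicit deny. All segments, the file server
# address and the port numbers are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    src: str              # source IP segment
    dst: str              # destination IP segment
    dst_port: int = None  # None matches any destination port

    def matches(self, src_ip, dst_ip, dst_port):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == dst_port))


def generate_access_policy(sites, hq, shared_servers, protected_segments):
    """Build the ACL the controller pushes to the CE of each site.

    sites: {site name: {"ce": CE name, "segment": internal network segment}}
    hq: name of the headquarters site; every other site is a branch site.
    shared_servers: [(host segment at HQ, port)] that branches may reach.
    protected_segments: HQ segments (ERP, CRM, ...) that branches may not reach.
    """
    hq_seg = sites[hq]["segment"]
    branches = [s for s in sites if s != hq]
    policy = {sites[s]["ce"]: [] for s in sites}
    for b in branches:
        acl = policy[sites[b]["ce"]]
        seg = sites[b]["segment"]
        # Specific permits first (service type), then the protected systems,
        # then the site rule "branches may not access headquarters".
        for host, port in shared_servers:
            acl.append(AclEntry("permit", seg, host, port))
        for pseg in protected_segments:
            acl.append(AclEntry("deny", seg, pseg))
        acl.append(AclEntry("deny", seg, hq_seg))
        # Branch sites may access each other.
        for other in branches:
            if other != b:
                acl.append(AclEntry("permit", seg, sites[other]["segment"]))
    # Headquarters may access every branch site.
    hq_acl = policy[sites[hq]["ce"]]
    for b in branches:
        hq_acl.append(AclEntry("permit", hq_seg, sites[b]["segment"]))
    return policy


def evaluate(acl, src_ip, dst_ip, dst_port):
    """First matching entry decides; anything unmatched is denied."""
    for entry in acl:
        if entry.matches(src_ip, dst_ip, dst_port):
            return entry.action
    return "deny"


def render_acl(acl):
    """Human-readable form of the entries, in evaluation order."""
    return [f"{e.action} {e.src} -> {e.dst}"
            + (f" port {e.dst_port}" if e.dst_port is not None else "")
            for e in acl]
```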
Optionally, in the embodiment of the present invention, the performing, by the centralized management and control device, network traffic management on the first VPN specifically includes: at least one target CE device reports the network flow of the at least one target CE device to a centralized control device; the centralized control device receives network traffic reported by at least one target CE device to monitor the network traffic of the first VPN.
In this embodiment of the present invention, the centralized management and control device may manage the bandwidth of the first VPN, and the bandwidth management performed on the first VPN by the centralized management and control device may include static bandwidth management and flexible bandwidth management (which may be understood as dynamic bandwidth management). Specifically, the centralized management and control device may send bandwidth policy information to at least one target CE device to manage a bandwidth of the first VPN, and the centralized management and control device may configure a fixed bandwidth for the first VPN (that is, an available bandwidth of the first VPN in the backbone network is a fixed value); the centralized control device may further send bandwidth policy information to the at least one target CE device according to a service condition of the first VPN, and instruct the at least one target CE device to perform bandwidth adjustment. Illustratively, taking one of the target CE devices (e.g., the first CE device mentioned above) as an example, the bandwidth adjustment may include: the first CE device adjusts (increases or decreases) the available bandwidth of the upstream interface of the first CE device, or adjusts the available bandwidth of the designated data packet.
In the embodiment of the present invention, the centralized management and control apparatus may send QoS policy information to at least one target CE device to indicate the priorities of different clients or the priorities of services, so as to ensure the transmission quality of an important user or of an important service. Optionally, the centralized management and control apparatus may send the QoS policy already existing in the backbone network to the at least one target CE device. For example, taking the sending of QoS policy information to the first CE device as an example: the first CE device receives the QoS policy sent by the centralized management and control apparatus; after receiving a data packet sent by a user device in the site of the first VPN, it sets the QoS value in the TOS field of the IP header of the data packet and then sends the data packet to the corresponding PE device; after receiving the data packet, the PE device performs MPLS processing on it (maps the IP address to a fixed label), and the TOS field value of the data packet is also mapped to the EXP field of the MPLS packet.
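An added example (not from the patent) of the marking path just described: the CE writes the QoS value into the TOS byte of the IPv4 header and fixes up the header checksum, and the PE pushes an MPLS label stack entry whose EXP bits carry the packet's IP precedence. The label value, addresses and sample packet are constructed; the header layouts follow RFC 791 (IPv4) and RFC 3032 (MPLS label stack entry).

```python
# Added example (not from the patent): CE-side TOS marking and PE-side MPLS
# encapsulation with TOS precedence copied into the 3-bit EXP field.
# Addresses, label value and the sample packet are constructed.
import struct


def ipv4_checksum(header):
    """One's-complement sum over the header with the checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    if len(h) % 2:
        h += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, tos=0, ttl=64, proto=17, payload_len=0):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ce_set_tos(packet, tos):
    """CE side: rewrite the TOS byte and recompute the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytes([packet[0], tos]) + packet[2:ihl]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + packet[ihl:]


def tos_to_exp(tos):
    """IP precedence (top 3 bits of TOS) becomes the 3-bit EXP value."""
    return (tos >> 5) & 0x7


def mpls_shim(label, exp, bottom_of_stack, ttl):
    """20-bit label | 3-bit EXP | 1-bit S | 8-bit TTL, big-endian (RFC 3032)."""
    if not 0 <= label < (1 << 20) or not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom_of_stack) << 8) | ttl)


def parse_shim(shim):
    """Return (label, exp, bottom_of_stack, ttl) from a label stack entry."""
    v = struct.unpack("!I", shim[:4])[0]
    return v >> 12, (v >> 9) & 0x7, bool((v >> 8) & 1), v & 0xFF


def pe_encapsulate(packet, label):
    """PE side: push one label; EXP mirrors the packet's precedence, TTL is copied from IP."""
    tos, ttl = packet[1], packet[8]
    return mpls_shim(label, tos_to_exp(tos), True, ttl) + packet


def checksum_ok(packet):
    """True when the stored IPv4 header checksum matches the header contents."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == struct.unpack("!H", packet[10:12])[0]
```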
In the embodiment of the present invention, the centralized management and control apparatus may send the policy information to the at least one target CE device, so that the at least one target CE device adjusts the policy of the first VPN, thereby improving the communication quality. Compared with the prior art, complicated, long-cycle policy adjustment on the PE devices of the backbone network is not needed, and the VPN service can be managed more flexibly.
Optionally, in this embodiment of the present invention, the centralized management and control device may further monitor network traffic in the first VPN. For example, taking the first CE device as an example, the first CE device may report the network traffic of the first CE device to a centralized control apparatus, where the network traffic includes an uplink traffic and a downlink traffic of the first CE device, so that the centralized control apparatus receives the network traffic reported by the first CE device to monitor the network traffic of the first VPN.
All the CE devices of the first VPN (i.e., all the target CE devices) report the network traffic of their input ports and output ports to the centralized control apparatus, so that the centralized control apparatus can monitor the network traffic of the entire first VPN and handle abnormal conditions. Compared with the prior art, because the target CE devices report their network traffic to the centralized control apparatus, traffic visualization can be achieved, which solves the problem that the network traffic of a VPN cannot be monitored in the prior art.
Optionally, in this embodiment of the present invention, the centralized management and control device may further perform routing information management on the first VPN, specifically: the at least one target CE device may send a link anomaly notification message to the centralized management and control apparatus, so that the centralized management and control apparatus may update the routing configuration information according to the link anomaly notification message, and then send the updated routing configuration information to the at least one target CE device.
Illustratively, when a link between a certain CE device of the first VPN (e.g., the first CE device) and the other CE devices of the first VPN (i.e., the other target CE devices) is abnormal (e.g., an interruption or congestion occurs), the first CE device sends a link anomaly notification message to the centralized management and control apparatus; the centralized management and control apparatus receives the link anomaly notification message sent by the first CE device, updates the routing configuration information, and sends the updated routing configuration information (including the static routing information or the dynamic routing protocol mentioned in the above embodiment) to the first CE device, so that the first CE device communicates with the other CE devices in the first VPN according to the new routing information determined from the new routing configuration information (the new routing information indicates a new link). For example, in the VPN management system shown in fig. 4, the user devices in VPN_a, VPN_b, and VPN_c can communicate with each other; if the link between the CE device 101 of VPN_a and the CE device 102 of VPN_b fails, the CE device 101 sends a link anomaly notification message to the centralized management and control apparatus 100, the centralized management and control apparatus 100 then updates the routing configuration information of the CE device 101 and sends the updated routing configuration information to the CE device 101, and a new link is selected to transmit the data packets; for example, VPN_a may send data packets to VPN_b via the relay of VPN_c, so as to ensure normal communication between VPN_a and VPN_b.
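An added example (not the patent's own code) of the routing information management above, generalised slightly: the controller keeps the tunnel topology of the first VPN, derives static routes for each site by searching over tunnels that are up, and on a link anomaly notification marks that tunnel down and returns updated routing configuration for every target CE, so that VPN_a reaches VPN_b by relaying through VPN_c. CE names, site segments, the notification message layout and addresses are constructed.

```python
# Added example (not from the patent): controller-side routing information
# management. Tunnels form a full mesh; a link anomaly notification marks one
# tunnel down and the static routes of all target CEs are recomputed over the
# remaining tunnels. Names, segments, addresses and the message format are
# constructed sample values.
from collections import deque


class RoutingManager:
    def __init__(self, sites):
        """sites: {CE name: (site name, internal segment, CE public IP)}"""
        self.sites = dict(sites)
        # Full mesh of tunnels between target CEs, each initially up.
        self.link_up = {frozenset((a, b)): True
                        for a in self.sites for b in self.sites if a < b}

    def _neighbours(self, ce):
        return [o for o in self.sites if o != ce
                and self.link_up.get(frozenset((ce, o)), False)]

    def _next_hop(self, src, dst):
        """Breadth-first search over tunnels that are up; first hop or None."""
        parent = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                break
            for nb in self._neighbours(cur):
                if nb not in parent:
                    parent[nb] = cur
                    queue.append(nb)
        if dst not in parent:
            return None
        hop = dst
        while parent[hop] != src:
            hop = parent[hop]
        return hop

    def routing_configuration(self, ce):
        """Static routes for one CE: (destination segment, next-hop CE, next-hop IP)."""
        routes = []
        for dst, (_, segment, _) in self.sites.items():
            if dst == ce:
                continue
            hop = self._next_hop(ce, dst)
            if hop is not None:
                routes.append((segment, hop, self.sites[hop][2]))
        return routes

    def handle_link_anomaly(self, message):
        """Process {'type': 'link_anomaly', 'reporter': CE, 'peer': CE, 'reason': ...}
        and return the updated routing configuration for every target CE."""
        if message.get("type") != "link_anomaly":
            raise ValueError("not a link anomaly notification")
        link = frozenset((message["reporter"], message["peer"]))
        if link not in self.link_up:
            raise KeyError("unknown link")
        self.link_up[link] = False
        return {ce: self.routing_configuration(ce) for ce in self.sites}

    def restore_link(self, a, b):
        """Mark a tunnel up again (e.g. after the CE reports recovery)."""
        self.link_up[frozenset((a, b))] = True
```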
It should be noted that, in the embodiment of the present invention, the service of managing the VPN by the centralized management and control apparatus (including sending policy information to at least one target CE device, receiving network traffic reported by at least one target CE device, receiving a link exception notification message sent by at least one target CE device, updating routing configuration information, and the like described in the foregoing embodiment) is executed by the management and control module in the centralized management and control apparatus.
The VPN management method provided in the embodiment of the present invention may be applied to the VPN management system provided in the above embodiment, because at least two PE devices in a backbone network configure a bandwidth required by at least one VPN (a VPN that may need to be constructed in a future period of time), and at least two CE devices in the backbone network have a public network IP address of at least one VPN, when a first VPN is constructed, and when a centralized management and control apparatus in the VPN management system receives a VPN construction request, a target CE device that constructs the first VPN may be determined from the at least two CE devices according to the construction requirement in the VPN construction request, and a tunnel construction message may be sent to the target CE device according to the VPN requirement, so that tunnel communication may be established between the target CE devices according to the tunnel construction message, and the first VPN may be constructed. Compared with the prior art, in the process of constructing the VPN, a long-term and complex construction process in the prior art is not needed, so that the VPN can be constructed quickly.
Furthermore, the centralized management and control device can send policy information to at least one target CE device to adjust the policy of the VPN, and the centralized management and control device can receive network traffic and link anomaly notification messages sent by at least one target CE device to monitor the network traffic of the VPN and update the routing configuration information, so that the service of the VPN can be managed more flexibly.
The embodiment of the present invention further provides a VPN management apparatus, where the VPN management apparatus is applied to a centralized management and control apparatus included in a VPN management system, and the VPN management system further includes at least two CE devices, at least two PE devices, and a P device, where the at least two PE devices are respectively connected to the P device to form a backbone network, one of the at least two CE devices is connected to a corresponding one of the at least two PE devices, the at least two PE devices are configured with a bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses. Fig. 7 shows a schematic diagram of a possible structure of the VPN management apparatus according to the above embodiment, and as shown in fig. 7, the VPN management apparatus may include a receiving module 30, a determining module 31, and a sending module 32.
A receiving module 30, configured to receive a VPN construction request, where the VPN construction request includes a VPN requirement; a determining module 31, configured to determine, according to a VPN requirement, a target CE device that constructs a first VPN from at least two CE devices; a sending module 32, configured to send a tunnel construction message to the target CE device according to the VPN requirement, so as to establish tunnel communication between the target CE devices, and construct a first VPN.
Optionally, the sending module 32 is further configured to send routing configuration information to the target CE device, where the routing configuration information includes static routing information or a dynamic routing protocol, and the dynamic routing protocol is used for the target CE device to obtain the dynamic routing information.
Optionally, the sending module 32 is further configured to send policy information to at least one target CE device, where the policy information includes at least one of access policy information, bandwidth policy information, and QoS policy information.
Optionally, the receiving module 30 is configured to receive a network traffic reported by at least one target CE device, so as to monitor the network traffic of the first VPN, where the network traffic includes an uplink traffic and a downlink traffic of the at least one target CE device; the receiving module 30 is further configured to receive a link exception notification message sent by at least one target CE device.
Optionally, as shown in fig. 7, the VPN management apparatus according to the embodiment of the present invention further includes an update module 33. The updating module 33 is configured to update the routing configuration information according to the link exception notification message received by the receiving module 30.
The sending module 32 is further configured to send, to at least one target CE device, the routing configuration information updated by the updating module 33.
The VPN management apparatus shown in fig. 7 may be applied to a centralized management and control apparatus, where the centralized management and control apparatus may include a processor, a memory, and a computer program stored in the memory and capable of running on the centralized management and control apparatus, and when the computer program is executed by the centralized management and control apparatus, the actions of the centralized management and control apparatus in the VPN management method embodiment may be implemented, and the same technical effects may be achieved.
Embodiments of the present invention further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the actions of the centralized management and control device in the foregoing VPN management method embodiments may be implemented, and the same technical effects may be achieved. The computer readable storage medium is, for example, ROM, RAM, magnetic disk or optical disk.
The embodiment of the present invention further provides another VPN management apparatus, where the VPN management apparatus is applied to a target CE device that constructs a first VPN, the target CE device being one of at least two CE devices included in a VPN management system; the VPN management system further includes a centralized management and control apparatus, at least two PE devices, and a P device, where the at least two PE devices are respectively connected to the P device to form a backbone network, one CE device of the at least two CE devices is connected to a corresponding one of the at least two PE devices, the at least two PE devices are configured with a bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses. Fig. 8 shows a schematic diagram of another possible structure of the VPN management apparatus according to the above embodiment, and as shown in fig. 8, the VPN management apparatus may include a receiving module 40 and a constructing module 41.
The receiving module 40 is configured to receive a tunnel construction message sent by the centralized management and control apparatus; a building module 41, configured to establish tunnel communication with other CE devices in the target CE device to build the first VPN.
Optionally, the receiving module 40 is further configured to receive routing configuration information sent by the centralized management and control device, where the routing configuration information includes static routing information or a dynamic routing protocol, and the dynamic routing protocol is used for a target CE device where the VPN management device is located to obtain the dynamic routing information.
Optionally, the receiving module 40 is further configured to receive policy information sent by the centralized management and control apparatus, where the policy information is used for a target CE device where the VPN management apparatus is located to adjust a policy of the first VPN, and the policy information includes at least one of access policy information, bandwidth policy information, and QoS policy information.
Optionally, as shown in fig. 8, the VPN management apparatus according to the embodiment of the present invention further includes a sending module 42, where the sending module 42 is configured to report the network traffic of the target CE device where the VPN management apparatus is located to the centralized management and control apparatus; the sending module 42 is further configured to send a link abnormality notification message to the centralized control apparatus when a link between the target CE device where the VPN management apparatus is located and another CE device in the target CE device is abnormal.
The VPN management apparatus shown in fig. 8 may be applied to a target CE device (for example, the first CE device in the foregoing embodiment) where the VPN management apparatus is located, where the first CE device includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, and when the computer program is executed by the processor, the actions of the first CE device in the foregoing VPN management method embodiment may be implemented, and the same technical effects may be achieved, and details are not described here to avoid repetition.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the actions of the first CE device in the foregoing VPN management method embodiment may be implemented, and the same technical effects may be achieved, and in order to avoid repetition, details are not described here again. The computer readable storage medium is ROM, RAM, magnetic disk or optical disk.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description covers only specific embodiments of the present invention, but the scope of the present invention is not limited thereto; any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present invention, and all such changes or substitutions fall within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (15)

1. A virtual private network (VPN) management method, characterized in that the VPN management method is applied to a centralized control device included in a VPN management system, the VPN management system further includes at least two customer edge (CE) devices, at least two provider edge (PE) devices and a provider (P) device, the at least two PE devices are respectively connected with the P device to form a backbone network, each CE device of the at least two CE devices is connected with a corresponding PE device of the at least two PE devices, the at least two PE devices are configured with the bandwidth required by at least one VPN, and the at least two CE devices have public network Internet protocol (IP) addresses; the method comprises the following steps:
receiving a VPN construction request, wherein the VPN construction request comprises a VPN requirement;
determining, from the at least two CE devices and according to the VPN requirement, the target CE devices for constructing a first VPN;
and sending a tunnel construction message to each target CE device according to the VPN requirement, so as to establish tunnel communication between the target CE devices and construct the first VPN.
2. The method of claim 1, further comprising:
sending routing configuration information to each target CE device, wherein the routing configuration information comprises static routing information or a dynamic routing protocol, and the dynamic routing protocol is used by the target CE device to acquire dynamic routing information.
3. The method according to claim 1 or 2, characterized in that the method further comprises at least one of:
sending policy information to at least one target CE device, the policy information comprising at least one of access policy information, bandwidth policy information, and quality of service (QoS) policy information;
receiving network traffic reported by the at least one target CE device to monitor the network traffic of the first VPN, wherein the network traffic comprises uplink traffic and downlink traffic of the at least one target CE device;
and receiving a link abnormality notification message sent by the at least one target CE device, updating the routing configuration information according to the link abnormality notification message, and sending the updated routing configuration information to the at least one target CE device.
4. A virtual private network (VPN) management method, characterized in that the VPN management method is applied to each target CE device constructing a first VPN among at least two CE devices included in a VPN management system, the VPN management system further comprises a centralized control device, at least two provider edge (PE) devices and a provider (P) device, the at least two PE devices are respectively connected with the P device to form a backbone network, each CE device of the at least two CE devices is connected with a corresponding PE device of the at least two PE devices, the at least two PE devices are configured with the bandwidth required by at least one VPN, and the at least two CE devices have public network Internet protocol (IP) addresses; the method comprises the following steps:
a first CE device receives a tunnel construction message sent by the centralized control device, wherein the first CE device is any one of the target CE devices;
and the first CE device establishes tunnel communication with the other target CE devices to construct the first VPN.
5. The method of claim 4, further comprising:
receiving routing configuration information sent by the centralized control device, wherein the routing configuration information comprises static routing information or a dynamic routing protocol, and the dynamic routing protocol is used by the first CE device to acquire dynamic routing information.
6. The method according to claim 4 or 5, characterized in that the method further comprises at least one of the following:
receiving policy information sent by the centralized control device, wherein the policy information is used by the first CE device to adjust the policy of the first VPN, and the policy information comprises at least one of access policy information, bandwidth policy information, and quality of service (QoS) policy information;
reporting the network traffic of the first CE device to the centralized control device;
and when the link between the first CE device and another target CE device is abnormal, sending a link abnormality notification message to the centralized control device.
7. A VPN management device, characterized in that the VPN management device is applied to a centralized control device included in a VPN management system, wherein the VPN management system further comprises at least two CE devices, at least two PE devices and a P device, the at least two PE devices are respectively connected with the P device to form a backbone network, each CE device of the at least two CE devices is connected with a corresponding PE device of the at least two PE devices, the at least two PE devices are configured with the bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses; the VPN management device comprises:
a receiving module, configured to receive a VPN construction request, wherein the VPN construction request comprises a VPN requirement;
a determining module, configured to determine, according to the VPN requirement, a target CE device that constructs a first VPN from the at least two CE devices;
and the transmitting module is used for transmitting a tunnel construction message to each target CE device according to the VPN requirement so as to establish tunnel communication between the target CE devices and construct the first VPN.
8. The VPN management device according to claim 7, wherein the sending module is further configured to send routing configuration information to each target CE device, the routing configuration information comprises static routing information or a dynamic routing protocol, and the dynamic routing protocol is used by the target CE device to acquire dynamic routing information.
9. The VPN management device according to claim 7 or 8, characterized in that the VPN management device further comprises an updating module;
the sending module is further configured to send policy information to at least one target CE device, where the policy information includes at least one of access policy information, bandwidth policy information, and quality of service QoS policy information;
the receiving module is further configured to receive a network traffic reported by the at least one target CE device, so as to monitor the network traffic of the first VPN, where the network traffic includes an uplink traffic and a downlink traffic of the at least one target CE device;
the receiving module is further configured to receive a link exception notification message sent by the at least one target CE device;
the updating module is configured to update the routing configuration information according to the link abnormality notification message;
the sending module is further configured to send the updated routing configuration information to the at least one target CE device.
10. A VPN management device, characterized in that the VPN management device is applied to each target CE device constructing a first VPN among at least two CE devices included in a VPN management system, the VPN management system further comprises a centralized control device, at least two PE devices and a P device, the at least two PE devices are respectively connected with the P device to form a backbone network, each CE device of the at least two CE devices is connected with a corresponding PE device of the at least two PE devices, the at least two PE devices are configured with the bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses; the VPN management device comprises:
a receiving module, configured to receive a tunnel construction message sent by the centralized control device;
and an establishing module, configured to establish tunnel communication with the other target CE devices so as to construct the first VPN.
11. The VPN management device according to claim 10, wherein the receiving module is further configured to receive routing configuration information sent by the centralized control device, the routing configuration information comprises static routing information or a dynamic routing protocol, and the dynamic routing protocol is used by the target CE device on which the VPN management device is located to acquire dynamic routing information.
12. The VPN management device according to claim 10 or 11, characterized in that the VPN management device further comprises a sending module;
the receiving module is further configured to receive policy information sent by the centralized control device, wherein the policy information is used by the target CE device on which the VPN management device is located to adjust the policy of the first VPN, and the policy information comprises at least one of access policy information, bandwidth policy information, and quality of service (QoS) policy information;
the sending module is configured to report the network traffic of the target CE device on which the VPN management device is located to the centralized control device;
the sending module is further configured to send a link abnormality notification message to the centralized control device when the link between the target CE device on which the VPN management device is located and another target CE device is abnormal.
13. A VPN management system, comprising a centralized control device, at least two CE devices, at least two PE devices and a P device, wherein the centralized control device comprises the VPN management device according to any one of claims 7 to 9, each target CE device of the at least two CE devices that is used to construct a first VPN comprises the VPN management device according to any one of claims 10 to 12, the at least two PE devices are respectively connected to the P device to form a backbone network, each CE device of the at least two CE devices is connected to a corresponding PE device of the at least two PE devices, the at least two PE devices are configured with the bandwidth required by at least one VPN, and the at least two CE devices have public network IP addresses.
14. A computer-readable storage medium comprising computer instructions which, when run on a centralized control device, cause the centralized control device to perform the VPN management method according to any one of claims 1 to 3.
15. A computer readable storage medium comprising computer instructions which, when run on a CE device, cause the CE device to perform the VPN management method according to any one of claims 4 to 6.
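The exchange the claims describe, as an added example that is not code from the patent or its assignee: the centralized control device selects target CE devices from a constructed inventory according to a VPN requirement, emits one tunnel construction message per target (claim 1), pushes static routing information (claim 2), and recomputes routes when a target CE reports a link abnormality (claim 3). All device names, addresses, message fields and the bandwidth check are assumptions.

```python
"""Added example modelling the claimed controller/CE exchange; every name,
message field and sample value below is a constructed assumption."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CE:
    name: str
    public_ip: str     # public network IP address, as the claims require
    pe: str            # the PE device this CE attaches to
    pe_bandwidth: int  # Mbps the attached PE has configured for VPN use (assumed)


# Constructed inventory known to the centralized control device.
INVENTORY = [
    CE("ce-hq", "203.0.113.10", "pe-1", 100),
    CE("ce-branch1", "203.0.113.20", "pe-2", 50),
    CE("ce-branch2", "198.51.100.30", "pe-3", 20),
]


def select_target_ces(request: dict, inventory: List[CE]) -> List[CE]:
    """Claim 1, second step: choose the target CE devices from the VPN requirement.
    Here a requested site is eligible only if its PE has enough bandwidth configured."""
    wanted = set(request["sites"])
    need = request["bandwidth_mbps"]
    targets = [ce for ce in inventory if ce.name in wanted and ce.pe_bandwidth >= need]
    missing = wanted - {ce.name for ce in targets}
    if missing:
        raise ValueError(f"no eligible CE for sites {sorted(missing)}")
    return targets


def tunnel_messages(vpn_id: str, targets: List[CE]) -> Dict[str, dict]:
    """Claim 1, third step: one tunnel construction message per target CE, naming
    the other targets (by public IP) it must tunnel to, so they form a full mesh."""
    return {ce.name: {"vpn": vpn_id,
                      "peers": [{"name": p.name, "public_ip": p.public_ip}
                                for p in targets if p != ce]}
            for ce in targets}


def routing_config(targets: List[CE], prefixes: Dict[str, str]) -> Dict[str, List[dict]]:
    """Claim 2: static routing information, one route per remote site via its tunnel."""
    return {ce.name: [{"prefix": prefixes[p.name], "via_tunnel_to": p.name}
                      for p in targets if p != ce]
            for ce in targets}


def on_link_abnormality(routes: Dict[str, List[dict]], reporter: str, peer: str) -> Dict[str, List[dict]]:
    """Claim 3: a target CE reports its link to `peer` as abnormal. The controller drops
    the routes that used that tunnel at both ends and returns the updated configuration
    it would send back to the two affected CEs (other CEs keep their routes)."""
    updated = {ce: [r for r in routes[ce] if r["via_tunnel_to"] != far]
               for ce, far in ((reporter, peer), (peer, reporter))}
    routes.update(updated)
    return updated


if __name__ == "__main__":
    targets = select_target_ces({"sites": ["ce-hq", "ce-branch1"], "bandwidth_mbps": 50}, INVENTORY)
    print(tunnel_messages("vpn-1", targets))
```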
CN201711267327.5A 2017-12-05 2017-12-05 VPN management method, device and system Active CN108011759B (en)
Publications (2)

Publication Number Publication Date
CN108011759A CN108011759A (en) 2018-05-08
CN108011759B true CN108011759B (en) 2021-06-18
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant