CN109587028A - A method and apparatus for controlling client traffic - Google Patents


Publication number: CN109587028A
Authority: CN (China)
Prior art keywords: address, client, vpn, server, network
Legal status (an assumption, not a legal conclusion): Granted
Application number: CN201811444737.7A
Other languages: Chinese (zh)
Other versions: CN109587028B (en)
Inventors: 陈功磊, 赵春伟, 李涛
Current Assignee (the listed assignees may be inaccurate): Kylin Seing Network Technology Ltd By Share Ltd
Original Assignee: Kylin Seing Network Technology Ltd By Share Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Abstract

The embodiments of the present application provide a method and apparatus for controlling client traffic, comprising: establishing a virtual private network (vpn) connection between a client and a server; issuing a virtual private network Internet protocol (vpn ip) address to the client; obtaining a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address; and establishing a virtual switch and, based on the vpn ip address in the data packet, performing flow control on the data packet according to a preset flow control policy. The method and apparatus provided by the embodiments of the present application can control the traffic of each client in a simple, easy-to-implement and low-cost way, without large-scale changes to the network architecture, thereby saving traffic resources and server resources.

Description

A method and apparatus for controlling client traffic
Technical field
This application relates to the computer field, and in particular to a method and apparatus for controlling client traffic.
Background
In the traditional scheme that uses the open source virtual private network (Openvpn) to meet mobile office needs, the openvpn client usually sends a request over the public network to the openvpn server and then receives the server's service response, after which the client can access the organization's internal resources like a LAN user.
On this basis, the inventors found that although this approach meets the most basic connectivity requirement, it cannot effectively control the traffic of each client. When there are many clients, failing to control each client's traffic reasonably and effectively wastes traffic resources and server resources.
Summary of the invention
The purpose of the embodiments of the present application is to provide a method and apparatus for controlling client traffic that can effectively control the traffic of each client.
To solve the above technical problem, the embodiments of the present application are implemented through the following aspects.
In a first aspect, an embodiment of the present application provides a method for controlling client traffic, comprising:
establishing a virtual private network (vpn) connection between a client and a server;
issuing a virtual private network Internet protocol (vpn ip) address to the client;
obtaining a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address;
establishing a virtual switch and, based on the vpn ip address in the data packet, performing flow control on the data packet according to a preset flow control policy.
In a second aspect, an embodiment of the present application provides an apparatus for controlling client traffic, comprising:
a connection module, configured to establish a virtual private network (vpn) connection between a client and a server;
a sending module, configured to issue a virtual private network Internet protocol (vpn ip) address to the client;
an obtaining module, configured to obtain a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address;
a control module, configured to establish a virtual switch and, based on the vpn ip address in the data packet, perform flow control on the data packet according to a preset flow control policy.
In a third aspect, an embodiment of the present application provides an electronic device, comprising: a memory, a processor, and computer-executable instructions stored in the memory and runnable on the processor, where the computer-executable instructions, when executed by the processor, implement the steps of the method for controlling client traffic described in the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium for storing computer-executable instructions, where the computer-executable instructions, when executed by a processor, implement the steps of the method for controlling client traffic described in the first aspect.
In the embodiments of the present application, a virtual private network (vpn) connection is established between the client and the server, a vpn ip address is issued to the client, the data packet transmitted over the vpn connection and carrying the vpn ip address is obtained, a virtual switch is established, and flow control is performed on the data packet according to a preset flow control policy based on the vpn ip address in the data packet. In this way, the traffic of each client can be controlled in a simple, easy-to-implement and low-cost way, without large-scale changes to the network architecture, saving traffic resources and server resources.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments recorded in the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the first flow diagram of a method for controlling client traffic provided by an embodiment of the present application;
Fig. 2 is the second flow diagram of a method for controlling client traffic provided by an embodiment of the present application;
Fig. 3 is the third flow diagram of a method for controlling client traffic provided by an embodiment of the present application;
Fig. 4 is the fourth flow diagram of a method for controlling client traffic provided by an embodiment of the present application;
Fig. 5 is the first module diagram of an apparatus for controlling client traffic provided by an embodiment of the present application;
Fig. 6 is the second module diagram of an apparatus for controlling client traffic provided by an embodiment of the present application;
Fig. 7 is a hardware structure diagram of an electronic device that executes the method for controlling client traffic provided by an embodiment of the present application.
Detailed description of the embodiments
To help those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the present application without creative effort fall within the scope of protection of the present application.
Fig. 1 shows the first flow diagram of a method for controlling client traffic provided by an embodiment of the present application. The method can be executed by an electronic device, such as a terminal device or a server device. In other words, the method can be executed by software or hardware installed on a terminal device or a server device. The server includes, but is not limited to, a single server, a server cluster, a cloud server, or a cloud server cluster. As shown in the figure, the method may include the following steps.
S10: Establish a virtual private network (vpn) connection between the client and the server.
A vpn connection is a remote access technology that establishes a private network over a public network and encrypts the communication. Enterprise networking is a typical vpn scenario: for example, a company employee can establish a vpn connection between a personal computer client and the company server in order to access the company server's internal resources from home.
S20: Issue a virtual private network Internet protocol (vpn ip) address to the client.
In response to the establishment of the vpn connection, the server issues a vpn ip address to the client.
S30: Obtain the data packet transmitted over the vpn connection; the data packet carries the vpn ip address.
The embodiment of the present application covers two cases: the client sends a data packet to the server, and the server sends a data packet to the client. In other words, obtaining the data packet transmitted over the vpn connection may mean that the server receives a data packet the client sent over the vpn connection, or that a data packet the server sends to the client over the vpn connection is intercepted.
S40: Establish a virtual switch and, based on the vpn ip address in the data packet, perform flow control on the data packet according to a preset flow control policy.
A virtual switch is established; based on the vpn ip address in the data packet, the client corresponding to that vpn ip address is determined, and flow control is performed on the data packet through the virtual switch according to the flow control policy preset for that client.
Thus, the method for controlling client traffic provided by the embodiment of the present application can control the traffic of each client in a simple, easy-to-implement and low-cost way, without large-scale changes to the network architecture, saving traffic resources and server resources.
Fig. 2 shows the second flow diagram of a method for controlling client traffic provided by an embodiment of the present application. The method can be executed by an electronic device, such as a terminal device or a server device. In other words, the method can be executed by software or hardware installed on a terminal device or a server device. The server includes, but is not limited to, a single server, a server cluster, a cloud server, or a cloud server cluster. As shown in the figure, the method may include the following steps.
S10: Establish a virtual private network (vpn) connection between the client and the server.
A vpn connection is a remote access technology that establishes a private network over a public network and encrypts the communication. Enterprise networking is a typical vpn scenario: for example, a company employee can establish a vpn connection between a personal computer client and the company server in order to access the company server's internal resources from home.
In one possible implementation, step S10 may specifically include the following steps.
Step S11: Receive, through the vyos network operating system, the virtual private network (vpn) request sent by the client.
For example, the client can send the vpn request to the vyos network operating system, which forwards it to the server.
Step S12: Send the vpn request to the client through the vyos network operating system.
The server returns the vpn request to the client through the vyos network operating system.
Thus, through the above steps, the embodiment of the present application can efficiently establish the vpn connection between the client and the server.
S20: Issue a virtual private network Internet protocol (vpn ip) address to the client.
In response to the establishment of the vpn connection, the server issues a vpn ip address to the client.
S30: Obtain the data packet transmitted over the vpn connection; the data packet carries the vpn ip address.
The embodiment of the present application covers both the case where the client sends a data packet to the server and the case where the server sends a data packet to the client. Therefore, obtaining the data packet transmitted over the vpn connection may mean that the server receives a data packet the client sent over the vpn connection, or that a data packet the server sends to the client over the vpn connection is intercepted.
Specifically, when the client sends a data packet to the server, the data packet may include an outer packet and an inner packet. The header of the outer packet includes the local public network ip address of the client, and the destination ip address of the outer packet includes the public network ip address of the server. The header of the inner packet includes the vpn ip address, and the destination ip address of the inner packet includes the ip address of the server's internal resource.
When the server sends a data packet to the client, the data packet includes an outer packet and an inner packet. The header of the inner packet includes the public network ip address of the server, and the destination ip address of the inner packet includes the local public network ip address of the client. The header of the outer packet includes the ip address of the server's internal resource, and the destination ip address of the outer packet includes the vpn ip address.
Thus, the embodiment of the present application applies both to the case where the client actively sends data packets to the server and to the case where the server actively sends data packets to the client.
S40: Establish a virtual switch and, based on the vpn ip address in the data packet, perform flow control on the data packet according to a preset flow control policy.
A virtual switch is established; based on the vpn ip address in the data packet, the client corresponding to that vpn ip address is determined, and flow control is performed on the data packet through the virtual switch according to the flow control policy preset for that client.
In one possible implementation, the preset flow control policy may also include one or more of: bandwidth control, ip address, port, and protocol.
Thus, the method for controlling client traffic provided by the embodiment of the present application can efficiently establish the vpn connection between the client and the server and can control the traffic of each client in a simple, easy-to-implement and low-cost way, without large-scale changes to the network architecture, saving traffic resources and server resources.
In addition, the embodiment of the present application can efficiently establish the vpn connection between the client and the server. It also applies both to the case where the client actively sends data packets to the server and to the case where the server actively sends data packets to the client.
Fig. 3 shows the third flow diagram of a method for controlling client traffic provided by an embodiment of the present application. The method can be executed by an electronic device, such as a terminal device or a server device. In other words, the method can be executed by software or hardware installed on a terminal device or a server device. The server includes, but is not limited to, a single server, a server cluster, a cloud server, or a cloud server cluster. As shown in the figure, the method may include the following steps.
S10: Establish a virtual private network (vpn) connection between the client and the server.
A vpn connection is a remote access technology that establishes a private network over a public network and encrypts the communication. Enterprise networking is a typical vpn scenario: for example, a company employee can establish a vpn connection between a personal computer client and the company server in order to access the company server's internal resources from home.
In one possible implementation, the following steps may also be included before step S10.
Step S110: Deploy network address translation (nat) through the vyos network operating system to expose the server to the public network.
Network address translation (NAT) requires NAT software to be installed. A router running NAT software has at least one valid external ip address, so when any host that uses a local address communicates with the outside world, its local address is translated to the external ip address on the router, and the host is thereby exposed to the public network.
Step S111: Verify the identity of the client.
In one possible implementation, the server can verify the client's account name and password through a back-end authenticator, thereby verifying the identity of the client.
For example, outside the intranet, a user accesses an internal resource of the server, such as an office automation system (OA system), through a client such as a mobile phone. The phone may be online over 4G and have the openvpn application installed; after starting the openvpn application, the user can enter information such as an account name and password. The openvpn server can be exposed to the public network through a "one-to-one" nat mapping in the vyos network operating system and provide the vpn service externally. After the server receives the request from the client, it verifies the identity of the client; specifically, the account name, password and similar information can be verified by a back-end Remote Authentication Dial In User Service (RADIUS).
In one possible implementation, step S10 may include the following specific steps.
Step S11: Receive, through the vyos network operating system, the virtual private network (vpn) request sent by the client.
For example, the client can send the vpn request to the vyos network operating system, which forwards it to the server.
Step S12: Send the vpn request to the client through the vyos network operating system.
The server returns the vpn request to the client through the vyos network operating system.
Thus, the embodiment of the present application can efficiently establish the vpn connection between the client and the server.
S20: Issue a virtual private network Internet protocol (vpn ip) address to the client.
In response to the establishment of the vpn connection, the server issues a vpn ip address to the client.
S30: Obtain the data packet transmitted over the vpn connection; the data packet carries the vpn ip address.
The embodiment of the present application covers both the case where the client sends a data packet to the server and the case where the server sends a data packet to the client. Therefore, obtaining the data packet transmitted over the vpn connection may mean that the server receives a data packet the client sent over the vpn connection, or that a data packet the server sends to the client over the vpn connection is intercepted.
Specifically, when the client sends a data packet to the server, the data packet may include an outer packet and an inner packet. The header of the outer packet includes the local public network ip address of the client, and the destination ip address of the outer packet includes the public network ip address of the server. The header of the inner packet includes the vpn ip address, and the destination ip address of the inner packet includes the ip address of the server's internal resource.
For example, the client obtains VPN IP = 192.168.10.100/24, the public network IP of the 4G network is 202.108.2.10, the openvpn server provides its service on public network IP = 61.4.176.10, and the OA system IP = 172.16.10.100.
After the vpn connection is established, the client initiates a request to access the OA system. Before entering the vpn connection, the request must go through special encapsulation, which produces: outer header IP 202.108.2.10, outer destination IP 61.4.176.10; inner header IP 192.168.10.100, inner destination IP 172.16.10.100. The server decapsulates the data packet and recovers the data packet with inner source IP 192.168.10.100 and inner destination IP 172.16.10.100.
When the server sends a data packet to the client, the data packet includes an outer packet and an inner packet. The header of the inner packet includes the public network ip address of the server, and the destination ip address of the inner packet includes the local public network ip address of the client. The header of the outer packet includes the ip address of the server's internal resource, and the destination ip address of the outer packet includes the vpn ip address.
S40: Establish a virtual switch and, based on the vpn ip address in the data packet, perform flow control on the data packet according to a preset flow control policy.
A virtual switch is established; based on the vpn ip address in the data packet, the client corresponding to that vpn ip address is determined, and flow control is performed on the data packet through the virtual switch according to the flow control policy preset for that client.
In one possible implementation, the embodiment of the present application can establish the virtual switch through the vyos network operating system. Based on the vpn ip address in the data packet, the client corresponding to that vpn ip address is determined, and flow control is performed on the data packet by the vyos network operating system according to the flow control policy preset for that client. The vyos network operating system is a network operating system based on the general-purpose operating system Debian and can provide the vpn function.
In one possible implementation, the preset flow control policy may also include one or more of: bandwidth control, ip address, port, and protocol.
For example, the policy deployed in advance through the vyos network operating system is: SRC_IP=192.168.10.100 DST_IP=172.16.10.100 PROTOCOL=HTTPS&HTTP BANDWITH=2Mbps. That is, the bandwidth of data packets with source IP 192.168.10.100 and destination IP 172.16.10.100 that access the HTTP/HTTPS service is limited to 2M. After rate limiting and the other operations of the pre-deployed policy are applied, the request is passed on correctly to the OA system.
In one possible implementation, the vyos network operating system can classify data packets and apply different rate-limiting policies to each class, for example matching a source IP_SUBNET, a destination IP_SUBNET, or certain protocols such as the BT (BitTorrent) communication protocol, and applying a separate rate limit to each.
Thus, the method for controlling client traffic provided by the embodiment of the present application can efficiently establish the vpn connection between the client and the server and can identify data packet characteristics. With later optimization and strengthening of its network functions, the vyos network operating system gains flow control capability similar to that of a physical network device and can better meet current demand in control granularity and flexibility. Without large-scale changes to the network architecture, it controls the traffic of each client in a simple, easy-to-implement and low-cost way, saving traffic resources and server resources.
Fig. 4 shows the fourth flow diagram of a method for controlling client traffic provided by an embodiment of the present application. The method can be executed by an electronic device, such as a terminal device or a server device. In other words, the method can be executed by software or hardware installed on a terminal device or a server device. The server includes, but is not limited to, a single server, a server cluster, a cloud server, or a cloud server cluster. As shown in the figure, the method may include the following steps.
S10: Establish a virtual private network (vpn) connection between the client and the server.
A vpn connection is a remote access technology that establishes a private network over a public network and encrypts the communication. Enterprise networking is a typical vpn scenario: for example, a company employee can establish a vpn connection between a personal computer client and the company server in order to access the company server's internal resources from home.
In one possible implementation, the following steps may also be included before step S10.
Step S110: Deploy network address translation (nat) through the vyos network operating system to expose the server to the public network.
Network address translation (NAT) requires NAT software to be installed. A router running NAT software has at least one valid external ip address, so when any host that uses a local address communicates with the outside world, its local address is translated to the external ip address on the router, and the host is thereby exposed to the public network.
Step S111: Verify the identity of the client.
In one possible implementation, the server can verify the client's account name and password through a back-end authenticator, thereby verifying the identity of the client.
For example, outside the intranet, a user accesses an internal resource of the server, such as an office automation system (OA system), through a client such as a mobile phone. The phone is online over 4G and has the openvpn application installed; after starting the openvpn application, the user can enter information such as an account name and password. The openvpn server can be exposed to the public network through a "one-to-one" nat mapping in the vyos network operating system and provide the vpn service externally. After the server receives the request from the client, it verifies the identity of the client; specifically, the account name, password and similar information can be verified by a back-end Remote Authentication Dial In User Service (RADIUS).
In one possible implementation, step S10 may include the following specific steps.
Step S11: Receive, through the vyos network operating system, the virtual private network (vpn) request sent by the client.
For example, the client can send the vpn request to the vyos network operating system, which forwards it to the server.
Step S12: Send the vpn request to the client through the vyos network operating system.
The server returns the vpn request to the client through the vyos network operating system.
Thus, the embodiment of the present application can efficiently establish the vpn connection between the client and the server.
S20: Issue a virtual private network Internet protocol (vpn ip) address to the client.
The server responds to the vpn connection establishment and issues the vpn ip address to the client.
S30: Obtain the data packet transmitted over the vpn connection, where the data packet carries the vpn ip address.
The embodiments of the present application cover both data packets sent from the client to the server and data packets sent from the server to the client. Obtaining the data packet transmitted over the vpn connection may therefore include the server receiving a data packet that the client sends over the vpn connection, and may also include intercepting a data packet that the server sends to the client over the vpn connection.
Specifically, when a data packet is sent from the client to the server, the data packet may include an outer packet and an inner packet. The header of the outer packet includes the client's local public IP address, and the destination IP address of the outer packet includes the server's public IP address; the header of the inner packet includes the vpn ip address, and the destination IP address of the inner packet includes the IP address of an internal resource of the server.
For example, the client obtains VPN IP = 192.168.10.100/24, the public IP of the 4G network is 202.108.2.10, the openvpn server provides its service on public IP = 61.4.176.10, and the OA system IP = 172.16.10.100.
After the vpn connection is established, the client initiates a request to access the OA system. Before entering the vpn connection, the request must be specially encapsulated: outer header IP 202.108.2.10, outer destination IP 61.4.176.10; inner header IP 192.168.10.100, inner destination IP 172.16.10.100. The server decapsulates the data packet and parses out the inner packet with inner source IP 192.168.10.100 and inner destination IP 172.16.10.100.
When a data packet is sent from the server to the client, the data packet includes an outer packet and an inner packet. The header of the inner packet includes the public IP address of the server, and the destination IP address of the inner packet includes the client's local public IP address; the header of the outer packet includes the IP address of the internal resource of the server, and the destination IP address of the outer packet includes the vpn ip address.
S40: Establish a virtual switch and, based on the vpn ip address in the data packet, perform flow control on the data packet according to a preset flow control policy.
A virtual switch is established; based on the vpn ip address in the data packet, the client corresponding to that vpn ip address is determined, and the virtual switch performs flow control on the data packet according to the flow control policy preset for that client.
In one possible implementation, the virtual switch can be established by the vyos network operating system. Based on the vpn ip address in the data packet, the client corresponding to the vpn ip address is determined, and the vyos network operating system performs flow control on the data packet according to the flow control policy preset for that client. The vyos network operating system is a network operating system based on the general-purpose operating system Debian and can provide vpn functions.
In one possible implementation, the preset flow control policy can also include one or more of: bandwidth control, IP address, port and protocol.
For example, the policy deployed in advance through the vyos network operating system is: SRC_IP=192.168.10.100 DST_IP=172.16.10.100 PROTOCOL=HTTPS&HTTP BANDWITH=2Mbps. That is, data packets with source IP 192.168.10.100 and destination IP 172.16.10.100 that access the HTTP/HTTPS service are limited to a bandwidth of 2M.
In one possible implementation, the vyos network operating system can classify data packets and apply different rate-limiting policies, for example matching a certain source IP_SUBNET segment, a certain destination IP_SUBNET segment, or certain protocols such as the BT (Bit Torrent) communication protocol, and applying a separate rate limit to each.
In one possible implementation, step S50 can also be included after step S40.
Step S50: Record the traffic used by the client, as reported by the vyos network operating system.
Specifically, the vyos network operating system can report client traffic to the server, and the server records it. In one possible implementation, the server can also perform operations such as billing based on the traffic.
In one possible implementation, the client can also report its local traffic to the server through the vyos network operating system for traffic statistics.
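The S40 policy match and the S50 accounting described above can be sketched as follows. This is an added example, not code from the patent or from VyOS: it classifies decapsulated inner packets by their vpn ip address, applies the quoted 2 Mbps policy with a token bucket, and counts forwarded bytes per client. Reading HTTP/HTTPS as TCP destination ports 80/443, the 15000-byte burst, the session id, and the check that the inner source address equals the address issued in S20 are assumptions made for the illustration.

```python
import ipaddress
import struct

TCP, UDP = 6, 17

def build_inner(src, dst, dport, payload_len, sport=40000):
    """Construct a sample inner IPv4+TCP packet (constructed data, checksums zero)."""
    total = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)
    return ip + tcp + bytes(payload_len)

def parse_inner(pkt):
    """Return (src, dst, proto, dport) from a decapsulated inner IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    dport = None
    # Only the first fragment of a TCP/UDP packet carries the port fields.
    if proto in (TCP, UDP) and frag_offset == 0 and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dport

class Policy:
    """One rule: match inner src/dst/protocol, enforce a token-bucket rate.
    The bucket is shared by everything the rule matches (a host or a subnet)."""
    def __init__(self, src, dst, tcp_ports, rate_bps, burst_bytes):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.tcp_ports = frozenset(tcp_ports)  # assumption: HTTP/HTTPS = 80/443
        self.rate = rate_bps / 8               # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = self.burst
        self.last = None

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and proto == TCP and dport in self.tcp_ports)

    def allow(self, size, now):
        if self.last is not None:
            refill = (now - self.last) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens < size:
            return False
        self.tokens -= size
        return True

class FlowController:
    def __init__(self):
        self.sessions = {}  # session id -> vpn ip issued in step S20
        self.policies = []
        self.usage = {}     # vpn ip (str) -> bytes forwarded, for step S50

    def issue_address(self, session_id, vpn_ip):
        self.sessions[session_id] = ipaddress.IPv4Address(vpn_ip)

    def handle(self, session_id, pkt, now):
        src, dst, proto, dport = parse_inner(pkt)
        # Assumed check: the inner source must be the address bound to this
        # session, so limits and accounting land on the right client.
        if self.sessions.get(session_id) != src:
            return "drop-mismatch"
        for policy in self.policies:
            if policy.matches(src, dst, proto, dport):
                if not policy.allow(len(pkt), now):
                    return "drop-rate"
                break
        self.usage[str(src)] = self.usage.get(str(src), 0) + len(pkt)
        return "forward"

def example():
    """Replay constructed packets against the policy quoted in the text."""
    fc = FlowController()
    fc.issue_address("session-1", "192.168.10.100")
    fc.policies.append(Policy("192.168.10.100", "172.16.10.100", {80, 443},
                              rate_bps=2_000_000, burst_bytes=15_000))
    https = build_inner("192.168.10.100", "172.16.10.100", 443, 1460)
    burst = [fc.handle("session-1", https, now=0.0) for _ in range(11)]
    later = fc.handle("session-1", https, now=1.0)      # bucket has refilled
    other = build_inner("192.168.10.100", "172.16.10.100", 22, 60)
    unshaped = fc.handle("session-1", other, now=1.0)   # no policy matches
    wrong_src = build_inner("192.168.10.101", "172.16.10.100", 443, 1460)
    mismatch = fc.handle("session-1", wrong_src, now=1.0)
    return fc, burst, later, unshaped, mismatch

if __name__ == "__main__":
    controller, *results = example()
    print(results, controller.usage)
```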
Thus, the method for controlling client traffic provided by the embodiments of the present application can efficiently establish the vpn connection between the client and the server and can identify data packet features. Through later optimization and strengthening of network functions, the vyos network operating system gains flow control functions similar to those of a physical network device and better meets current needs in control granularity and flexibility. Without large-scale changes to the network architecture, the traffic of each client can be controlled in a simple, easy-to-implement and low-cost manner, saving traffic resources and server resources. Further, the method for controlling client traffic provided by the embodiments of the present application can perform traffic statistics for the client.
Fig. 5 shows a first module diagram of a device for controlling client traffic provided by the embodiments of the present application. As shown, the device 1 for controlling client traffic includes: a connection module 10, a transmission module 20, an acquisition module 30 and a control module 40.
Specifically, the connection module 10 is used to establish the virtual private network (vpn) connection between the client and the server. The transmission module 20 is connected to the connection module 10 and is used to issue the virtual private network Internet protocol (vpn ip) address to the client. The acquisition module 30 is connected to the transmission module 20 and is used to obtain the data packet transmitted over the vpn connection, where the data packet carries the vpn ip address. The control module 40 is connected to the acquisition module 30 and is used to establish a virtual switch and, based on the vpn ip address in the data packet, perform flow control on the data packet according to a preset flow control policy.
The working method of each module in the device 1 for controlling client traffic provided by the embodiments of the present application is similar to the steps described in the method embodiments above and is not repeated here.
Thus, the device for controlling client traffic provided by the embodiments of the present application can, without large-scale changes to the network architecture, control the traffic of each client in a simple, easy-to-implement and low-cost manner, saving traffic resources and server resources.
Fig. 6 shows a second module diagram of a device for controlling client traffic provided by the embodiments of the present application. As shown, the device 1 for controlling client traffic includes: a connection module 10, a transmission module 20, an acquisition module 30, a control module 40, a deployment module 110, an authentication module 111 and a statistics module 50.
Specifically, the connection module 10 is used to establish the virtual private network (vpn) connection between the client and the server. In one possible implementation, the connection module 10 can be specifically used to receive, through the vyos network operating system, the virtual private network (vpn) request sent by the client, and to send the vpn request to the client through the vyos network operating system.
The transmission module 20 is used to issue the virtual private network Internet protocol (vpn ip) address to the client.
The acquisition module 30 is used to obtain the data packet transmitted over the vpn connection, where the data packet carries the vpn ip address. In one possible implementation, the data packet obtained by the acquisition module includes an outer packet and an inner packet. The header of the outer packet includes the client's local public IP address, and the destination IP address of the outer packet includes the public IP address of the server; the header of the inner packet includes the vpn ip address, and the destination IP address of the inner packet includes the IP address of the internal resource of the server.
In another possible implementation, the data packet obtained by the acquisition module includes an outer packet and an inner packet. The header of the inner packet includes the public IP address of the server, and the destination IP address of the inner packet includes the client's local public IP address; the header of the outer packet includes the IP address of the internal resource of the server, and the destination IP address of the outer packet includes the vpn ip address.
The control module 40 is used to establish a virtual switch and, based on the vpn ip address in the data packet, perform flow control on the data packet according to a preset flow control policy. In one possible implementation, the control module 40 is used to establish the virtual switch through the vyos network operating system. In one possible implementation, the preset flow control policy further includes one or more of: bandwidth control, IP address, port and protocol.
In one possible implementation, the device 1 further includes a deployment module 110, connected to the connection module 10, for deploying network address translation (nat) through the vyos network operating system to expose the server to the public network.
In one possible implementation, the device 1 further includes an authentication module 111, connected to the connection module 10, for verifying the identity of the client.
In one possible implementation, the device 1 further includes a statistics module 50, connected to the control module 40, for recording the traffic used by the client, as reported by the vyos network operating system.
The working method of each module in the device 1 for controlling client traffic provided by the embodiments of the present application is similar to the steps described in the method embodiments above and is not repeated here.
Thus, the device for controlling client traffic provided by the embodiments of the present application can efficiently establish the vpn connection between the client and the server and can identify data packet features. Through later optimization and strengthening of network functions, the vyos network operating system gains flow control functions similar to those of a physical network device and better meets current needs in control granularity and flexibility. Without large-scale changes to the network architecture, the traffic of each client can be controlled in a simple, easy-to-implement and low-cost manner, saving traffic resources and server resources. Further, the device for controlling client traffic provided by the embodiments of the present application can perform traffic statistics for the client.
Fig. 7 shows a hardware structure diagram of an electronic device that executes the method for controlling client traffic provided by the embodiments of the present application. As shown, the electronic device may vary considerably with configuration or performance. It may include one or more processors 701 and a memory 702, and the memory 702 can store one or more applications or data. The memory 702 can be transient storage or persistent storage. An application stored in the memory 702 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for the electronic device. Further, the processor 701 can be configured to communicate with the memory 702 and to execute, on the electronic device, the series of computer-executable instructions in the memory 702. The electronic device can also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input/output interfaces 705, one or more keyboards 706, and so on.
In a specific embodiment, the electronic device includes a memory, a processor, and computer-executable instructions that are stored in the memory and can run on the processor. When the computer-executable instructions are executed by the processor, the following flow is implemented:
establishing the virtual private network (vpn) connection between the client and the server;
issuing the virtual private network Internet protocol (vpn ip) address to the client;
obtaining the data packet transmitted over the vpn connection, where the data packet carries the vpn ip address;
based on the vpn ip address in the data packet, performing flow control on the data packet through the vyos network operating system according to a preset flow control policy.
Optionally, when the computer-executable instructions are executed by the processor, establishing the virtual private network (vpn) connection between the client and the server includes executing:
receiving, through the vyos network operating system, the virtual private network (vpn) request sent by the client;
sending the vpn request to the client through the vyos network operating system.
Optionally, when the computer-executable instructions are executed by the processor, before the virtual private network (vpn) request sent by the client is received through the vyos network operating system, the following is also executed:
deploying network address translation (nat) through the vyos network operating system to expose the server to the public network.
Optionally, when the computer-executable instructions are executed by the processor, the data packet includes an outer packet and an inner packet. The header of the outer packet includes the client's local public IP address, and the destination IP address of the outer packet includes the public IP address of the server; the header of the inner packet includes the vpn ip address, and the destination IP address of the inner packet includes the IP address of the internal resource of the server.
Optionally, when the computer-executable instructions are executed by the processor, the data packet includes an outer packet and an inner packet. The header of the inner packet includes the public IP address of the server, and the destination IP address of the inner packet includes the client's local public IP address; the header of the outer packet includes the IP address of the internal resource of the server, and the destination IP address of the outer packet includes the vpn ip address.
Optionally, when the computer-executable instructions are executed by the processor, the preset flow control policy further includes one or more of: bandwidth control, IP address, port and protocol.
Optionally, when the computer-executable instructions are executed by the processor, after flow control is performed on the data packet according to the preset flow control policy, the following is also executed:
recording the traffic used by the client, as reported by the vyos network operating system.
Optionally, when the computer-executable instructions are executed by the processor, before the virtual private network (vpn) connection between the client and the server is established, the following is also executed: verifying the identity of the client.
Thus, the electronic device that executes the method for controlling client traffic provided by the embodiments of the present application can efficiently establish the vpn connection between the client and the server and can identify data packet features. Through later optimization and strengthening of network functions, the vyos network operating system gains flow control functions similar to those of a physical network device and better meets current needs in control granularity and flexibility. Without large-scale changes to the network architecture, the traffic of each client can be controlled in a simple, easy-to-implement and low-cost manner, saving traffic resources and server resources. Further, the electronic device that executes the method for controlling client traffic provided by the embodiments of the present application can perform traffic statistics for the client.
The electronic device of the embodiments of the present application exists in a variety of forms, including but not limited to the following devices.
(1) Mobile communication devices: devices of this kind have mobile communication functions, and their main goal is to provide voice and data communication. Such terminals include smartphones (such as the iPhone), multimedia phones, feature phones and low-end mobile phones.
(2) Ultra-mobile personal computer devices: devices of this kind belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices of this kind can display and play multimedia content. They include audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on. Its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction functions.
Further, the embodiments of the present application also provide a computer-readable storage medium for storing computer-executable instructions. When the computer-executable instructions are executed by a processor, the following flow is implemented:
establishing the virtual private network (vpn) connection between the client and the server;
issuing the virtual private network Internet protocol (vpn ip) address to the client;
obtaining the data packet transmitted over the vpn connection, where the data packet carries the vpn ip address;
based on the vpn ip address in the data packet, performing flow control on the data packet through the vyos network operating system according to a preset flow control policy.
Optionally, when the computer-executable instructions are executed by the processor, establishing the virtual private network (vpn) connection between the client and the server includes executing:
receiving, through the vyos network operating system, the virtual private network (vpn) request sent by the client;
sending the vpn request to the client through the vyos network operating system.
Optionally, when the computer-executable instructions are executed by the processor, before the virtual private network (vpn) request sent by the client is received through the vyos network operating system, the following is also executed:
deploying network address translation (nat) through the vyos network operating system to expose the server to the public network.
Optionally, when the computer-executable instructions are executed by the processor, the data packet includes an outer packet and an inner packet. The header of the outer packet includes the client's local public IP address, and the destination IP address of the outer packet includes the public IP address of the server; the header of the inner packet includes the vpn ip address, and the destination IP address of the inner packet includes the IP address of the internal resource of the server.
Optionally, when the computer-executable instructions are executed by the processor, the data packet includes an outer packet and an inner packet. The header of the inner packet includes the public IP address of the server, and the destination IP address of the inner packet includes the client's local public IP address; the header of the outer packet includes the IP address of the internal resource of the server, and the destination IP address of the outer packet includes the vpn ip address.
Optionally, when the computer-executable instructions are executed by the processor, the preset flow control policy further includes one or more of: bandwidth control, IP address, port and protocol.
Optionally, when the computer-executable instructions are executed by the processor, after flow control is performed on the data packet according to the preset flow control policy, the following is also executed:
recording the traffic used by the client, as reported by the vyos network operating system.
Optionally, when the computer-executable instructions are executed by the processor, before the virtual private network (vpn) connection between the client and the server is established, the following is also executed: verifying the identity of the client.
Thus, the electronic device that executes the method for controlling client traffic provided by the embodiments of the present application can efficiently establish the vpn connection between the client and the server and can identify data packet features. Through later optimization and strengthening of network functions, the vyos network operating system gains flow control functions similar to those of a physical network device and better meets current needs in control granularity and flexibility. Without large-scale changes to the network architecture, the traffic of each client can be controlled in a simple, easy-to-implement and low-cost manner, saving traffic resources and server resources. Further, the electronic device that executes the method for controlling client traffic provided by the embodiments of the present application can perform traffic statistics for the client.
The computer-readable storage medium includes read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disks, optical discs and the like.
The embodiments in this specification are described in a progressive manner. The same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, because the system embodiments are substantially similar to the method embodiments, they are described relatively briefly; for related details, refer to the description of the method embodiments.
The above is only an example of the present application and is not intended to limit the present application. Those skilled in the art may make various changes and variations to the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within the scope of the claims of the present application.

Claims (13)

1. A method for controlling client traffic, characterized by comprising:
establishing a virtual private network (vpn) connection between a client and a server;
issuing a virtual private network Internet protocol (vpn ip) address to the client;
obtaining a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address; and
establishing a virtual switch and, based on the vpn ip address in the data packet, performing flow control on the data packet according to a preset flow control policy.
2. The method according to claim 1, characterized in that establishing the virtual private network (vpn) connection between the client and the server comprises:
receiving, through a vyos network operating system, the virtual private network (vpn) request sent by the client; and
sending the vpn request to the client through the vyos network operating system.
3. The method according to claim 2, characterized in that, before receiving through the vyos network operating system the virtual private network (vpn) request sent by the client, the method further comprises:
deploying network address translation (nat) through the vyos network operating system to expose the server to the public network.
4. The method according to claim 1, characterized in that the data packet comprises an outer packet and an inner packet, the header of the outer packet includes the client's local public IP address, the destination IP address of the outer packet includes the public IP address of the server, the header of the inner packet includes the vpn ip address, and the destination IP address of the inner packet includes the IP address of the internal resource of the server.
5. The method according to claim 1, characterized in that the data packet comprises an outer packet and an inner packet, the header of the inner packet includes the public IP address of the server, the destination IP address of the inner packet includes the client's local public IP address, the header of the outer packet includes the IP address of the internal resource of the server, and the destination IP address of the outer packet includes the vpn ip address.
6. The method according to claim 1, characterized in that the preset flow control policy further comprises one or more of: bandwidth control, IP address, port and protocol.
7. The method according to claim 1, characterized in that, after performing flow control on the data packet according to the preset flow control policy, the method further comprises:
recording the traffic used by the client, as reported by the vyos network operating system.
8. The method according to claim 1, characterized in that establishing the virtual switch comprises: establishing the virtual switch through a vyos network operating system.
9. A device for controlling client traffic, characterized by comprising:
a connection module, for establishing a virtual private network (vpn) connection between a client and a server;
a transmission module, for issuing a virtual private network Internet protocol (vpn ip) address to the client;
an acquisition module, for obtaining a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address; and
a control module, for establishing a virtual switch and, based on the vpn ip address in the data packet, performing flow control on the data packet according to a preset flow control policy.
10. The device according to claim 9, characterized in that the connection module is used to receive, through a vyos network operating system, the virtual private network (vpn) request sent by the client; and
to send the vpn request to the client through the vyos network operating system.
11. The device according to claim 10, characterized in that the device further comprises:
a deployment module, for deploying network address translation (nat) through the vyos network operating system to expose the server to the public network.
12. The device according to claim 9, characterized in that the data packet obtained by the acquisition module comprises an outer packet and an inner packet, the header of the outer packet includes the client's local public IP address, the destination IP address of the outer packet includes the public IP address of the server, the header of the inner packet includes the vpn ip address, and the destination IP address of the inner packet includes the IP address of the internal resource of the server.
13. The device according to claim 9, characterized in that the data packet obtained by the acquisition module comprises an outer packet and an inner packet, the header of the inner packet includes the public IP address of the server, the destination IP address of the inner packet includes the client's local public IP address, the header of the outer packet includes the IP address of the internal resource of the server, and the destination IP address of the outer packet includes the vpn ip address.
CN201811444737.7A 2018-11-29 2018-11-29 Method and device for controlling flow of client Active CN109587028B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811444737.7A CN109587028B (en) 2018-11-29 2018-11-29 Method and device for controlling flow of client

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811444737.7A CN109587028B (en) 2018-11-29 2018-11-29 Method and device for controlling flow of client

Publications (2)

Publication Number Publication Date
CN109587028A true CN109587028A (en) 2019-04-05
CN109587028B CN109587028B (en) 2021-11-26

Family

ID=65925640

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811444737.7A Active CN109587028B (en) 2018-11-29 2018-11-29 Method and device for controlling flow of client

Country Status (1)

Country Link
CN (1) CN109587028B (en)


Also Published As

Publication number Publication date
CN109587028B (en) 2021-11-26

Similar Documents

Publication Publication Date Title
CN107786613B (en) Broadband remote access server BRAS forwarding implementation method and device
CN101986648A (en) Negotiation method, device and network device of TCP option
WO2013056630A1 (en) Base station, service processing method and cloud computing system
TWI477111B (en) Outdoor wireless modem and method for signal processing thereof
CN109587028A (en) A kind of method and apparatus controlling client traffic
CN109890069A (en) Method for connecting network, terminal, base station and computer storage medium
CN108200158B (en) Request Transmission system, method, apparatus and storage medium
WO2023000940A1 (en) Data processing method and apparatus, and network element device, storage medium and program product
CN104066110A (en) Wireless router stability testing system and method
WO2021169291A1 (en) Route advertising method, network elements, system, and device
CN106301921A (en) Elephant flow transmission dispatching method based on tunnel and system
CN104426732A (en) High-speed transmission tunnel realization method and system
CN113613314A (en) ICOT private network networking method and system based on converged network splitter
WO2015090035A1 (en) Network resource sharing processing and sharing method, device and system
CN112073244A (en) TR069 protocol-based message processing method and system
CN102845042B (en) The aggregation of bandwidth system and method for the multiple movable physical interface of a kind of application layer
KR20210016802A (en) Method for optimizing flow table for network service based on server-client in software defined networking environment and sdn switch thereofor
CN104935490A (en) Mobile internet terminal accessing apparatus based on cloud virtual machine
CN107566476A (en) A kind of cut-in method, SDN controllers, forwarding unit and subscriber access system
CN108494748A (en) A kind of communication means, device and storage medium
CN102282886A (en) Method, mobile terminal, device and system for implementing voice services
Cicconetti et al. A preliminary evaluation of quic for mobile serverless edge applications
EP3416058A1 (en) Routers and hybrid packet processing methods thereof
Ran et al. The research of OpenFlow management and control interface protocols based on SDN technology
Nikitinskiy et al. Analyzing the possibility of applying asymmetric transport protocols in terms of software defined networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant