CN110191067A - Private line network access control method, device, equipment and readable storage medium storing program for executing - Google Patents


Info

Publication number
CN110191067A
Authority
CN
China
Prior art keywords
service
private line
line network
public cloud
access control
Prior art date
Legal status
Granted
Application number
CN201910450419.XA
Other languages
Chinese (zh)
Other versions
CN110191067B (en)
Inventor
林丰
卢道和
谢波
沈卫华
赵伟
杨成旺
Current Assignee
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN201910450419.XA
Publication of CN110191067A
Application granted
Publication of CN110191067B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/02 Topology update or discovery
    • H04L 45/04 Interdomain routing, e.g. hierarchical routing
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks


Abstract

The present invention relates to the technical field of financial technology (Fintech) and specifically discloses a private line network access control method, device, equipment and readable storage medium. The method comprises: based on the public cloud private line network that has been accessed, establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment; according to the established BGP neighbour, obtaining multiple first service traffics corresponding to multiple service types; defining a routing map for the multiple first service traffics, the routing map including service priorities corresponding to the multiple service types; and invoking the routing map and forwarding each of the multiple first service traffics to the destination server based on its service priority. The present invention optimizes the processing of network service traffic for financial technology enterprises; priority-based traffic processing guarantees the communication of important services at line peak.

Description

Private line network access control method, device, equipment and readable storage medium
Technical field
The present invention relates to the technical field of financial technology (Fintech), and in particular to a private line network access control method, device, equipment and readable storage medium.
Background technique
With the development of computer technology, more and more computer technologies (such as artificial intelligence, blockchain and cloud computing) are being applied in the financial field, the traditional financial industry is gradually transforming into financial technology (Fintech), and network data traffic in financial technology is rising sharply. At present, in the network interconnection architecture of a financial technology enterprise, branches depend on the parent company to forward their service data traffic. Against the background of sharply increasing service data traffic, forwarding all of the received service traffic together easily causes congestion or failure of the network line, and the communication of important services cannot be guaranteed at line peak.
Summary of the invention
The main purpose of the present invention is to provide a private line network access control method, device, equipment and readable storage medium, aiming to solve the problem that, in the network interconnection architecture of a financial technology enterprise, branches rely on the parent company for data forwarding and the communication of important services cannot be guaranteed at line peak.
To achieve the above object, the present invention provides a private line network access control method, applied to a target border device that is communicatively connected to a destination server. The private line network access control method comprises the following steps:
based on the public cloud private line network that has been accessed, establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment;
according to the established BGP neighbour, obtaining multiple first service traffics corresponding to multiple service types;
defining a routing map for the multiple first service traffics, the routing map including service priorities corresponding to the multiple service types;
invoking the routing map, and forwarding each of the multiple first service traffics to the destination server based on its service priority.
Optionally, the step of obtaining multiple first service traffics corresponding to multiple service types according to the established BGP neighbour comprises:
configuring an access control list based on preset service type requirements;
obtaining the multiple first service traffics corresponding to the multiple service types according to the established BGP neighbour and the configured access control list.
Optionally, after the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the method further comprises:
obtaining second service traffic corresponding to a target route based on the BGP neighbour and the target route corresponding to a preset prefix list;
filtering the second service traffic according to a preset filter condition to obtain filtered second service traffic, the filtered second service traffic including the multiple first service traffics corresponding to the multiple service types; and proceeding to the step of obtaining multiple first service traffics corresponding to multiple service types according to the established BGP neighbour.
Optionally, before the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the method further comprises:
determining a private line access point of the public cloud private line network according to a preset selection condition;
accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
Optionally, the private line access point includes a first access point and a second access point, and after the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the method further comprises:
if a failure is detected in the public cloud private line network corresponding to the first access point, disconnecting the BGP neighbour corresponding to the first access point, and switching the service traffic of the public cloud private line network corresponding to the first access point to the public cloud private line network corresponding to the second access point.
Optionally, before the step of invoking the routing map and forwarding each of the multiple first service traffics to the destination server based on its service priority, the method further comprises:
configuring a control access policy based on a preset object group and the attributes of the destination server;
and the step of invoking the routing map and forwarding each of the multiple first service traffics to the destination server based on its service priority comprises:
invoking the routing map, and forwarding each of the multiple first service traffics to the destination server according to the service priority and the control access policy.
In addition, the present invention also proposes a private line network access control device, provided in a target border device that is communicatively connected to a destination server. The private line network access control device comprises:
an establishing module, configured to establish a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network;
a first obtaining module, configured to obtain multiple first service traffics corresponding to multiple service types according to the established BGP neighbour;
a definition module, configured to define a routing map for the multiple first service traffics, the routing map including service priorities corresponding to the multiple service types;
a forwarding module, configured to invoke the routing map and forward each of the multiple first service traffics to the destination server based on its service priority.
Optionally, the first obtaining module comprises:
a configuration unit, configured to configure an access control list based on preset service type requirements;
an acquiring unit, configured to obtain the multiple first service traffics corresponding to the multiple service types according to the established BGP neighbour and the configured access control list.
Optionally, the device further comprises:
a second obtaining module, configured to obtain second service traffic corresponding to a target route based on the BGP neighbour and the target route corresponding to a preset prefix list;
a filtering module, configured to filter the second service traffic according to a preset filter condition to obtain filtered second service traffic, the filtered second service traffic including the multiple first service traffics corresponding to the multiple service types.
Optionally, the device further comprises:
a determining module, configured to determine a private line access point of the public cloud private line network according to a preset selection condition;
an access module, configured to access the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
Optionally, the private line access point includes a first access point and a second access point, and the device further comprises:
a switching module, configured to, if a failure is detected in the public cloud private line network corresponding to the first access point, disconnect the BGP neighbour corresponding to the first access point and switch the service traffic of the public cloud private line network corresponding to the first access point to the public cloud private line network corresponding to the second access point.
Optionally, the device further comprises:
a configuration module, configured to configure a control access policy based on a preset object group and the attributes of the destination server;
and the forwarding module comprises:
a forwarding unit, configured to invoke the routing map and forward each of the multiple first service traffics to the destination server according to the service priority and the control access policy.
In addition, to achieve the above object, the present invention also proposes private line network access control equipment, comprising a memory, a processor, and a private line network access control program stored in the memory and runnable on the processor; when the private line network access control program is executed by the processor, the steps of any of the private line network access control methods described above are implemented.
In addition, to achieve the above object, the present invention also proposes a readable storage medium applied to a computer, on which a private line network access control program is stored; when the private line network access control program is executed by a processor, the steps of any of the private line network access control methods described above are implemented.
The present invention establishes a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network; obtains multiple first service traffics corresponding to multiple service types according to the established BGP neighbour; defines a routing map for the multiple first service traffics, the routing map including service priorities corresponding to the multiple service types; and invokes the routing map and forwards each of the multiple first service traffics to the destination server based on its service priority. As a result, in a financial technology enterprise, the target border devices of the parent company and of the branches obtain service traffic directly from the cloud through the public cloud private line network, distinguish the priorities of the obtained service traffic, and then forward the service traffic according to the set priorities. This avoids the problem in the prior art that branches rely on the parent company for data forwarding and the communication of important services cannot be guaranteed at line peak. The present invention optimizes the processing of network service traffic in the intranet interconnection architecture; priority-based service traffic processing guarantees the communication of important services at line peak.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the hardware running environment involved in the embodiments of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the private line network access control method of the present invention;
Fig. 3 is a schematic diagram of the refinement steps of step S200 in Fig. 2;
Fig. 4 is a flow diagram of the second embodiment of the private line network access control method of the present invention;
Fig. 5 is a flow diagram of the third embodiment of the private line network access control method of the present invention;
Fig. 6 is a flow diagram of the fourth embodiment of the private line network access control method of the present invention.
The realization of the object, the functional characteristics and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Specific embodiments
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
As shown in Fig. 1, Fig. 1 is a schematic structural diagram of the hardware running environment involved in the embodiments of the present invention.
It should be noted that Fig. 1 may be the schematic structural diagram of the hardware running environment of the private line network access control equipment. The private line network access control equipment of the embodiments of the present invention may be a PC, or a terminal device such as a portable computer.
As shown in Fig. 1, the private line network access control equipment may comprise: a processor 1001, such as a CPU; a network interface 1004; a user interface 1003; a memory 1005; and a communication bus 1002. The communication bus 1002 implements the connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory, or a stable memory (non-volatile memory) such as a magnetic disk memory. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the structure of the private line network access control equipment shown in Fig. 1 does not constitute a limitation of the private line network access control equipment, which may include more or fewer components than illustrated, combine certain components, or have a different component arrangement.
As shown in Fig. 1, the memory 1005, as a computer readable storage medium, may include an operating system, a network communication module, a user interface module and a private line network access control program. The operating system is the program that manages and controls the hardware and software resources of the private line network access control equipment and supports the running of the private line network access control program and other software or programs.
In the private line network access control equipment shown in Fig. 1, the user interface 1003 is mainly used for data communication with each terminal; the network interface 1004 is mainly used for connecting to a background server and communicating data with it; and the processor 1001 may be used to call the private line network access control program stored in the memory 1005 and perform the following operations:
based on the public cloud private line network that has been accessed, establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment;
according to the established BGP neighbour, obtaining multiple first service traffics corresponding to multiple service types;
defining a routing map for the multiple first service traffics, the routing map including service priorities corresponding to the multiple service types;
invoking the routing map, and forwarding each of the multiple first service traffics to the destination server based on its service priority.
Further, the processor 1001 may also be used to call the private line network access control program stored in the memory 1005 and perform the following steps:
configuring an access control list based on preset service type requirements;
obtaining the multiple first service traffics corresponding to the multiple service types according to the established BGP neighbour and the configured access control list.
Further, after the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the processor 1001 may also be used to call the private line network access control program stored in the memory 1005 and perform the following steps:
obtaining second service traffic corresponding to a target route based on the BGP neighbour and the target route corresponding to a preset prefix list;
filtering the second service traffic according to a preset filter condition to obtain filtered second service traffic, the filtered second service traffic including the multiple first service traffics corresponding to the multiple service types.
Further, before the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the processor 1001 may also be used to call the private line network access control program stored in the memory 1005 and perform the following steps:
determining a private line access point of the public cloud private line network according to a preset selection condition;
accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
Further, the private line access point includes a first access point and a second access point, and after the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the processor 1001 may also be used to call the private line network access control program stored in the memory 1005 and perform the following steps:
if a failure is detected in the public cloud private line network corresponding to the first access point, disconnecting the BGP neighbour corresponding to the first access point, and switching the service traffic of the public cloud private line network corresponding to the first access point to the public cloud private line network corresponding to the second access point.
Further, before the step of invoking the routing map and forwarding each of the multiple first service traffics to the destination server based on its service priority, the processor 1001 may also be used to call the private line network access control program stored in the memory 1005 and perform the following steps:
configuring a control access policy based on a preset object group and the attributes of the destination server;
and the step of invoking the routing map and forwarding each of the multiple first service traffics to the destination server based on its service priority comprises:
invoking the routing map, and forwarding each of the multiple first service traffics to the destination server according to the service priority and the control access policy.
Based on the above structure, the embodiments of the private line network access control method of the present invention are proposed.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the private line network access control method of the present invention.
The embodiments of the present invention provide embodiments of a private line network access control method. It should be noted that although a logical order is shown in the flow diagram, in some cases the steps may be executed in an order different from that shown or described herein.
The private line network access control method of this embodiment is applied to a target border device that is communicatively connected to a destination server; the target border device of this embodiment may be a network border device such as a firewall or a router.
The private line network access control method of this embodiment comprises the following steps:
Step S100: based on the accessed public cloud private line network, establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment;
At present, network traffic data in financial technology is continuously and sharply increasing. However, in the network interconnection architecture of existing financial technology enterprises, branches depend on the parent company to forward their service data traffic, which has the following drawbacks: drawing a dedicated line directly from the parent company to each branch involves huge leased-line charges and is expensive; communication between branches relies on the parent company for data forwarding, so all traffic detours through the parent company, which increases the load on the dedicated line; there is a single point of risk, since a failure in the parent company's network affects all branches; and against the background of sharply increasing service data traffic, the parent company forwarding all of the received service traffic together easily causes congestion or failure of the network line, so the communication of important services cannot be guaranteed at line peak.
The target border device of this embodiment may be the target border device of the parent company or the target border device of a branch; that is, in this embodiment the parent company and each branch obtain service traffic directly from the cloud based on their respective target border devices. This avoids the prior-art problem that drawing a dedicated line directly from the parent company to each branch involves huge leased-line charges, and also avoids the problem that communication between branches relies on the parent company for data forwarding, so that all traffic detours through the parent company and increases the load on the dedicated line.
The target border device of this embodiment establishes a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network. Specifically, BGP (Border Gateway Protocol) is the routing protocol used to connect autonomous systems on the Internet; after the target border device accesses the public cloud private line network, it establishes a BGP neighbour with the public cloud network equipment in order to exchange routing information dynamically.
Step S200: according to the established BGP neighbour, obtaining multiple first service traffics corresponding to multiple service types;
In this embodiment, the target border devices of the parent company and of the branches of a financial technology enterprise (such as a bank) all obtain, based on the established BGP neighbour, multiple first service traffics corresponding to multiple service types. Specifically, referring to Fig. 3, Fig. 3 is a schematic diagram of the refinement steps of step S200 in this embodiment; step S200 of this embodiment specifically comprises the following refinement steps:
Step S210: configuring an access control list based on preset service type requirements;
Step S220: obtaining the multiple first service traffics corresponding to the multiple service types according to the established BGP neighbour and the configured access control list.
Different branches have different requirements for service types, which can be set according to actual needs in a specific implementation. After setting multiple service types according to the requirements, an ACL (Access Control List) is configured to capture the service traffic of the different service types; the multiple first service traffics may be, for example, IP telephony traffic, business transaction traffic and general Internet browsing traffic.
Step S300: defining a routing map for the multiple first service traffics, the routing map including service priorities corresponding to the multiple service types;
A routing map is defined for the multiple first service traffics, the routing map including service priorities corresponding to the multiple service types. Specifically, a policy-map (routing map) is configured on the target border device; a routing map consists of multiple policies, each of which defines one or more matching rules and the corresponding actions. By configuring the routing map, a high priority is set for important services (such as business transaction traffic) and a low priority for unimportant services (such as Internet browsing traffic).
Step S400: invoking the routing map, and forwarding each of the multiple first service traffics to the destination server based on its service priority.
The routing map is invoked in the inbound and outbound directions of the dedicated line interface of the target border device. As a result, when forwarding the multiple first service traffics, the target border device performs the forwarding operations according to the priorities defined by the routing map, that is, high-priority packets are forwarded first, thereby optimizing network traffic processing and guaranteeing the communication of important services at line peak.
This embodiment establishes a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network; obtains multiple first service traffics corresponding to multiple service types according to the established BGP neighbour; defines a routing map for the multiple first service traffics, the routing map including service priorities corresponding to the multiple service types; and invokes the routing map and forwards each of the multiple first service traffics to the destination server based on its service priority. As a result, the target border devices of the parent company and of the branches obtain service traffic directly from the cloud through the public cloud private line network, distinguish the priorities of the obtained service traffic, and then forward the service traffic according to the set priorities, which avoids the problem in the prior art that branches rely on the parent company for data forwarding and the communication of important services cannot be guaranteed at line peak. This embodiment optimizes the processing of network service traffic in the intranet interconnection architecture; priority-based service traffic processing guarantees the communication of important services at line peak.
Further, a second embodiment of the private line network access control method of the present invention is proposed.
Referring to Fig. 4, Fig. 4 is a flow diagram of the second embodiment of the private line network access control method of the present invention. Based on the first embodiment above, in this embodiment the method further includes, after step S100 (establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the public cloud private line network already accessed):
Step S510: based on the BGP neighbour and the target routes corresponding to a preset prefix list, obtain the second service traffic corresponding to those target routes;
Step S520: filter the second service traffic according to a preset filter condition to obtain filtered second service traffic, the filtered second service traffic including the multiple first service traffic flows corresponding to the multiple service types; then proceed to step S200: according to the established BGP neighbour, obtain the multiple first service traffic flows corresponding to the multiple service types.
In this embodiment, a prefix-list is configured in the BGP process to capture the different kinds of service traffic, i.e. the second service traffic; the second service traffic may include development network, office network, isolated area (DMZ) and non-office-site traffic, among others. A prefix list can restrict both the range of the prefix and the range of the mask length that are used to match and filter routes. This embodiment obtains, according to the prefix list configured in the BGP process, the second service traffic corresponding to the target routes included in that prefix list.
Further, as one implementation: as the traditional financial industry gradually transforms into financial technology, the information security requirements of fintech enterprises keep rising. After capturing the second service traffic through the prefix-list, this embodiment configures which received routes are permitted or denied, for example denying routes from non-office sites, thereby filtering the second service traffic; the filtered second service traffic is then used to define the route map, so that forwarding is processed according to service priority. While optimising network service traffic handling in the intranet interconnection architecture and guaranteeing important service communications at line peak, this embodiment also improves the network security of the fintech enterprise at the routing level.
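A prefix-list filter of the kind described in steps S510 and S520 can be modelled as follows. This is an added example, not code from the patent or any router vendor; the list entries, sequence numbers, site names and received routes are constructed. The matching rules implemented (entries evaluated in sequence order, first match wins, exact mask-length match unless a ge/le range is given, implicit deny when nothing matches) follow the usual semantics of an ip prefix-list, which is why a bare deny entry for a /16 does not catch the /24 routes inside it unless a le bound is added.

```python
"""Filtering received BGP routes with a prefix list (added example, not the patent's code)."""
import ipaddress

# One entry per line: (seq, action, prefix, ge, le), mirroring
# "ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]".  Constructed values.
PREFIX_LIST = [
    (10, "deny",   "10.40.0.0/16", None, 32),   # non-office sites: refuse every route inside
    (20, "permit", "10.10.0.0/16", 24,   24),   # dev net: accept only /24 routes
    (30, "permit", "10.20.0.0/16", 16,   28),   # office net: /16 through /28
    (40, "permit", "10.50.0.0/16", None, None), # isolated area: exact /16 only
]


def _entry_matches(entry, route):
    """True if the route falls inside the entry's prefix and its mask length is in range."""
    _, _, prefix, ge, le = entry
    base = ipaddress.ip_network(prefix)
    if not route.subnet_of(base):
        return False
    lo = ge if ge is not None else base.prefixlen
    if le is not None:
        hi = le
    else:
        hi = base.prefixlen if ge is None else route.max_prefixlen
    return lo <= route.prefixlen <= hi


def evaluate(prefix_list, route_str):
    """Return True (permit) or False (deny) for one received route; no match is an implicit deny."""
    route = ipaddress.ip_network(route_str)
    for entry in sorted(prefix_list, key=lambda e: e[0]):
        if _entry_matches(entry, route):
            return entry[1] == "permit"
    return False


def filter_routes(prefix_list, received):
    """Return the subset of received routes the prefix list admits into the BGP table."""
    return [r for r in received if evaluate(prefix_list, r)]


RECEIVED = [  # constructed sample of routes advertised by the cloud-side BGP neighbour
    "10.10.3.0/24", "10.10.0.0/16", "10.20.0.0/16", "10.20.5.0/26",
    "10.20.5.0/30", "10.40.1.0/24", "10.50.0.0/16", "172.16.0.0/12",
]

if __name__ == "__main__":
    for r in RECEIVED:
        print(f"{r:16} {'permit' if evaluate(PREFIX_LIST, r) else 'deny'}")
```

Note that the aggregate 10.10.0.0/16 is rejected although its /24 children are accepted, and 10.20.5.0/30 falls outside the office range; both are deliberate consequences of the ge/le bounds rather than of the prefix alone.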
Further, a third embodiment of the private line network access control method of the present invention is proposed.
Referring to Fig. 5, Fig. 5 is a flow diagram of the third embodiment of the private line network access control method of the present invention. Based on the embodiment shown in Fig. 2, in this embodiment the method further includes, before step S100 (establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the public cloud private line network already accessed):
Step S610: determine the private line access points of the public cloud private line network according to a preset selection condition;
Step S620: access the public cloud private line network based on the public cloud network equipment corresponding to the private line access points.
In this embodiment, the private lines of the parent company and of each branch of the fintech enterprise are connected to the nearest access points of the public cloud operator. The private line access points in this embodiment include a first access point and a second access point, i.e. one target border device connects to the two access points of the public cloud operator nearest to it. It will be understood that each target border device is therefore deployed with two private lines, which avoids a single point of failure.
Further, in this embodiment, as one implementation, the method also includes, after step S100 (establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the public cloud private line network already accessed):
Step a: if a failure is detected on the public cloud private line network corresponding to the first access point, disconnect the BGP neighbour corresponding to the first access point and switch the service traffic of the public cloud private line network corresponding to the first access point to the public cloud private line network corresponding to the second access point.
Specifically, after the target border device and the public cloud network equipment have established the BGP neighbour, BFD (Bidirectional Forwarding Detection, a bidirectional forwarding detection mechanism) is configured on the target border device that terminates the private line and on the public cloud network equipment. That is, a BFD process is started that continuously pings (Ping is a command available on Windows, Unix and Linux systems) the interface at the far end of the private line to test its reachability, and the detection result is associated with the BGP process. When the ping reachability test fails three times, the BGP neighbour of that line is torn down immediately; in other words, if a failure is detected on the public cloud private line network corresponding to the first access point, the BGP neighbour corresponding to the first access point is disconnected. The service traffic of the target border device attached to the failed private line is then switched to the other, healthy private line it is connected to, i.e. the service traffic of the public cloud private line network corresponding to the first access point is switched to the public cloud private line network corresponding to the second access point. This shortens the failover time of the private line link and ensures the reliability of private line network access.
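The dual-line failover described in step a and the paragraph above can be simulated in Python as follows. This is an added example, not the patent's or WeBank's code, and it does not speak BFD or BGP on the wire; it models the decision logic only. The link names ap1 and ap2, the flows pinned to each line and the probe timeline are constructed, and the three-consecutive-failure threshold is the one the text gives. The example also covers the edge cases a practitioner cares about: a single transient miss must not trigger failover, and if both lines are already down there is nowhere to move the traffic.

```python
"""Dual-homed private-line failover driven by BFD-style liveness probes
(added example, not the patent's code)."""
from dataclasses import dataclass, field

FAILURE_THRESHOLD = 3  # consecutive failed probes before a line is declared down (from the text)


@dataclass
class Link:
    name: str                  # e.g. "ap1" / "ap2", constructed names for the two access points
    bgp_up: bool = True        # state of the BGP neighbour on this line
    misses: int = 0            # consecutive failed probes seen so far
    flows: list = field(default_factory=list)   # service flows currently using this line


class EdgeDevice:
    """Target border device with two private lines to the public cloud."""

    def __init__(self, primary, backup):
        self.links = {primary.name: primary, backup.name: backup}
        self.primary, self.backup = primary, backup
        self.events = []

    def probe(self, link_name, reachable):
        """Feed one probe result for a line; returns True if a failover was performed."""
        link = self.links[link_name]
        if reachable:
            link.misses = 0            # a successful probe clears the failure counter
            return False
        link.misses += 1
        if link.misses >= FAILURE_THRESHOLD and link.bgp_up:
            return self._fail_over(link)
        return False

    def _fail_over(self, failed):
        other = self.backup if failed is self.primary else self.primary
        failed.bgp_up = False          # tear down the BGP neighbour on the failed line at once
        self.events.append(f"bgp down {failed.name}")
        if not other.bgp_up:
            self.events.append("no healthy line; flows black-holed")
            return False
        other.flows.extend(failed.flows)   # move the traffic to the surviving line
        moved = len(failed.flows)
        failed.flows = []
        self.events.append(f"moved {moved} flows {failed.name}->{other.name}")
        return True


def simulate(probe_results):
    """probe_results: list of (link_name, reachable) in time order. Returns the device."""
    dev = EdgeDevice(Link("ap1", flows=["core", "office"]), Link("ap2", flows=["dev"]))
    for name, ok in probe_results:
        dev.probe(name, ok)
    return dev


if __name__ == "__main__":
    # Constructed timeline: one transient miss on ap1 that recovers, then three consecutive misses.
    d = simulate([("ap1", False), ("ap1", True), ("ap2", True),
                  ("ap1", False), ("ap1", False), ("ap1", False)])
    print(d.events)
    print({n: l.flows for n, l in d.links.items()})
```

Associating the probe outcome with the BGP session, as the text describes, is what makes failover faster than waiting for the BGP hold timer to expire.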
Further, a fourth embodiment of the private line network access control method of the present invention is proposed.
Referring to Fig. 6, Fig. 6 is a flow diagram of the fourth embodiment of the private line network access control method of the present invention. Based on the first embodiment above, in this embodiment the method further includes, before step S400 (invoking the route map and forwarding the multiple first service traffic flows to the target server respectively based on the service priorities):
Step S310: configure a control access policy based on a preset object group and the attributes of the target server;
Further, step S400, invoking the route map and forwarding the multiple first service traffic flows to the target server respectively based on the service priorities, includes:
Step S410: invoke the route map, and forward the multiple first service traffic flows to the target server respectively according to the service priorities and the control access policy.
In this embodiment, specifically, an object group is configured on the target border device, and source addresses, destination addresses and ports are associated within the object group. The configured object group is invoked and, together with the attributes of the target server, turned into a control access policy. This meets the fintech enterprise's business requirement of controlling the security of the ports over which different branches and different departments may reach each other, for example denying the development network access to the public network. The route map is invoked and the multiple first service traffic flows are forwarded to the target server respectively according to the service priorities and the control access policy, thereby achieving secure access control of the private line network.
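The object-group policy of steps S310 and S410 can be modelled as below. This is an added example, not code from the patent or from any network vendor; the group names, address ranges, ports, rules and sample flows are constructed. It shows the one thing that matters when such a policy is written on real equipment: rules are matched first-hit, so the specific permit (development network to the core database port) must precede the broad deny (development network to anything else, which covers the public network), and anything no rule names is dropped by the implicit deny before the route map's priority order is applied.

```python
"""Object-group access policy applied before priority forwarding
(added example, not the patent's code)."""
import ipaddress

# Constructed object groups: named sets of networks and of ports, as configured on the border device.
NETWORK_GROUPS = {
    "dev-net": ["10.30.0.0/16"],
    "office-net": ["10.20.0.0/16"],
    "core-servers": ["10.10.1.0/24"],
    "any": ["0.0.0.0/0"],
}
PORT_GROUPS = {
    "web": [80, 443],
    "db": [3306],
}

# Control access policy: (action, source group, destination group, port group or None = any port).
# Evaluated top to bottom, first match wins, implicit deny at the end.
POLICY = [
    ("permit", "dev-net",    "core-servers", "db"),   # specific permit first
    ("deny",   "dev-net",    "any",          None),   # dev net may reach nothing else (incl. public)
    ("permit", "office-net", "core-servers", "web"),
    ("permit", "office-net", "any",          "web"),  # office may use web ports anywhere
]

ROUTE_MAP_PRIORITY = {"core": 10, "office": 20, "dev": 30}  # constructed; lower = higher priority


def _in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in NETWORK_GROUPS[group])


def _port_ok(port, group):
    return group is None or port in PORT_GROUPS[group]


def decide(src, dst, port):
    """Return "permit" or "deny" for one flow according to the policy."""
    for action, src_group, dst_group, port_group in POLICY:
        if _in_group(src, src_group) and _in_group(dst, dst_group) and _port_ok(port, port_group):
            return action
    return "deny"


def forward_with_policy(flows):
    """Step S410 analogue: drop flows the policy denies, forward the rest in priority order.

    Returns (permitted flows in forwarding order, dropped flows)."""
    permitted = [f for f in flows if decide(f["src"], f["dst"], f["port"]) == "permit"]
    dropped = [f for f in flows if f not in permitted]
    permitted.sort(key=lambda f: ROUTE_MAP_PRIORITY.get(f["type"], 100))
    return permitted, dropped


FLOWS = [  # constructed sample flows; 203.0.113.0/24 is a documentation range standing in for the public network
    {"id": "a", "type": "dev",    "src": "10.30.5.5", "dst": "203.0.113.10", "port": 443},
    {"id": "b", "type": "dev",    "src": "10.30.5.5", "dst": "10.10.1.20",   "port": 3306},
    {"id": "c", "type": "office", "src": "10.20.1.1", "dst": "10.10.1.20",   "port": 443},
    {"id": "d", "type": "office", "src": "10.20.1.1", "dst": "10.10.1.20",   "port": 3306},
]

if __name__ == "__main__":
    ok, blocked = forward_with_policy(FLOWS)
    print("forwarded:", [f["id"] for f in ok])
    print("dropped:  ", [f["id"] for f in blocked])
```

Swapping the first two rules would silently block the development network's database access as well, which is the usual way such policies break in practice; keeping the permit above the deny, and testing both directions of each rule, is the check to make before committing the configuration.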
In addition, an embodiment of the present invention also proposes a private line network access control apparatus, provided in a target border device that is communicatively connected to a target server. The private line network access control apparatus includes:
an establishing module, for establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the public cloud private line network already accessed;
a first obtaining module, for obtaining, according to the established BGP neighbour, multiple first service traffic flows corresponding to multiple service types;
a definition module, for defining a route map for the multiple first service traffic flows, the route map including the service priorities corresponding to the multiple service types;
a forwarding module, for invoking the route map and forwarding the multiple first service traffic flows to the target server respectively based on the service priorities.
Preferably, the first obtaining module includes:
a configuration unit, for configuring an access control list based on a preset service type requirement;
an obtaining unit, for obtaining the multiple first service traffic flows corresponding to the multiple service types according to the established BGP neighbour and the configured access control list.
Preferably, the apparatus further includes:
a second obtaining module, for obtaining, based on the BGP neighbour and the target routes corresponding to a preset prefix list, the second service traffic corresponding to those target routes;
a filtering module, for filtering the second service traffic according to a preset filter condition to obtain filtered second service traffic, the filtered second service traffic including the multiple first service traffic flows corresponding to the multiple service types.
Preferably, the apparatus further includes:
a determining module, for determining the private line access points of the public cloud private line network according to a preset selection condition;
an access module, for accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access points.
Preferably, the private line access points include a first access point and a second access point, and the apparatus further includes:
a switching module, for disconnecting the BGP neighbour corresponding to the first access point if a failure is detected on the public cloud private line network corresponding to the first access point, and switching the service traffic of the public cloud private line network corresponding to the first access point to the public cloud private line network corresponding to the second access point.
Preferably, the apparatus further includes:
a configuration module, for configuring a control access policy based on a preset object group and the attributes of the target server;
and the forwarding module includes:
a forwarding unit, for invoking the route map and forwarding the multiple first service traffic flows to the target server respectively according to the service priorities and the control access policy.
For the method implemented by each module of the private line network access control apparatus of this embodiment when it runs, reference may be made to the embodiments of the private line network access control method of the present invention; it is not repeated here.
In addition, an embodiment of the present invention also proposes a computer-readable storage medium on which a private line network access control program is stored; when the private line network access control program is executed by a processor, it implements the steps of the private line network access control method described above.
For the method implemented when the private line network access control program running on the processor is executed, reference may be made to the embodiments of the private line network access control method of the present invention; it is not repeated here.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or apparatus. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or apparatus that includes that element.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
Through the description of the above embodiments, those skilled in the art can clearly understand that the method of the above embodiments may be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The software product is stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner or network device, etc.) to execute the method described in each embodiment of the present invention.
The above are merely preferred embodiments of the present invention and do not limit its scope of protection. Any equivalent structural or process transformation made using the contents of the specification and drawings of the present invention, applied directly or indirectly in other related technical fields, is likewise included within the scope of protection of the present invention.

Claims (14)

1. A private line network access control method, characterized in that it is applied to a target border device, the target border device being communicatively connected to a target server, and the private line network access control method comprises the following steps:
establishing a Border Gateway Protocol (BGP) neighbour with public cloud network equipment based on a public cloud private line network that has been accessed;
according to the established BGP neighbour, obtaining multiple first service traffic flows corresponding to multiple service types;
defining a route map (routing diagram) for the multiple first service traffic flows, the route map including service priorities corresponding respectively to the multiple service types;
invoking the route map, and forwarding the multiple first service traffic flows to the target server respectively based on the service priorities.
2. The private line network access control method according to claim 1, characterized in that the step of obtaining, according to the established BGP neighbour, multiple first service traffic flows corresponding to multiple service types comprises:
configuring an access control list based on a preset service type requirement;
obtaining the multiple first service traffic flows corresponding to the multiple service types according to the established BGP neighbour and the configured access control list.
3. The private line network access control method according to claim 2, characterized in that, after the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the method further comprises:
based on the BGP neighbour and target routes corresponding to a preset prefix list, obtaining second service traffic corresponding to the target routes;
filtering the second service traffic according to a preset filter condition to obtain filtered second service traffic, the filtered second service traffic including the multiple first service traffic flows corresponding to the multiple service types; and proceeding to the step of obtaining, according to the established BGP neighbour, the multiple first service traffic flows corresponding to the multiple service types.
4. The private line network access control method according to any one of claims 1-3, characterized in that, before the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the method further comprises:
determining a private line access point of the public cloud private line network according to a preset selection condition;
accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
5. The private line network access control method according to claim 4, characterized in that the private line access point includes a first access point and a second access point, and after the step of establishing a Border Gateway Protocol (BGP) neighbour with the public cloud network equipment based on the accessed public cloud private line network, the method further comprises:
if a failure is detected on the public cloud private line network corresponding to the first access point, disconnecting the BGP neighbour corresponding to the first access point, and switching the service traffic of the public cloud private line network corresponding to the first access point to the public cloud private line network corresponding to the second access point.
6. The private line network access control method according to any one of claims 1-3, characterized in that, before the step of invoking the route map and forwarding the multiple first service traffic flows to the target server respectively based on the service priorities, the method further comprises:
configuring a control access policy based on a preset object group and attributes of the target server;
and the step of invoking the route map and forwarding the multiple first service traffic flows to the target server respectively based on the service priorities comprises:
invoking the route map, and forwarding the multiple first service traffic flows to the target server respectively according to the service priorities and the control access policy.
7. A private line network access control apparatus, characterized in that it is provided in a target border device, the target border device being communicatively connected to a target server, and the private line network access control apparatus comprises:
an establishing module, configured to establish a Border Gateway Protocol (BGP) neighbour with public cloud network equipment based on an accessed public cloud private line network;
a first obtaining module, configured to obtain multiple first service traffic flows corresponding to multiple service types according to the established BGP neighbour;
a definition module, configured to define a route map (routing diagram) for the multiple first service traffic flows, the route map including service priorities corresponding to the multiple service types;
a forwarding module, configured to invoke the route map and forward the multiple first service traffic flows to the target server respectively based on the service priorities.
8. The private line network access control apparatus according to claim 7, characterized in that the first obtaining module comprises:
a configuration unit, configured to configure an access control list based on a preset service type requirement;
an obtaining unit, configured to obtain the multiple first service traffic flows corresponding to the multiple service types according to the established BGP neighbour and the configured access control list.
9. The private line network access control apparatus according to claim 8, characterized in that the apparatus further comprises:
a second obtaining module, configured to obtain, based on the BGP neighbour and target routes corresponding to a preset prefix list, second service traffic corresponding to the target routes;
a filtering module, configured to filter the second service traffic according to a preset filter condition to obtain filtered second service traffic, the filtered second service traffic including the multiple first service traffic flows corresponding to the multiple service types.
10. The private line network access control apparatus according to any one of claims 7-9, characterized in that the apparatus further comprises:
a determining module, configured to determine a private line access point of the public cloud private line network according to a preset selection condition;
an access module, configured to access the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
11. The private line network access control apparatus according to claim 10, characterized in that the private line access point includes a first access point and a second access point, and the apparatus further comprises:
a switching module, configured to, if a failure is detected on the public cloud private line network corresponding to the first access point, disconnect the BGP neighbour corresponding to the first access point and switch the service traffic of the public cloud private line network corresponding to the first access point to the public cloud private line network corresponding to the second access point.
12. The private line network access control apparatus according to any one of claims 7-9, characterized in that the apparatus further comprises:
a configuration module, configured to configure a control access policy based on a preset object group and attributes of the target server;
and the forwarding module comprises:
a forwarding unit, configured to invoke the route map and forward the multiple first service traffic flows to the target server respectively according to the service priorities and the control access policy.
13. A private line network access control device, characterized in that the device comprises a memory, a processor, and a private line network access control program stored on the memory and runnable on the processor, and when the private line network access control program is executed by the processor, the steps of the private line network access control method according to any one of claims 1 to 6 are implemented.
14. A readable storage medium, characterized in that it is applied to a computer, a private line network access control program is stored on the readable storage medium, and when the private line network access control program is executed by a processor, the steps of the private line network access control method according to any one of claims 1 to 6 are implemented.
CN201910450419.XA 2019-05-24 2019-05-24 Private line network access control method, device, equipment and readable storage medium Active CN110191067B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910450419.XA CN110191067B (en) 2019-05-24 2019-05-24 Private line network access control method, device, equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910450419.XA CN110191067B (en) 2019-05-24 2019-05-24 Private line network access control method, device, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN110191067A true CN110191067A (en) 2019-08-30
CN110191067B CN110191067B (en) 2023-04-18

Family

ID=67718187

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910450419.XA Active CN110191067B (en) 2019-05-24 2019-05-24 Private line network access control method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN110191067B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112511426A (en) * 2019-09-16 2021-03-16 中国移动通信集团河北有限公司 Traffic grooming method and device, computing device and storage medium for service
CN113595901A (en) * 2020-04-30 2021-11-02 华为技术有限公司 Routing method and device based on border gateway protocol
WO2021227863A1 (en) * 2020-05-09 2021-11-18 北京金山云网络技术有限公司 Disaster recovery method and apparatus for hybrid cloud private line access network

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014182805A1 (en) * 2013-05-07 2014-11-13 Equinix, Inc. A direct connect virtual private interface for a one to many connection with multiple virtual private clouds
CN106685825A (en) * 2017-02-18 2017-05-17 郑州云海信息技术有限公司 Cloud routing network management method and system based on cloud computing
CN106936857A (en) * 2015-12-29 2017-07-07 中国电信股份有限公司 A kind of connection management method of mixed cloud, SDN controllers and mixing cloud system
US9935816B1 (en) * 2015-06-16 2018-04-03 Amazon Technologies, Inc. Border gateway protocol routing configuration
CN109347743A (en) * 2018-08-02 2019-02-15 平安科技(深圳)有限公司 A kind of special line communication method, computer readable storage medium and terminal device
CN109525512A (en) * 2019-01-22 2019-03-26 新华三技术有限公司 A kind of method for building up and device of bgp neighbor



Also Published As

Publication number Publication date
CN110191067B (en) 2023-04-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant