CN110191067B - Private line network access control method, device, equipment and readable storage medium - Google Patents

Private line network access control method, device, equipment and readable storage medium Download PDF

Info

Publication number
CN110191067B
Authority
CN
China
Prior art keywords
service
private network
access control
public cloud
private
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910450419.XA
Other languages
Chinese (zh)
Other versions
CN110191067A (en)
Inventor
林丰
卢道和
谢波
沈卫华
赵伟
杨成旺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by WeBank Co Ltd
Priority to CN201910450419.XA
Publication of CN110191067A
Application granted
Publication of CN110191067B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of financial technology (Fintech) and discloses a private line network access control method, device, equipment and readable storage medium. The method comprises the following steps: establishing a Border Gateway Protocol (BGP) neighbor with the public cloud network equipment based on the accessed public cloud private line network; acquiring a plurality of first service flows, corresponding respectively to a plurality of service types, according to the established BGP neighbor; defining a routing graph for the plurality of first service flows, the routing graph comprising service priorities corresponding respectively to the plurality of service types; and calling the routing graph and forwarding each of the first service flows to the target server based on its service priority. The invention optimizes network service flow processing for financial technology enterprises; flow processing based on service priority ensures that important services keep communicating when the line is at peak load.

Description

Private line network access control method, device, equipment and readable storage medium
Technical Field
The invention relates to the technical field of financial technology (Fintech), in particular to a private network access control method, a private network access control device, private network access control equipment and a readable storage medium.
Background
With the development of computer technology, more and more computer technologies (such as artificial intelligence, blockchain and cloud computing) are being applied in the financial field; the traditional financial industry is gradually changing into financial technology (Fintech), and network data traffic in financial technology is continuously increasing. At present, in the network interconnection architecture of a financial technology enterprise, a branch office depends on the head office to forward service data traffic. Against the background of rapidly increasing service data traffic, forwarding all acquired service traffic together is very likely to cause congestion or failure of the network lines, and communication of important services cannot be guaranteed when the lines are at peak load.
Disclosure of Invention
The invention mainly aims to provide a private network access control method, device, equipment and readable storage medium, and aims to solve the problem that, in the network interconnection architecture of a financial technology enterprise, a branch office depends on the head office to forward data and communication of important services cannot be guaranteed at line peak.
In order to achieve the above object, the present invention provides a private network access control method, which is applied to a target border device, wherein the target border device is in communication connection with a target server, and the private network access control method comprises the following steps:
establishing a Border Gateway Protocol (BGP) neighbor with public cloud network equipment based on the accessed public cloud private network;
acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors;
defining a routing graph for the plurality of first traffic flows, the routing graph comprising traffic priorities corresponding to the plurality of traffic types, respectively;
and calling the routing graph, and respectively forwarding the first service flows to the target server based on the service priority.
Optionally, the step of acquiring, according to the established BGP neighbor, a plurality of first service flows corresponding to the plurality of service types respectively includes:
configuring an access control list based on preset service type requirements;
and acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors and the configured access control list.
Optionally, the step of establishing a BGP neighbor with the public cloud network device based on the accessed public cloud private network further includes:
acquiring a second service flow corresponding to the target route based on the BGP neighbor and the target route corresponding to the preset prefix list;
filtering the second service traffic according to a preset filtering condition to obtain filtered second service traffic, wherein the filtered second service traffic comprises a plurality of first service traffics corresponding to the plurality of service types respectively; and then proceeding to the step of acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors.
Optionally, before the step of establishing a BGP neighbor with the public cloud network device based on the accessed public cloud private network, the method further includes:
determining a private access point of a public cloud private line network according to a preset selection condition;
and accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
Optionally, the step of establishing a BGP neighbor with the public cloud network device based on the accessed public cloud private network further includes:
and if detecting that the public cloud private network corresponding to the first access point has a fault, disconnecting the BGP neighbor corresponding to the first access point, and switching the service flow of the public cloud private network corresponding to the first access point to the public cloud private network corresponding to the second access point.
Optionally, before the step of invoking the routing graph and forwarding the plurality of first traffic flows to the target server respectively based on the traffic priorities, the method further includes:
configuring a control access strategy based on a preset object group and the attribute of the target server;
the step of invoking the routing graph and forwarding the plurality of first traffic flows to the target server based on the traffic priorities respectively comprises:
and calling the routing graph, and respectively forwarding the plurality of first service flows to the target server according to the service priority and the control access strategy.
In addition, the present invention further provides a private network access control device, which is disposed on a target border device, wherein the target border device is in communication connection with a target server, and the private network access control device includes:
the establishing module is used for establishing a Border Gateway Protocol (BGP) neighbor with public cloud network equipment based on the accessed public cloud private network;
the first acquisition module is used for acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors;
a defining module, configured to define a routing graph for the plurality of first service flows, where the routing graph includes service priorities respectively corresponding to the plurality of service types;
and the forwarding module is used for calling the routing graph and respectively forwarding the plurality of first service flows to the target server based on the service priority.
Optionally, the first obtaining module includes:
the configuration unit is used for configuring an access control list based on the preset service type requirement;
and the acquisition unit is used for acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors and the configured access control list.
Optionally, the apparatus further comprises:
a second obtaining module, configured to obtain, based on the BGP neighbor and a target route corresponding to a preset prefix list, a second service traffic corresponding to the target route;
and the filtering module is used for filtering the second service flow according to a preset filtering condition to obtain a filtered second service flow, wherein the filtered second service flow comprises a plurality of first service flows corresponding to the plurality of service types respectively.
Optionally, the apparatus further comprises:
the determining module is used for determining a private access point of the public cloud private line network according to a preset selection condition;
and the access module is used for accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
Optionally, the private line access point includes a first access point and a second access point, and the apparatus further includes:
and the switching module is used for disconnecting the BGP neighbor corresponding to the first access point and switching the service flow of the public cloud private network corresponding to the first access point to the public cloud private network corresponding to the second access point if the public cloud private network corresponding to the first access point is detected to have a fault.
Optionally, the apparatus further comprises:
the configuration module is used for configuring a control access strategy based on a preset object group and the attribute of the target server;
the forwarding module includes:
and the forwarding unit is used for calling the routing graph and respectively forwarding the plurality of first service flows to the target server according to the service priority and the control access strategy.
In addition, in order to achieve the above object, the present invention further provides a private network access control device, including: the system comprises a memory, a processor and a private network access control program which is stored on the memory and can run on the processor, wherein the private network access control program realizes the steps of the private network access control method according to any one of the above items when being executed by the processor.
In addition, in order to achieve the above object, the present invention further provides a readable storage medium applied to a computer, where a private network access control program is stored on the readable storage medium, and when the private network access control program is executed by a processor, the steps of the private network access control method are implemented.
The method establishes a Border Gateway Protocol (BGP) neighbor with the public cloud network equipment based on the accessed public cloud private network; acquires a plurality of first service flows corresponding respectively to a plurality of service types according to the established BGP neighbors; defines a routing graph for the plurality of first traffic flows, the routing graph comprising traffic priorities corresponding respectively to the plurality of traffic types; and calls the routing graph and forwards each first service flow to the target server based on its service priority. In a financial technology enterprise, therefore, the target border devices of the head office and of the branch offices obtain service traffic directly from the cloud through the public cloud private network, the obtained service traffic is prioritized, and it is forwarded according to the set priorities, which solves the prior-art problem that a branch office depends on the head office to forward data and important service communication cannot be guaranteed at line peak. The invention optimizes network service flow processing in the enterprise network interconnection architecture, and priority-based service flow processing ensures communication of important services at line peak.
Drawings
FIG. 1 is a schematic diagram of a hardware operating environment according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a first embodiment of a private network access control method according to the present invention;
FIG. 3 is a detailed diagram of step S200 in FIG. 2;
fig. 4 is a flowchart illustrating a second embodiment of the method for controlling access to a private network according to the present invention;
fig. 5 is a flowchart illustrating a third embodiment of a private network access control method according to the present invention;
fig. 6 is a flowchart illustrating a fourth embodiment of the method for controlling access to a private network according to the present invention.
The implementation, functional features and advantages of the present invention will be further described with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic structural diagram of a hardware operating environment according to an embodiment of the present invention.
It should be noted that fig. 1 is a schematic structural diagram of a hardware operating environment of a private network access control device. The private network access control equipment of the embodiment of the invention can be terminal equipment such as a PC, a portable computer and the like.
As shown in fig. 1, the private network access control device may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
It will be appreciated by those skilled in the art that the private network access control device architecture shown in fig. 1 does not constitute a limitation of private network access control devices, and may include more or fewer components than shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer-readable storage medium, may include therein an operating system, a network communication module, a user interface module, and a private network access control program. The operating system is a program for managing and controlling hardware and software resources of the private network access control device, and supports the running of the private network access control program and other software or programs.
In the private network access control apparatus shown in fig. 1, the user interface 1003 is mainly used for data communication with each terminal; the network interface 1004 is mainly used for connecting a background server and performing data communication with the background server; and the processor 1001 may be configured to invoke a private network access control program stored in the memory 1005 and perform the following operations:
establishing a Border Gateway Protocol (BGP) neighbor with public cloud network equipment based on the accessed public cloud private network;
acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors;
defining a routing graph for the plurality of first traffic flows, the routing graph comprising traffic priorities corresponding to the plurality of traffic types, respectively;
and calling the routing graph, and respectively forwarding the first service flows to the target server based on the service priority.
Further, the processor 1001 may be further configured to call a private network access control program stored in the memory 1005, and perform the following steps:
configuring an access control list based on preset service type requirements;
and acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors and the configured access control list.
Further, after the step of establishing a BGP neighbor with the public cloud network device based on the accessed public cloud private network, the processor 1001 may be further configured to call a private network access control program stored in the memory 1005, and execute the following steps:
acquiring a second service flow corresponding to the target route based on the BGP neighbor and the target route corresponding to the preset prefix list;
and filtering the second service flow according to a preset filtering condition to obtain a filtered second service flow, wherein the filtered second service flow comprises a plurality of first service flows corresponding to the plurality of service types respectively.
Further, before the step of establishing a BGP neighbor with the public cloud network device based on the accessed public cloud private network, the processor 1001 may be further configured to call the private network access control program stored in the memory 1005 and execute the following steps:
determining a private access point of a public cloud private line network according to a preset selection condition;
and accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
Further, the private line access points include a first access point and a second access point, and after the step of establishing a BGP neighbor with the public cloud network device based on the accessed public cloud private network, the processor 1001 may be further configured to call the private network access control program stored in the memory 1005 and execute the following steps:
and if detecting that the public cloud private network corresponding to the first access point has a fault, disconnecting the BGP neighbor corresponding to the first access point, and switching the service flow of the public cloud private network corresponding to the first access point to the public cloud private network corresponding to the second access point.
Further, before the step of invoking the routing graph and forwarding the plurality of first traffic flows to the target server respectively based on the traffic priorities, the processor 1001 may be further configured to invoke the private network access control program stored in the memory 1005 and perform the following steps:
configuring a control access strategy based on a preset object group and the attribute of the target server;
the step of invoking the routing graph and forwarding the plurality of first traffic flows to the target server based on the traffic priorities respectively comprises:
and calling the routing graph, and respectively forwarding the plurality of first service flows to the target server according to the service priority and the control access strategy.
Based on the above structure, the embodiments of the method for controlling access to the private network of the present invention are provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a private network access control method according to a first embodiment of the present invention.
While a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in an order different than that shown or described herein.
The private network access control method of the embodiment is applied to a target boundary device, the target boundary device is in communication connection with a target server, and the target boundary device of the embodiment may be a network boundary device such as a firewall or a router.
The method for controlling the access of the private line network comprises the following steps:
step S100, establishing a Border Gateway Protocol (BGP) neighbor with public cloud network equipment based on an accessed public cloud private network;
At present, network data traffic in financial technology is increasing continuously and rapidly. In the network interconnection architecture of an existing financial technology enterprise, however, the branch office depends on the head office to forward service data traffic, which has the following disadvantages: pulling a private line directly from the head office to each branch office involves a huge and expensive private line cost; communication among branches depends on the head office for data forwarding, so all traffic detours through the head office and the load on the private line increases; there is a single point of failure, so if the head office network fails, all branch offices are affected; and against the background of rapidly increasing service data traffic, the head office forwarding all acquired service traffic together very easily causes congestion or failure of the network lines, so communication of important services cannot be guaranteed at line peak.
The target boundary device of this embodiment may be a target boundary device of a head office or a target boundary device of a branch office, that is, the head office and the branch office of this embodiment directly obtain service traffic from the cloud based on the target boundary devices corresponding thereto, thereby avoiding a problem in the prior art that a huge private line cost is involved when a private line is directly pulled from the head office to each branch office, and also avoiding a problem in which communication between the branch offices depends on the head office to perform data forwarding, all traffic bypasses from the head office, and a load of the private line is increased.
In this embodiment, the target border device establishes a Border Gateway Protocol (BGP) neighbor with the public cloud network device based on the accessed public cloud private network. Specifically, the Border Gateway Protocol (BGP) is a routing protocol used to connect autonomous systems on the Internet; after the target border device is connected to the public cloud private network, it establishes BGP neighbors with the public cloud network devices in order to exchange routing information dynamically.
Step S200, acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors;
in this embodiment, a head office of a financial technology enterprise (e.g., a bank) and a target boundary device of a branch office both obtain a plurality of first service flows corresponding to a plurality of service types based on established BGP neighbors; specifically, referring to fig. 3, fig. 3 is a schematic diagram of a refining step of step S200 in this embodiment, and step S200 in this embodiment specifically includes the following refining steps:
step 210, configuring an access control list based on a preset service type requirement;
step 220, obtaining a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors and the configured access control list.
Different branch offices have different service type requirements, which can be set according to actual needs. After a plurality of service types have been set according to those requirements, an Access Control List (ACL) is configured to capture the service flows of the different service types; the first service flows may be IP telephone traffic, service transaction traffic, ordinary internet traffic and the like.
Step S300, defining a routing graph aiming at the plurality of first service flows, wherein the routing graph comprises service priorities respectively corresponding to the plurality of service types;
A routing graph is defined for the plurality of first service flows, the routing graph comprising service priorities corresponding respectively to the plurality of service types. Specifically, a policy-map (routing map) is configured on the target border device; one routing map is composed of a plurality of policies, and each policy defines one or more matching rules and the corresponding operations. By configuring the routing map, a high priority is set for important services (such as service transaction traffic) and a low priority for unimportant services (such as internet traffic).
Step S400, invoking the routing graph, and forwarding the plurality of first service flows to the target server based on the service priorities, respectively.
The routing graph is called in the inbound and outbound directions of the interface on which the target border device connects to the private line, so that when the target border device forwards the plurality of first service flows it performs the forwarding operation according to the priorities defined in the routing graph, that is, high-priority packets are forwarded first. This optimizes network traffic processing and ensures communication of important services at line peak.
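As an added worked example (not code from the patent or from WeBank), the following Python model walks through steps S210 to S400 as described above: an access control list classifies flows into service types, a routing graph (the route-map/policy-map on the border device) assigns each type a priority, the control access strategy from the optional step checks the source object group against the target server, and forwarding drains the flows in priority order within the line capacity, so that at peak load the low-priority internet traffic is shed while transaction and IP telephone traffic still gets through. The ACL entries, service types, priorities, object groups, addresses and sample flows are all constructed assumptions.

```python
"""Added example, not code from the patent: a small Python model of steps
S210 to S400 (ACL classification, route-map priorities, control access
strategy, priority forwarding). ACL entries, service types, priorities,
object groups and sample flows are all constructed for illustration."""
import heapq
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source IP of the flow
    dst: str     # target server IP
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    size: int    # bytes this flow wants to send in the current interval


# Step S210: access control list entries that classify traffic into service
# types (constructed): (protocol, inclusive destination-port range, service).
ACL = [
    ("udp", (5060, 5061), "ip_phone"),      # SIP signalling
    ("udp", (16384, 32767), "ip_phone"),    # RTP voice media
    ("tcp", (8443, 8443), "transaction"),   # business transaction API
    ("tcp", (80, 80), "internet"),          # ordinary web traffic
    ("tcp", (443, 443), "internet"),
]

# Step S300: the routing graph (a route-map/policy-map on the border device)
# assigns a priority to each service type; lower number is forwarded first.
ROUTE_MAP = {"transaction": 0, "ip_phone": 1, "internet": 2}

# Control access strategy: object groups of permitted sources per target
# server (the "attribute of the target server" here is simply its address).
OBJECT_GROUPS = {
    "hq_lan": [ipaddress.ip_network("10.10.0.0/16")],
    "branch_lan": [ipaddress.ip_network("10.20.0.0/16")],
}
SERVER_POLICY = {
    "10.1.1.10": {"hq_lan", "branch_lan"},  # transaction server
    "10.1.1.20": {"hq_lan", "branch_lan"},  # IP telephony gateway
    "10.1.1.30": {"hq_lan"},                # proxy reachable from HQ only
}


def classify(flow):
    """Return the service type of the first matching ACL entry, or None."""
    for proto, (lo, hi), service in ACL:
        if flow.proto == proto and lo <= flow.dport <= hi:
            return service
    return None


def access_allowed(flow):
    """Apply the control access strategy: is flow.src inside an object group
    permitted to reach flow.dst?  Servers without a policy are denied."""
    src = ipaddress.ip_address(flow.src)
    return any(src in net
               for group in SERVER_POLICY.get(flow.dst, ())
               for net in OBJECT_GROUPS[group])


def forward(flows, capacity):
    """Step S400: forward flows in route-map priority order within the
    private line capacity for this interval.  Returns (forwarded, denied,
    shed): denied flows failed the ACL or access strategy; shed flows were
    legitimate but no longer fit once higher priorities had been served."""
    queue, denied = [], []
    for order, flow in enumerate(flows):
        service = classify(flow)
        if service is None or not access_allowed(flow):
            denied.append(flow)
            continue
        # order breaks ties so flows of equal priority keep arrival order
        heapq.heappush(queue, (ROUTE_MAP[service], order, flow))
    forwarded, shed, remaining = [], [], capacity
    while queue:
        _, _, flow = heapq.heappop(queue)
        if flow.size <= remaining:
            remaining -= flow.size
            forwarded.append(flow)
        else:
            shed.append(flow)
    return forwarded, denied, shed


# Constructed sample flows arriving at the border device in one interval.
SAMPLE_FLOWS = [
    Flow("10.20.5.7", "10.1.1.10", "tcp", 8443, 300),  # branch transaction
    Flow("10.20.5.8", "10.1.1.20", "udp", 5060, 100),  # branch IP phone
    Flow("10.20.5.9", "10.1.1.30", "tcp", 443, 900),   # branch -> HQ-only proxy
    Flow("10.10.3.3", "10.1.1.30", "tcp", 80, 700),    # HQ internet traffic
    Flow("10.20.5.7", "10.1.1.10", "tcp", 22, 50),     # no ACL entry for SSH
]

if __name__ == "__main__":
    fwd, den, shd = forward(SAMPLE_FLOWS, capacity=1000)
    print("forwarded:", [classify(f) for f in fwd])
    print("denied:", len(den), "shed:", [classify(f) for f in shd])
```

With a capacity of 1000 bytes the transaction and IP telephone flows are forwarded, the branch-to-proxy flow and the SSH flow are denied before they reach the queue, and the 700-byte internet flow is shed; with capacity 2000 all three legitimate flows go through in priority order. On a real border device the same decisions are expressed as ACL, object-group and policy-map statements applied to the private line interface; the model keeps only the decision logic so the priority behaviour at peak can be checked offline.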
In the embodiment, based on an accessed public cloud private network, a Border Gateway Protocol (BGP) neighbor is established with public cloud network equipment; acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors; defining a routing graph for the plurality of first traffic flows, the routing graph comprising traffic priorities corresponding to the plurality of traffic types, respectively; calling the routing graph, and respectively forwarding the first service flows to the target server based on the service priority; therefore, the target boundary equipment of the head office and the branch office directly obtain the service flow from the cloud end through the public cloud private network, the obtained service flow is prioritized, and the service flow is forwarded according to the set priority, so that the problem that in the prior art, the branch office depends on the head office to forward data, and important service communication cannot be guaranteed at the peak value of the line is solved. The embodiment realizes the optimization of network service flow processing in an enterprise network interconnection architecture, and the service flow processing based on the priority guarantees the communication of important services at the peak value of a line.
Further, a second embodiment of the private network access control method of the present invention is provided.
Referring to fig. 4, fig. 4 is a flowchart illustrating a second embodiment of the private network access control method according to the present invention. Based on the first embodiment, in this embodiment the method further includes, after step S100 of establishing a BGP neighbor with the public cloud network device based on the accessed public cloud private network:
step S510, based on the BGP neighbor and a target route corresponding to a preset prefix list, acquiring a second service flow corresponding to the target route;
step S520, filtering the second service traffic according to a preset filtering condition to obtain filtered second service traffic, where the filtered second service traffic includes a plurality of first service traffics corresponding respectively to the plurality of service types; the method then proceeds to step S200, acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors.
In this embodiment, a prefix-list (prefix list) is configured in the BGP process to capture the different service flows, that is, the second service flow, which may include development network, office network, isolation zone (DMZ) and non-enterprise traffic and the like. The prefix list is used to match and filter routes and can restrict both the range of the prefix and the range of the mask length; in this embodiment, according to the prefix list set in the BGP process, the second service traffic corresponding to the target routes contained in the prefix list is acquired.
Further, as one implementation: as the traditional financial industry gradually transitions to financial technology, fintech enterprises face ever higher information security requirements. In this embodiment, after the second service flow has been captured by the prefix-list, the routes to be accepted or rejected are configured, for example rejecting any route that does not belong to a workplace, which filters the second service flow; the filtered second service flow is then used to define the route map, so that forwarding is handled according to service priority. Filtering at this point acts as an ingress control on what the border device learns at all: a route that is never accepted can neither be matched by the route map nor reached through the access policy. The embodiment thus optimizes service traffic handling in the enterprise network interconnection architecture, guarantees the communication of important services at line peak, and at the same time improves the fintech enterprise's network security at the routing level.
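The prefix-list capture of step S510 and the permit/reject filtering of step S520, worked through as an added example in Python (this is not the patent's code, and the prefixes, service-type labels, the prefix-list entries and the set of "workplace" types are all constructed for illustration). It shows the two constraints a prefix-list entry applies, the address range and the mask-length range (ge/le), the first-match-wins order with an implicit deny, and the second stage that rejects routes of a non-workplace type before they can reach the route map:

```python
"""Prefix-list capture and permit/deny filtering of routes learned over a BGP neighbor.

Added example, not code from the patent. The prefixes, service-type labels
and prefix-list entries below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional


@dataclass(frozen=True)
class PrefixListEntry:
    """One permit/deny line of a prefix list with optional ge/le length bounds."""
    action: str
    prefix: IPv4Network
    ge: Optional[int] = None   # minimum prefix length accepted (inclusive)
    le: Optional[int] = None   # maximum prefix length accepted (inclusive)

    def matches(self, route: IPv4Network) -> bool:
        # The route must lie inside the entry's prefix (address range) and its
        # mask length must lie inside [ge, le] (mask range). With neither bound
        # only an exact-length match counts, as on common router implementations.
        if not route.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.prefix.prefixlen
        return lo <= route.prefixlen <= hi


def prefix_list_permits(prefix_list, route: IPv4Network) -> bool:
    """First matching entry wins; a prefix list ends with an implicit deny."""
    for entry in prefix_list:
        if entry.matches(route):
            return entry.action == "permit"
    return False


def capture_routes(prefix_list, received):
    """Step S510: keep only the received routes the prefix list permits.

    `received` is a list of (prefix_str, service_type) pairs as learned from
    the BGP neighbor; the result is the 'second service traffic'.
    """
    return [(ip_network(p), t) for p, t in received
            if prefix_list_permits(prefix_list, ip_network(p))]


def filter_by_workplace(captured, allowed_types):
    """Step S520: reject routes whose service type is not an allowed workplace
    and group the rest by service type (the per-type 'first service traffic')."""
    grouped = {}
    for prefix, service_type in captured:
        if service_type not in allowed_types:
            continue            # e.g. non-enterprise routes are rejected here
        grouped.setdefault(service_type, []).append(str(prefix))
    return grouped


# Constructed routes as they might be advertised from the public cloud side.
RECEIVED_ROUTES = [
    ("10.10.0.0/16", "development"),
    ("10.20.0.0/16", "office"),
    ("10.30.5.0/24", "isolation_area"),
    ("10.0.0.0/8", "office"),            # aggregate shorter than ge: not captured
    ("10.10.7.128/25", "development"),   # longer than le: not captured
    ("192.0.2.0/24", "non_enterprise"),  # captured, then rejected by the filter
]

# Constructed prefix list: enterprise 10/8 routes between /16 and /24, plus one
# external block; everything else falls through to the implicit deny.
PREFIX_LIST = [
    PrefixListEntry("permit", ip_network("10.0.0.0/8"), ge=16, le=24),
    PrefixListEntry("permit", ip_network("192.0.2.0/24")),
]

# Constructed filtering condition: only these service types are workplaces.
WORKPLACE_TYPES = {"development", "office", "isolation_area"}


def run():
    """Capture with the prefix list, then apply the workplace filter."""
    captured = capture_routes(PREFIX_LIST, RECEIVED_ROUTES)
    return filter_by_workplace(captured, WORKPLACE_TYPES)


if __name__ == "__main__":
    print(run())
```

The two stages are deliberately separate: the prefix list decides which routes the border device accepts from the neighbor at all, while the type filter decides which of the accepted routes may go on to define the route map; tightening either one shrinks what the access policy of the fourth embodiment ever has to evaluate.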
Further, a third embodiment of the method for controlling access to a private network according to the present invention is provided.
Referring to fig. 5, which is a flowchart of the third embodiment of the private line network access control method of the present invention: building on the embodiment shown in fig. 2, before step S100 (establishing a Border Gateway Protocol BGP neighbor with the public cloud network device over the accessed public cloud private line network) the method further includes:
step S610, determining a private line access point of the public cloud private line network according to a preset selection condition;
and step S620, accessing the public cloud private line network through the public cloud network device corresponding to that private line access point.
In this embodiment, the private lines of the fintech enterprise's head office and branch offices each connect to the nearest access points of the public cloud operator. The private line access points comprise a first access point and a second access point, that is, one target border device connects to the two nearest access points of the public cloud operator; in other words, two private lines are deployed on each target border device so that a single line is not a single point of failure.
Further, in this embodiment, as one implementation, after step S100 (establishing a BGP neighbor with the public cloud network device over the accessed public cloud private line network) the method further includes:
step a, if a fault is detected on the public cloud private line network corresponding to the first access point, disconnecting the BGP neighbor corresponding to the first access point and switching the service traffic of that network to the public cloud private line network corresponding to the second access point.
Specifically, after the BGP neighbor between the target border device and the public cloud network device is established, Bidirectional Forwarding Detection (BFD) is configured between the target border device terminating the private line and the public cloud network device: a BFD session continuously probes the reachability of the peer interface at the far end of the private line (the original description likens this to a real-time ping; BFD is in fact a dedicated lightweight hello protocol rather than ICMP ping, which is what lets it detect a failure in sub-second time), and the detection result is associated with the BGP process. When three consecutive probes go unanswered, the BGP neighbor over that line is torn down immediately, i.e. the BGP neighbor corresponding to the first access point is disconnected when a fault is detected on its public cloud private line network. The service traffic of the faulty private line is then switched to the other, healthy private line terminated on the same target border device, i.e. from the public cloud private line network of the first access point to that of the second access point. This shortens the failover time of the private line link and keeps private line network access reliable. The switch only helps if the second line's own BGP neighbor is up, so BFD should run on both lines, and a line that has just failed should not be trusted again on the first answered probe, or traffic will flap between the two access points.
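The failover logic of step a, as an added example in Python (not code from the patent). It models a target border device with two private lines, a BFD-style probe per line whose result is tied to that line's BGP neighbor state, teardown after three consecutive missed probes as the description specifies, and two details the description leaves implicit: a hold-down of three consecutive answered probes before a recovered line is trusted again, and no switch at all when both lines are down. The access point names AP1/AP2, the probe sequences and the recovery threshold are constructed assumptions:

```python
"""Dual private line failover: a BFD-style liveness check coupled to the BGP neighbor.

Added example, not code from the patent. Access point names, probe sequences
and the recovery threshold are constructed; real BFD is a dedicated hello
protocol with its own timers, not ICMP ping.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

FAILURE_THRESHOLD = 3    # consecutive missed probes that tear the BGP neighbor down (from the description)
RECOVERY_THRESHOLD = 3   # consecutive answered probes before the line is trusted again (assumption)


@dataclass
class PrivateLine:
    """One private line to an access point, with its probe state tied to BGP."""
    name: str
    bgp_up: bool = True
    missed: int = 0     # consecutive probes without a reply
    answered: int = 0   # consecutive probes with a reply

    def observe(self, reachable: bool) -> None:
        """Feed one probe result; the outcome is associated with the BGP process."""
        if reachable:
            self.missed = 0
            self.answered += 1
            if self.answered >= RECOVERY_THRESHOLD:
                self.bgp_up = True   # session considered re-established once stable
        else:
            self.answered = 0
            self.missed += 1
            if self.missed >= FAILURE_THRESHOLD:
                self.bgp_up = False  # BFD down: the neighbor is dropped immediately


@dataclass
class BorderDevice:
    """Target border device terminating the first and second access point lines."""
    first: PrivateLine
    second: PrivateLine
    active: str = field(init=False)
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.first.name

    def tick(self, first_ok: bool, second_ok: bool) -> str:
        """Process one probe interval on both lines; return the line carrying traffic."""
        self.first.observe(first_ok)
        self.second.observe(second_ok)
        if self.first.bgp_up:
            target = self.first.name
        elif self.second.bgp_up:
            target = self.second.name
        else:
            target = self.active   # both down: keep the last choice rather than flap
        if target != self.active:
            self.events.append(f"switch {self.active} -> {target}")
            self.active = target
        return self.active


def simulate(first_probes, second_probes) -> Tuple[List[str], List[str]]:
    """Run probe sequences through a fresh device; returns (active line per tick, switch events)."""
    dev = BorderDevice(PrivateLine("AP1"), PrivateLine("AP2"))
    path = [dev.tick(a, b) for a, b in zip(first_probes, second_probes)]
    return path, dev.events


# Constructed probe results for the first line: two isolated misses (no action),
# then four misses (failover on the third), then three replies (fail back once stable).
FIRST_PROBES = [True, True, False, False, True, False, False, False, False, True, True, True]
SECOND_PROBES = [True] * len(FIRST_PROBES)


if __name__ == "__main__":
    path, events = simulate(FIRST_PROBES, SECOND_PROBES)
    print(path)
    print(events)
```

On real equipment the probe interval, multiplier and hold-down are BFD and BGP timers rather than counters in code, but the coupling is the same: BFD reports the line, BGP reacts to the report, and routing moves to whichever line still has an established neighbor.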
Further, a fourth embodiment of the method for controlling access to a private network according to the present invention is provided.
Referring to fig. 6, which is a flowchart of the fourth embodiment of the private line network access control method of the present invention: building on the first embodiment, before step S400 (invoking the routing graph and forwarding the plurality of first service flows to the target server according to the service priorities) the method further includes:
step S310, configuring an access control policy based on a preset object group and on the attributes of the target server;
and step S400, invoking the routing graph and forwarding the first service flows to the target server according to the service priorities, then comprises:
step S410, invoking the routing graph and forwarding each of the first service flows to the target server according to its service priority and to the access control policy.
Specifically, in this embodiment an object group (object-group) is configured on the target border device, associating a source address, a destination address and a port. The configured object group is referenced in an access control policy chosen according to the attributes of the target server, so that the ports through which different branches and different departments of the fintech enterprise may reach each other are controlled according to service needs; for example, the development network is denied access to the public network. The routing graph is then invoked and each first service flow is forwarded to the target server according to its service priority and the access control policy, achieving secure access control over the private line network. A flow that the access control policy does not permit is therefore not forwarded at all, whatever its priority; the priority only orders the traffic the policy has already permitted.
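Step S410, worked as an added example in Python (not code from the patent): object groups bundle networks and ports, an access control policy made of permit/deny rules over those groups is evaluated first-match with an implicit deny, and the route map's per-type priority then orders the permitted flows. The object groups, the address ranges, the rule that denies the development network access to the public network, the priority values (lower forwarded first) and the sample flows are all constructed; the destination groups stand in for the target-server attributes by which the policy is selected:

```python
"""Route-map service priorities combined with object-group access control on the border device.

Added example, not code from the patent. Object groups, server attributes,
priority values and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class ObjectGroup:
    """A named set of networks and (optionally) ports, as referenced by a policy rule."""
    name: str
    networks: Tuple[str, ...]
    ports: Tuple[int, ...] = ()   # empty tuple means any port

    def has_addr(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in ip_network(n) for n in self.networks)

    def has_port(self, port: int) -> bool:
        return not self.ports or port in self.ports


@dataclass(frozen=True)
class AccessRule:
    action: str        # "permit" or "deny"
    src: ObjectGroup
    dst: ObjectGroup   # the destination group carries the target server attribute (ports)


@dataclass(frozen=True)
class Flow:
    service_type: str
    src: str
    dst: str
    dport: int


# Constructed object groups (addresses from documentation ranges).
DEV_NET = ObjectGroup("dev_net", ("10.10.0.0/16",))
OFFICE_NET = ObjectGroup("office_net", ("10.20.0.0/16",))
DMZ_SERVERS = ObjectGroup("dmz_servers", ("10.30.5.0/24",), ports=(22, 443))
PUBLIC_SERVERS = ObjectGroup("public_servers", ("203.0.113.0/24",), ports=(443,))

# Constructed access control policy; first match wins, implicit deny at the end.
ACCESS_POLICY = [
    AccessRule("deny", DEV_NET, PUBLIC_SERVERS),    # development network must not reach the public network
    AccessRule("permit", DEV_NET, DMZ_SERVERS),
    AccessRule("permit", OFFICE_NET, PUBLIC_SERVERS),
    AccessRule("permit", OFFICE_NET, DMZ_SERVERS),
    AccessRule("permit", DMZ_SERVERS, OFFICE_NET),
]

# Constructed route-map priorities per service type; a lower value is forwarded first.
ROUTE_MAP = {"isolation_area": 10, "office": 20, "development": 30}


def policy_action(flow: Flow) -> str:
    """Evaluate the access control policy for one flow (implicit deny)."""
    for rule in ACCESS_POLICY:
        if (rule.src.has_addr(flow.src)
                and rule.dst.has_addr(flow.dst)
                and rule.dst.has_port(flow.dport)):
            return rule.action
    return "deny"


def forward(flows: List[Flow]) -> Tuple[List[Flow], List[Tuple[Flow, str]]]:
    """Step S410: forward permitted flows in priority order; drop the rest with a reason."""
    forwarded, dropped = [], []
    for f in flows:
        if f.service_type not in ROUTE_MAP:
            dropped.append((f, "no route-map entry"))
        elif policy_action(f) != "permit":
            dropped.append((f, "access policy"))
        else:
            forwarded.append(f)
    forwarded.sort(key=lambda f: ROUTE_MAP[f.service_type])   # stable: ties keep arrival order
    return forwarded, dropped


# Constructed sample flows arriving at the border device.
FLOWS = [
    Flow("development", "10.10.3.4", "203.0.113.7", 443),    # dev -> public: explicit deny
    Flow("development", "10.10.3.4", "10.30.5.10", 22),      # dev -> DMZ ssh: permit
    Flow("office", "10.20.1.9", "203.0.113.7", 443),         # office -> public https: permit
    Flow("office", "10.20.1.9", "10.30.5.10", 8080),         # port not in group: implicit deny
    Flow("isolation_area", "10.30.5.10", "10.20.1.9", 443),  # DMZ -> office: permit
    Flow("non_enterprise", "192.0.2.5", "10.20.1.9", 443),   # not in the route map: dropped
]


if __name__ == "__main__":
    fwd, drop = forward(FLOWS)
    for f in fwd:
        print("forward", ROUTE_MAP[f.service_type], f)
    for f, why in drop:
        print("drop", why, f)
```

Two checks worth keeping when translating this to device configuration: the explicit deny for the development network must precede any broader permit that would otherwise match it, and a service type with no route-map entry should be dropped rather than forwarded at a default priority, so that traffic the prefix-list filter did not anticipate does not silently pass.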
In addition, an embodiment of the present invention further provides a private line network access control device deployed on a target border device that is in communication connection with a target server; the private line network access control device includes:
the establishing module is used for establishing a Border Gateway Protocol (BGP) neighbor with public cloud network equipment based on the accessed public cloud private network;
the first acquisition module is used for acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors;
a defining module, configured to define a routing graph for the plurality of first service flows, where the routing graph includes service priorities corresponding to the plurality of service types, respectively;
and the forwarding module is used for calling the routing graph and respectively forwarding the first service flows to the target server based on the service priority.
Preferably, the first obtaining module includes:
the configuration unit is used for configuring an access control list based on the preset service type requirement;
and the obtaining unit is used for obtaining a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors and the configured access control list.
Preferably, the apparatus further comprises:
a second obtaining module, configured to obtain, based on the BGP neighbor and a target route corresponding to a preset prefix list, a second service traffic corresponding to the target route;
and the filtering module is used for filtering the second service flow according to a preset filtering condition to obtain a filtered second service flow, wherein the filtered second service flow comprises a plurality of first service flows corresponding to the plurality of service types respectively.
Preferably, the apparatus further comprises:
the determining module is used for determining a private line access point of the public cloud private line network according to a preset selection condition;
and the access module is used for accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
Preferably, the private line access point includes a first access point and a second access point, and the apparatus further includes:
and the switching module, configured to disconnect the BGP neighbor corresponding to the first access point and switch the service traffic of the public cloud private line network corresponding to the first access point to the public cloud private line network corresponding to the second access point if a fault is detected on the public cloud private line network corresponding to the first access point.
Preferably, the apparatus further comprises:
the configuration module is used for configuring a control access strategy based on a preset object group and the attribute of the target server;
the forwarding module includes:
and the forwarding unit is used for calling the routing graph and respectively forwarding the plurality of first service flows to the target server according to the service priority and the control access strategy.
The method carried out when each module of the private line network access control device operates in this embodiment may refer to the embodiments of the private line network access control method of the present invention and is not described again here.
In addition, an embodiment of the present invention further provides a computer-readable storage medium on which a private line network access control program is stored; when executed by a processor, the program implements the steps of the private line network access control method described above.
The method carried out when the private line network access control program is executed on the processor may refer to the embodiments of the private line network access control method of the present invention and is not described again here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of another identical element in the process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (14)

1. A private network access control method is applied to target boundary equipment, the target boundary equipment is in communication connection with a target server, and the private network access control method comprises the following steps:
establishing a Border Gateway Protocol (BGP) neighbor with public cloud network equipment based on the accessed public cloud private network;
acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors;
configuring a routing graph for the plurality of first service flows, wherein the routing graph comprises service priorities respectively corresponding to the plurality of service types;
and calling the routing graph, and respectively forwarding the first service flows to the target server based on the service priority.
2. The private network access control method of claim 1, wherein the step of obtaining a plurality of first service flows corresponding to a plurality of service types, respectively, according to the established BGP neighbor comprises:
configuring an access control list based on preset service type requirements;
and acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors and the configured access control list.
3. The private network access control method of claim 2, wherein the step of establishing a BGP neighbor with a public cloud network device based on the accessed public cloud private network further comprises:
acquiring a second service flow corresponding to the target route based on the BGP neighbor and the target route corresponding to the preset prefix list;
filtering the second service traffic according to a preset filtering condition to obtain filtered second service traffic, wherein the filtered second service traffic comprises a plurality of first service traffic corresponding to the plurality of service types respectively; and entering the step: and acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors.
4. The private network access control method of any one of claims 1-3, wherein the step of establishing a Border Gateway Protocol (BGP) neighbor with a public cloud network device based on the accessed public cloud private network further comprises:
determining a private access point of a public cloud private line network according to a preset selection condition;
and accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
5. The private network access control method of claim 4, wherein the private access points comprise a first access point and a second access point, and the step of establishing a Border Gateway Protocol (BGP) neighbor with a public cloud network device based on the accessed public cloud private network further comprises:
and if detecting that the public cloud private network corresponding to the first access point has a fault, disconnecting the BGP neighbor corresponding to the first access point, and switching the service flow of the public cloud private network corresponding to the first access point to the public cloud private network corresponding to the second access point.
6. A private network access control method according to any of claims 1-3, wherein said step of invoking said routing graph and forwarding said plurality of first traffic flows to said destination server based on said traffic priorities, respectively, further comprises:
configuring a control access strategy based on a preset object group and the attribute of the target server;
the step of invoking the routing graph and forwarding the plurality of first traffic flows to the target server based on the traffic priorities respectively comprises:
and calling the routing graph, and respectively forwarding the plurality of first service flows to the target server according to the service priority and the control access strategy.
7. A private network access control device is provided in a target border device, the target border device being in communication with a target server, the private network access control device comprising:
the establishing module is used for establishing a Border Gateway Protocol (BGP) neighbor with public cloud network equipment based on the accessed public cloud private network;
the first acquisition module is used for acquiring a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors;
a defining module, configured to configure a routing graph for the plurality of first service flows, where the routing graph includes service priorities respectively corresponding to the plurality of service types;
and the forwarding module is used for calling the routing graph and respectively forwarding the first service flows to the target server based on the service priority.
8. The private network access control device of claim 7, wherein the first obtaining module comprises:
the configuration unit is used for configuring an access control list based on the preset service type requirement;
and the obtaining unit is used for obtaining a plurality of first service flows corresponding to a plurality of service types respectively according to the established BGP neighbors and the configured access control list.
9. The private network access control apparatus of claim 8, wherein said apparatus further comprises:
a second obtaining module, configured to obtain, based on the BGP neighbor and a target route corresponding to a preset prefix list, a second service traffic corresponding to the target route;
and the filtering module is used for filtering the second service flow according to a preset filtering condition to obtain a filtered second service flow, wherein the filtered second service flow comprises a plurality of first service flows corresponding to the plurality of service types respectively.
10. A private network access control apparatus according to any one of claims 7 to 9, wherein said apparatus further comprises:
the determining module is used for determining a private access point of the public cloud private line network according to a preset selection condition;
and the access module is used for accessing the public cloud private line network based on the public cloud network equipment corresponding to the private line access point.
11. The private network access control apparatus of claim 10, wherein the private access point comprises a first access point and a second access point, the apparatus further comprising:
and the switching module is used for disconnecting the BGP neighbor corresponding to the first access point and switching the service flow of the public cloud private network corresponding to the first access point to the public cloud private network corresponding to the second access point if the public cloud private network corresponding to the first access point is detected to have a fault.
12. A private network access control apparatus according to any one of claims 7 to 9, wherein said apparatus further comprises:
the configuration module is used for configuring a control access strategy based on a preset object group and the attribute of the target server;
the forwarding module includes:
and the forwarding unit is used for calling the routing graph and respectively forwarding the plurality of first service flows to the target server according to the service priority and the control access strategy.
13. A private network access control apparatus, the apparatus comprising: a memory, a processor and a private network access control program stored on the memory and executable on the processor, the steps of the private network access control method as claimed in any one of claims 1 to 6 being implemented by the private network access control program when executed by the processor.
14. A readable storage medium applied to a computer, wherein a private network access control program is stored on the readable storage medium, and when executed by a processor, the private network access control program implements the steps of the private network access control method according to any one of claims 1 to 6.
CN201910450419.XA 2019-05-24 2019-05-24 Private line network access control method, device, equipment and readable storage medium Active CN110191067B (en)

Publications (2)

Publication Number Publication Date
CN110191067A CN110191067A (en) 2019-08-30
CN110191067B true CN110191067B (en) 2023-04-18

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112511426B (en) * 2019-09-16 2022-09-27 中国移动通信集团河北有限公司 Traffic grooming method and device, computing device and storage medium for service
CN113595901A (en) * 2020-04-30 2021-11-02 华为技术有限公司 Routing method and device based on border gateway protocol
CN113630314B (en) * 2020-05-09 2022-09-16 北京金山云网络技术有限公司 Disaster recovery method and device for hybrid cloud private line access network

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014182805A1 (en) * 2013-05-07 2014-11-13 Equinix, Inc. A direct connect virtual private interface for a one to many connection with multiple virtual private clouds
CN106685825A (en) * 2017-02-18 2017-05-17 郑州云海信息技术有限公司 Cloud routing network management method and system based on cloud computing
CN106936857A (en) * 2015-12-29 2017-07-07 中国电信股份有限公司 A kind of connection management method of mixed cloud, SDN controllers and mixing cloud system
US9935816B1 (en) * 2015-06-16 2018-04-03 Amazon Technologies, Inc. Border gateway protocol routing configuration
CN109347743A (en) * 2018-08-02 2019-02-15 平安科技(深圳)有限公司 A kind of special line communication method, computer readable storage medium and terminal device
CN109525512A (en) * 2019-01-22 2019-03-26 新华三技术有限公司 A kind of method for building up and device of bgp neighbor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant