CN111614537A - Disaster recovery network system - Google Patents

Info

Publication number
CN111614537A
Authority
CN
China
Prior art keywords
vpn
vpn gateway
router
gateway
tunnel
Prior art date
Legal status
Granted
Application number
CN202010353376.6A
Other languages
Chinese (zh)
Other versions
CN111614537B (en)
Inventor
詹闻昊
陈静
陈峥嵘
张越鹏
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Priority date
Filing date
Publication date
Application filed by China Construction Bank Corp
Priority to CN202010353376.6A
Publication of CN111614537A
Application granted
Publication of CN111614537B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/22 Alternate routing
    • H04L45/28 Routing or path finding of packets in data switching networks using route fault recovery
    • H04L45/74 Address processing for routing

Abstract

The application provides a disaster recovery network device in which first data is transmitted to a third router through a first router and a second router, and second data is transmitted to a second VPN gateway through a first VPN gateway. In the first state the first router cannot transmit the first data to the second router, so a communication link between the first VPN gateway and the first router, a VPN tunnel between the first VPN gateway and a third VPN gateway, and a communication link between the third VPN gateway and the third router are established; the first data can then be transmitted to the third router through the first router, the first VPN gateway and the third VPN gateway. The first, second and third VPN gateways are uniformly scheduled by a VPN controller, which makes dynamic establishment and automatic switching of VPN tunnels possible, improves switching efficiency and reduces labor cost. Because several VPN tunnels are established flexibly over the Internet, the multi-path nature of the Internet is fully exploited and the bandwidth investment in disaster recovery construction is reduced.

Description

Disaster recovery network system
Technical Field
The application relates to the technical field of network security, in particular to a disaster recovery network system.
Background
The current hierarchical network architecture of banks is as follows: the devices at the sub-branches and outlets aggregate data to the devices at the first-level branch over a communication link, and the devices at the first-level branch upload the data to the devices at the head office over a communication link.
If the devices at the first-level branch suffer a disaster, the devices at the outlets and sub-branches cannot upload data to the devices at the head office.
Disclosure of Invention
In view of this, the present application provides a disaster recovery network system.
In order to achieve the above purpose, the present application provides the following technical solutions:
a disaster recovery network system, comprising:
the first service device comprises a first router, a second router and a third router; the first router is in wired connection with the second router, and the second router is in wired connection with the third router; the first router is used for transmitting first data obtained from first terminal equipment to the third router through the second router;
a second service device including a first VPN gateway and a second VPN gateway; the first VPN gateway is used for transmitting second data obtained from a second terminal device to the second VPN gateway;
the VPN controller is connected with the second VPN gateway and the third VPN gateway and is used for sending first configuration information to the first VPN gateway through the second VPN gateway if the VPN controller is in a first state, wherein the first configuration information comprises the address of the first router and the address of the third VPN gateway; the second router cannot receive the first data uploaded by the first router in the first state;
the third VPN gateway is connected with the third router in the first state;
the first VPN gateway is further configured to disconnect a VPN tunnel with the second VPN gateway, disconnect a communication link with the second terminal device, establish a communication link with the first router, and establish a VPN tunnel with the third VPN gateway based on the first configuration information;
so that the first data is transmitted to the third router through the first router, the first VPN gateway, and the third VPN gateway.
In an optional embodiment, the VPN controller is further configured to send second configuration information to the third VPN gateway if the VPN gateway is in the first state; the second configuration information carries an address of the third router;
the third VPN gateway is further configured to establish a communication link with the third router based on the second configuration information.
In an optional embodiment, the second service device further includes: a fourth VPN gateway; the first VPN gateway, when performing transmission of second data obtained from a second terminal device to the second VPN gateway, is specifically configured to:
transmitting the second data obtained from the second terminal device to the second VPN gateway through the fourth VPN gateway.
In an optional embodiment, in the first state, the VPN tunnel between the first VPN gateway and the fourth VPN gateway is disconnected, and the first VPN gateway is configured with an address of the second VPN gateway and an address of the fourth VPN gateway;
the first VPN gateway is further configured to establish a VPN tunnel with the second VPN gateway based on the address of the second VPN gateway if it is detected that the VPN tunnel with the fourth VPN gateway is disconnected.
In an optional embodiment, the VPN controller is further configured to determine that the first VPN gateway is in the first state if it detects that the first VPN gateway has switched from the VPN tunnel with the fourth VPN gateway to the VPN tunnel with the second VPN gateway;
or, alternatively,
the VPN controller is further configured to generate alarm information if it detects that the first VPN gateway has switched from the VPN tunnel with the fourth VPN gateway to the VPN tunnel with the second VPN gateway, and to send the alarm information to a designated device.
In an optional embodiment, the VPN controller is further configured to send, if the VPN gateway is in the second state, third configuration information to the first VPN gateway through the third VPN gateway, where the third configuration information is used to instruct the first VPN gateway to establish a VPN tunnel with the second VPN gateway; the second router can receive the first data uploaded by the first router in the second state;
the first VPN gateway is further configured to disconnect a communication link with the first router and a VPN tunnel with the third VPN gateway, establish a VPN tunnel with the second VPN gateway, and establish a communication link with the second terminal device based on the third configuration information.
In an optional embodiment, the VPN controller is further configured to send fourth configuration information to the third VPN gateway if the VPN gateway is in the second state, where the fourth configuration information is used to instruct the third VPN gateway to disconnect a communication link with the third router;
the third VPN gateway is further configured to disconnect a communication link with the third router based on the fourth configuration information.
In an optional embodiment, the second service device further includes: a fourth VPN gateway;
the first VPN gateway, when performing transmission of second data obtained from a second terminal device to the second VPN gateway, is specifically configured to: transmitting second data obtained from the second terminal device to the second VPN gateway through the fourth VPN gateway;
the first VPN gateway, when performing establishment of a VPN tunnel with the second VPN gateway, is specifically configured to: establish the VPN tunnel with the second VPN gateway through the fourth VPN gateway.
In an optional embodiment, the VPN controller is further configured to:
detect, by means of the Internet Packet Groper (ping), whether the VPN tunnel with the first VPN gateway is in a normal operating state.
In an optional embodiment, the VPN controller is further configured to:
acquire the device information of the first VPN gateway by means of the Simple Network Management Protocol (SNMP).
According to the technical scheme, the disaster recovery network device provided by the application is provided with two data transmission tunnels, and first data is transmitted to a third router through a first router and a second router; the second data is transmitted to the second VPN gateway through the first VPN gateway; in the first state, the first router cannot transmit the first data to the second router, and therefore, a communication link between the first VPN gateway and the first router needs to be established, and a VPN tunnel between the first VPN gateway and the third VPN gateway needs to be established.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a structural diagram of an implementation manner of a disaster recovery network system in a normal service scenario according to an embodiment of the present application;
fig. 2 is a block diagram of an implementation manner of a disaster recovery network system after a building-level disaster or a campus-level disaster occurs in a first-level branch according to an embodiment of the present application;
fig. 3 is a structural diagram of another implementation manner of a disaster recovery network system in a normal service scenario according to an embodiment of the present application;
fig. 4 is a structural diagram of an implementation manner of a VPN controller according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, a structure diagram of an implementation manner of a disaster recovery network system in a normal service scenario provided in an embodiment of the present application is shown.
The normal service scenario means that no building-level or campus-level disaster has occurred at the first-level branch, or that such a disaster has occurred but disaster recovery has been completed.
Disaster recovery refers to the process of restarting the data, hardware and software of the disaster recovery network system after a natural or man-made disaster so that normal business operation resumes.
The disaster recovery network system comprises: a first service device 11, a second service device 12, a VPN controller 13, and a third VPN gateway 14.
The first service device 11 includes: a first router 111, a second router 112, and a third router 113; the first router 111 is connected with the second router 112 by wire, and the second router 112 is connected with the third router 113 by wire. The first router is configured to transmit the first data obtained from the first terminal device 15 to the third router through the second router.
In an alternative embodiment, the wired line between the first router 111 and the second router 112 is a dedicated line leased from a carrier; in an alternative embodiment, the line between the second router 112 and the third router 113 is a long-haul dedicated line.
In an alternative embodiment, the bank's tiers from largest to smallest are the head office, the first-level branch (provincial bank), the second-level branch (city bank), the first-level sub-branch (district or county-level city bank), the second-level sub-branch (branch office or deposit office), and so on.
In an optional embodiment, the first router 111 is deployed in the dedicated-line access area of a sub-branch or outlet (in this embodiment, the second-level branch, the first-level sub-branch and the second-level sub-branch are collectively referred to as a sub-branch or outlet); the second router 112 is deployed in the dedicated-line access area of the first-level branch; the third router 113 is deployed in the dedicated-line access area of the head office.
In an alternative embodiment, the first router 111 is a device located at a sub-branch or outlet, the second router 112 is a device located at a first-level branch, and the third router 113 is a device located at the head office.
In an alternative embodiment, the number of the first routers 111 may be one or more, the number of the second routers 112 may be one or more, and the number of the third routers 113 may be one or more.
In an alternative embodiment, the second router 112 may be connected to the first server 16, which may be a specialty-service server deployed in the branch intranet and accessible to the first terminal device 15.
In an alternative embodiment, the third router 113 may be connected to the second server 17, and the second server 17 may refer to a server for production and office services deployed in the intranet of the head office.
In an alternative embodiment, the first terminal device 15 may be a production or office terminal deployed at a sub-branch or outlet, including but not limited to a production transaction terminal or an office terminal such as a teller machine, an office computer or an ATM.
In an optional embodiment, the first data is production and office related business data of the first terminal device.
The second service device 12 includes: a first VPN gateway 121 and a second VPN gateway 122.
The first VPN gateway 121 transmits the second data obtained from the second terminal device 18 to said second VPN gateway 122.
In an alternative embodiment, the first VPN gateway 121 may be an internet behavior gateway.
The internet behavior gateway is deployed at the internet egress, manages and audits the internet behavior of users accessing the internet, and provides a Virtual Private Network (VPN) dial-up function.
In an alternative embodiment, the first VPN gateway 121 is a device located at a sub-branch or outlet, and the second VPN gateway 122 is a device located at the head office.
In an optional embodiment, the first VPN gateway 121 may be deployed in the internet area of a sub-branch or outlet and provides user internet behavior management and auditing.
In an optional embodiment, the second VPN gateway 122 is deployed in an internet area of a head office, and has one or more functions of carrying client internet authentication, collecting internet behavior logs, pushing marketing services, uniformly managing the first VPN gateway, and monitoring traffic.
In an optional embodiment, the second VPN gateway 122 may be connected to the third server 19; optionally, the third server 19 is deployed in the internet area of the head office and has one or more of the functions of client internet authentication, internet behavior data analysis, marketing advertising and app pushing.
In an alternative embodiment, the second terminal device 18 may be a terminal used by a client to access the internet, for example any one or more of an internet all-in-one kiosk, the client's mobile phone, a tablet computer and a notebook computer.
In an alternative embodiment, the second data may be internet behavior data.
In an alternative embodiment, the number of the first VPN gateway and the second VPN gateway may be one or more.
The VPN controller 13 is connected to the second VPN gateway 122 and the third VPN gateway 14, respectively.
The working process of the disaster recovery network system after the disaster at the building level or the disaster at the campus level occurs in the first-level branch is described below.
The VPN controller 13 is configured to control the second VPN gateway 122 to send the first configuration information to the first VPN gateway 121 if the first VPN gateway is in the first state, where the first configuration information includes the address of the first router 111 and the address of the third VPN gateway 14; in the first state the second router cannot receive the first data uploaded by the first router.
Please refer to fig. 2, which is a block diagram of an implementation manner of a disaster recovery network system after a building-level disaster or a campus-level disaster occurs in a first-level branch according to an embodiment of the present application.
As indicated by an "x" located on the connecting line of the first router 111 and the second router 112 in fig. 2, the first router 111 has been unable to transmit the first data to the second router 112.
The first state is that a building level disaster or a park level disaster occurs in the first level branch.
In an alternative embodiment, the VPN controller 13 may have a plurality of states, for example comprising at least a first state and a second state, and the switching of the states may be manually switched.
In an alternative embodiment, the VPN controller 13 may automatically switch to the first state.
In an optional embodiment, the VPN controller 13 may be a logic management component deployed in the head office internet area, and is configured to centrally manage and monitor the state of the first VPN gateway in the whole head office, and may implement issuing a configuration script for the first VPN gateway. The VPN controller may be implemented by software and dedicated hardware devices.
The first VPN gateway 121 is configured to disconnect a VPN tunnel with the second VPN gateway, disconnect a communication link with the second terminal device, establish a communication link with the first router 111, and establish a VPN tunnel with the third VPN gateway 14 based on the first configuration information.
In this embodiment, the first VPN gateway 121 includes a plurality of interfaces, and the first VPN gateway 121 disconnects the communication link with the second terminal device, that is, the interface corresponding to the second terminal device included in the first VPN gateway 121 is in a closed state. The first VPN gateway 121 establishes a communication link with the first router 111, that is, an interface included in the first VPN gateway 121 and corresponding to the first router 111 is in an open state.
As shown in fig. 2, the first VPN gateway 121 has torn down the communication link with the second terminal device 18 and the VPN tunnel with the second VPN gateway 122.
In the disaster recovery network system provided in the embodiment of the present application, after the first VPN gateway receives the first configuration information, optionally, the first VPN gateway opens an internet interface with the first router, establishes a VPN tunnel to the third VPN gateway, and starts the disaster recovery channel of the path 2 (including the VPN tunnel 1, the communication link 1, and the communication link 2). After the path 2 is established, the first VPN gateway disables the service corresponding to the second data, releases the internet bandwidth for carrying the service corresponding to the first data, and ensures that the service corresponding to the first data is not affected by a disaster. That is, the first data transmission to the third router is maintained under the premise of sacrificing the second data (the second data cannot be transmitted to the second VPN gateway). In an alternative embodiment, the first data is more important than the second data.
The third VPN gateway 14 is connected to the third router in the first state.
Optionally, the third VPN gateway 14 is not connected to the third router in the first state. Optionally, the third VPN gateway 14 is connected to the third router in the first state.
In an optional embodiment, in this embodiment of the application, the third VPN gateway includes a plurality of interfaces, and the third VPN gateway is not connected to the third router, that is, an interface corresponding to the third router included in the third VPN gateway is in a closed state. The third VPN gateway is connected to the third router, that is, an interface corresponding to the third router included in the third VPN gateway is in an open state.
In an alternative embodiment, the third VPN gateway 14 may be a VPN gateway, and the third VPN gateway 14 may be referred to as a disaster recovery gateway and is deployed in an internet area of a head office.
In an alternative embodiment, the third VPN gateway may automatically establish a communication link with the third router. The specific method comprises the following steps: if the VPN controller 13 is in the first state, sending second configuration information to the third VPN gateway; optionally, the second configuration information is used to instruct the third VPN gateway to establish a communication link with the third router. The third VPN gateway 14 establishes a communication link with said third router based on said second configuration information.
In an alternative embodiment, the communication link of the third VPN gateway with the third router may be established manually.
As shown in fig. 1, devices deployed in different areas are separated by dot-dash lines. In an alternative embodiment, the VPN controller 13, the third VPN gateway 14, the second VPN gateway 122, the third router 113 and the third server 19 are deployed at the head office; the second router 112 and the first server 16 are deployed at the first-level branch; and the first router 111, the first terminal device 15, the first VPN gateway 121 and the second terminal device 18 are deployed at a sub-branch or outlet.
Optionally, since the third VPN gateway 14 and the third router 113 are both deployed at the head office, that is, in the same area, the communication connection between the third VPN gateway 14 and the third router 113 may be established manually.
In an alternative embodiment, the first VPN gateway may automatically establish the communication link with the first router, i.e. based on the first configuration information.
Optionally, the communication link between the first VPN gateway and the first router may be established manually: since the first VPN gateway and the first router are deployed at the same sub-branch or outlet, that is, in the same area, the link between them can be brought up by hand.
In this embodiment, the first VPN gateway 121 includes a plurality of interfaces, and the first VPN gateway 121 establishes a communication link with the first router, that is, the interface corresponding to the first router included in the first VPN gateway 121 is in an open state. The corresponding first VPN gateway 121 disconnects the communication link with the first router 111, i.e. the interface corresponding to the first router included in the first VPN gateway 121 is in a closed state.
In an alternative embodiment, the first VPN gateway may automatically disconnect the communication link with the second terminal device, i.e. the first VPN gateway disconnects the communication link with the second terminal device based on the first configuration information.
Optionally, the communication link between the first VPN gateway 121 and the second terminal device 18 may be disconnected manually: since the first VPN gateway 121 and the second terminal device are deployed at the same sub-branch or outlet, that is, in the same area, the link between them can be taken down by hand.
In the disaster recovery network system provided in the embodiment of the present application, after the VPN controller is in the first state, the second VPN gateway is controlled to send the first configuration information to the first VPN gateway, so that the first VPN gateway disconnects the VPN tunnel with the second VPN gateway based on the first configuration information, establishes a communication link with the first router, and establishes a VPN tunnel with the third VPN gateway; and the third VPN gateway is connected with the third router in the first state. That is, the first data from the first terminal device 15 can be transmitted to the third router 113 through the first router 111, the first VPN gateway 121, and the third VPN gateway 14.
Referring to fig. 3, a structural diagram of another implementation manner of a disaster recovery network system in a normal service scenario provided in the embodiment of the present application is shown, where the disaster recovery network system includes: the first service device 11, the second service device 12, the VPN controller 13, and the third VPN gateway 14 shown in fig. 1 and 2 further include a fourth VPN gateway 31.
In an alternative embodiment, the fourth VPN gateway 31 may be located in a first-level branch.
The first VPN gateway 121 transmits the second data to the second VPN gateway 122 through the fourth VPN gateway 31.
In an optional embodiment, the fourth VPN gateway 31 is deployed in an internet area of a first-level branch, and optionally has one or more functions of carrying a client internet authentication service of the second terminal device 18, collecting internet behavior logs, pushing a marketing service, uniformly managing the first VPN gateway, and monitoring traffic of the first VPN gateway.
In an optional embodiment, the disaster recovery network system further includes a fourth server 32.
Optionally, the fourth server 32 is configured to collect internet logs of clients at a location of the fourth server 32, and report the internet logs to a local public security administration (also called non-via-interface).
In an alternative embodiment, both the second router 112 and the fourth VPN gateway 31 may be damaged if a building level disaster or a campus level disaster occurs in a first level branch. In order to send the first configuration information to the first VPN gateway when a building-level disaster or a campus-level disaster occurs in a first-level branch, optionally, the first VPN gateway is configured with an address of the second VPN gateway and an address of the fourth VPN gateway. The first VPN gateway is further configured to establish a VPN tunnel with the second VPN gateway based on the address of the second VPN gateway if it is detected that the VPN tunnel with the fourth VPN gateway is disconnected.
In summary, in the case that no building-level disaster or campus-level disaster occurs in the first-level branch, the first VPN gateway 121 transmits the second data to the second VPN gateway 122 through the fourth VPN gateway 31. In the event of a building-level disaster or a campus-level disaster occurring at a level one branch, the VPN controller 13 transmits the first configuration information to the first VPN gateway through the VPN tunnel 3 via the second VPN gateway 122.
In an optional embodiment, if the first VPN gateway is connected to the second VPN gateway through the VPN tunnel 3, the first VPN gateway, when performing disconnection of the VPN tunnel with the second VPN gateway, is specifically configured to: disconnecting the VPN tunnel 3 from said second VPN gateway.
To sum up, in the embodiment of the present application, two VPN gateways are configured for a first VPN gateway, and a priority level is set, that is, an address of a second VPN gateway and an address of a fourth VPN gateway are configured for the first VPN gateway, where the priority level of the fourth VPN gateway is higher. In a normal service scene, the fourth VPN gateway is in a normal operation state, and has a VPN tunnel with the second VPN gateway, the first VPN gateway establishes a VPN tunnel with the fourth VPN gateway, and transmits the second data to the second VPN gateway through the fourth VPN gateway; meanwhile, the first VPN gateway monitors a VPN tunnel 3 with the second VPN gateway in real time, and uses the VPN tunnel 3 as a backup path to the second VPN gateway.
Since the second VPN gateway and the fourth VPN gateway are both VPN gateways, two VPN peers are configured for the first VPN gateway.
A VPN peer refers to a group of VPN gateway devices that establish a VPN tunnel.
In an optional embodiment, the VPN tunnel 2 between the first VPN gateway and the fourth VPN gateway, and the VPN tunnel 2 between the fourth VPN gateway and the second VPN gateway may both be IPsec VPN encrypted tunnels.
IPsec (Internet Protocol Security) is a protocol suite that protects IP traffic by encrypting and authenticating IP packets, providing confidentiality, data-origin authentication, connectionless integrity, and protection against replay attacks.
In an optional embodiment, the VPN controller 13 may manage one or more first VPN gateways through VPN tunnel 2, performing unified device management and online monitoring across the entire network, uniformly issuing the first configuration information when a disaster occurs in a first-level branch, and uniformly issuing the third configuration information when the first-level branch has recovered from the disaster.
Fig. 4 is a block diagram of an implementation manner of a VPN controller according to an embodiment of the present application.
The VPN controller comprises a device auto-discovery module 41, a device performance detection module 42 and an online configuration management module 43, wherein:
the device auto-discovery module 41 is configured to detect, based on ping (Packet Internet Groper), whether the VPN tunnel with the first VPN gateway is in a normal operating state; that is, ping is used to probe whether the first VPN gateway is online.
ping determines whether the VPN controller can successfully exchange (send and receive) packets with the first VPN gateway; from the returned information it can then be inferred whether the TCP/IP parameters are set correctly, whether the device is operating normally, whether the network path is clear, and so on.
The device performance detection module 42 is configured to read the device information of the first VPN gateway through SNMP. Optionally, this is the OID information in the MIB of the first VPN gateway; for example, the OID information in the MIB includes, but is not limited to, one or more of the following performance parameters of the first VPN gateway: CPU occupancy, memory utilization, interface bandwidth utilization, and false alarm rate.
The online configuration management module 43 is configured to issue the first configuration information or the third configuration information to the first VPN gateway through an API. Optionally, multiple first VPN gateways may be instructed to execute the operation instruction simultaneously.
In an optional embodiment, the VPN controller may switch to the first state automatically, as follows: the VPN controller is further configured to determine that the first VPN gateway is in the first state if it detects that the first VPN gateway has switched from the VPN tunnel with the fourth VPN gateway to the VPN tunnel with the second VPN gateway.
It is understood that in the case of a building-level or campus-level disaster in a first-level branch, both the second router and the fourth VPN gateway may fail; after detecting that the VPN tunnel between the first VPN gateway and the fourth VPN gateway is interrupted, the first VPN gateway automatically connects to the second VPN gateway through the backup VPN tunnel 3, and the VPN controller can still manage the first VPN gateway through VPN tunnel 3.
It can be understood that if all the first VPN gateways under the first-level branch are connected to the second VPN gateway through VPN tunnel 3, the probability that a building-level or campus-level disaster has occurred in the first-level branch is high; optionally, therefore, the VPN controller 13 decides to switch to the first state after detecting that a plurality of first VPN gateways are connected to the second VPN gateway through VPN tunnel 3.
In an alternative embodiment, the VPN controller may be switched to the first state manually, as follows: the VPN controller is further configured to generate alarm information if it detects that the first VPN gateway has switched from the VPN tunnel between the first VPN gateway and the fourth VPN gateway to the VPN tunnel between the first VPN gateway and the second VPN gateway, and to send the alarm information to a setting device.
The setting device can be one or more of a smartphone, a tablet (PAD) and a notebook computer. Optionally, the alarm may be delivered to the corresponding setting device as an e-mail, a short message or a voice call.
After the owner of the setting device sees the alarm information, fault confirmation is carried out; if the fault is indeed a building-level or campus-level disaster in the first-level branch, the VPN controller is switched to the first state.
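The peer-priority failover at the first VPN gateway and the two ways the VPN controller enters the first state (automatic after enough gateways have moved to the backup tunnel, or manual after an alarm is confirmed) can be modelled as a small state machine. The following is an added example written for this page; it is not code from the patent or its assignee. The device names, the `min_switched` threshold (1 reproduces the single-gateway trigger, 2 or more the "plurality of first VPN gateways" variant) and the assumption that the gateway's own tunnel monitoring reports tunnel loss are all constructed for the illustration.

```python
"""Peer-priority failover and controller state inference (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

FIRST_STATE = "first"    # disaster at the first-level branch: first data is rerouted
SECOND_STATE = "second"  # dedicated lines usable: normal operation


class FirstVpnGateway:
    """Branch or network-point gateway with two VPN peers in priority order:
    the fourth VPN gateway (VPN tunnel 2) ahead of the second VPN gateway
    (VPN tunnel 3, kept as the backup path)."""

    def __init__(self, name: str, peers: List[str]) -> None:
        self.name = name
        self.peers = list(peers)                         # highest priority first
        self.tunnel_up: Dict[str, bool] = {p: True for p in peers}
        self.active_peer = self.select_peer()

    def select_peer(self) -> str:
        """Highest-priority peer whose tunnel is currently up ("" if none)."""
        for peer in self.peers:
            if self.tunnel_up[peer]:
                return peer
        return ""

    def set_tunnel(self, peer: str, up: bool) -> str:
        """Record a tunnel state change (assumption: the gateway's own tunnel
        monitoring reports it; the patent does not say how) and reselect."""
        self.tunnel_up[peer] = up
        self.active_peer = self.select_peer()
        return self.active_peer


@dataclass
class Alarm:
    gateway: str
    message: str


@dataclass
class VpnController:
    """Head-office controller watching which peer each first VPN gateway uses."""
    gateways: List[FirstVpnGateway]
    backup_peer: str                 # name of the second VPN gateway
    auto_switch: bool = True         # False: raise alarms and wait for confirm_fault()
    min_switched: int = 2            # gateways on the backup path needed to infer a disaster
    state: str = SECOND_STATE
    alarms: List[Alarm] = field(default_factory=list)
    _alarmed: Set[str] = field(default_factory=set)

    def poll(self) -> str:
        """One monitoring cycle: raise one alarm per gateway that has moved to the
        backup tunnel and, in automatic mode, enter the first state once enough
        gateways have done so."""
        switched = [g.name for g in self.gateways if g.active_peer == self.backup_peer]
        for name in switched:
            if name not in self._alarmed:
                self._alarmed.add(name)
                self.alarms.append(Alarm(name, f"switched to backup peer {self.backup_peer}"))
        if self.auto_switch and self.state == SECOND_STATE and len(switched) >= self.min_switched:
            self.state = FIRST_STATE
        return self.state

    def confirm_fault(self) -> str:
        """Manual path: the operator confirms a building- or campus-level disaster."""
        self.state = FIRST_STATE
        return self.state

    def recover(self) -> str:
        """Fallback decision once the dedicated lines are available again."""
        self.state = SECOND_STATE
        self._alarmed.clear()
        return self.state
```

Keeping the alarm set per gateway means a flapping tunnel does not flood the setting device with repeated alarms; the controller only changes state on its own when the configured number of gateways agree, which is the heuristic the description gives for distinguishing a single failed tunnel from a branch-wide disaster.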
The disaster recovery network device provided in the embodiment of the present application includes multiple data transmission tunnels, for example VPN tunnel 1, VPN tunnel 2 and VPN tunnel 3, and the first, second, third and fourth VPN gateways are controlled by the VPN controller in a unified manner, so that free switching between the data transmission tunnels is realized: each branch or network point can flexibly and dynamically establish multiple VPN tunnels with each VPN gateway (that is, the first, second, third and fourth VPN gateways) using an existing Internet line outlet, which improves switching efficiency and reduces labor cost.
Furthermore, because the multiple VPN tunnels are flexibly and dynamically established over existing Internet bandwidth by using the wireless Internet, the multipath characteristics of the Internet are fully exploited, bandwidth resources are saved, and the bandwidth investment cost of disaster recovery construction is reduced.
The disaster recovery network system provided in the embodiment of the present application is further described with reference to fig. 1 to fig. 3. The disaster recovery network system in the embodiment is a general branch network architecture, that is, a branch network consisting of a head office, first-level branches, and branches or network points.
The first router is provided with a wired interface and an Internet line outlet, and is used for transmitting the first data to the third router through the first VPN gateway and the third VPN gateway when a building-level disaster or a campus-level disaster occurs in the first-level branch.
A three-level VPN access structure is thus formed across the head office (where the VPN controller, the second VPN gateway and the third VPN gateway are deployed), the first-level branch (where the fourth VPN gateway is deployed), and the branch or network point (where the first VPN gateway is deployed).
The fourth VPN gateway located in the first-level branch aggregates the data of one or more first VPN gateways located in branches or network points. Compared with having each first VPN gateway send its data directly to the second VPN gateway (in which case each first VPN gateway needs its own VPN tunnel to the second VPN gateway, which would then have to terminate many tunnels), this relieves the tunnel-management load on the second VPN gateway in the head office.
The following embodiment of the present application describes a working process of the disaster recovery network system after disaster recovery of the first-level branch.
The operation of the disaster recovery network system after disaster recovery of the first-level branch is described with reference to fig. 1 and 2.
If the VPN controller 13 is in the second state, it sends third configuration information to the first VPN gateway 121 through the third VPN gateway 14, where the third configuration information instructs the first VPN gateway to establish a VPN tunnel with the second VPN gateway; in the second state the second router is able to receive the first data uploaded by the first router.
Based on the third configuration information, the first VPN gateway 121 disconnects the communication link with the first router 111, disconnects the VPN tunnel with the third VPN gateway 14, and establishes the VPN tunnel with the second VPN gateway 122. That is, the first VPN gateway 121 automatically disconnects both the communication link with the first router and the VPN tunnel with the third VPN gateway.
In an alternative embodiment, if the first VPN gateway and the first router 111 are deployed in a branch or network point, that is, in the same area, the connection between the first VPN gateway and the first router may be disconnected manually.
In an alternative embodiment, if the first VPN gateway 121 and the second terminal device are deployed in a branch or network point, that is, in the same area, the communication link between the first VPN gateway 121 and the second terminal device 18 may be established manually.
In an alternative embodiment, the first VPN gateway 121 may establish the communication link with the second terminal device 18 automatically.
In an alternative embodiment, if the third VPN gateway 14 and the third router 113 are deployed in the head office, that is, in the same area, the third VPN gateway 14 and the third router 113 may be disconnected manually.
In an optional embodiment, if the VPN controller 13 is in the second state, it sends fourth configuration information to the third VPN gateway, where the fourth configuration information instructs the third VPN gateway to disconnect the communication link with the third router; the third VPN gateway is further configured to disconnect the communication link with the third router based on the fourth configuration information. That is, the third VPN gateway disconnects the communication link with the third router automatically.
The operation of the disaster recovery network system after disaster recovery of the first-level branch is now described with reference to fig. 3 and fig. 2.
If the VPN controller 13 is in the second state, third configuration information is sent to the first VPN gateway 121 through the third VPN gateway 14, where the third configuration information instructs the first VPN gateway to establish a VPN tunnel with the second VPN gateway.
If the first VPN gateway transmits the second data to the second VPN gateway through the fourth VPN gateway, then based on the third configuration information the first VPN gateway 121 disconnects the VPN tunnel with the first router 111, disconnects the VPN tunnel with the third VPN gateway 14, and establishes the VPN tunnel with the fourth VPN gateway 31. That is, the first VPN gateway 121 automatically disconnects the VPN tunnels with the first router and with the third VPN gateway.
Where the disaster recovery network system includes the fourth VPN gateway, the fourth router and the fourth server of this embodiment are not shown in fig. 2.
After the first-level branch has recovered from the disaster, that is, when the VPN controller 13 is in the second state, the dedicated lines among the first router, the second router and the third router are available again, and the operation and maintenance personnel make the fallback decision, that is, put the VPN controller in the second state. The third configuration information is issued to the first VPN gateway by the VPN controller via path 2. The first VPN gateway then disconnects the Internet interface with the first router, closes the VPN tunnel with the third VPN gateway and restores the VPN tunnel with the second VPN gateway; at this point the service corresponding to the first data and the service corresponding to the second data are both restored to the normal state.
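The effect of the first, second, third and fourth configuration information is easiest to check on a link graph: apply each piece of configuration as the link and tunnel changes the description lists, then verify that the first data and the second data still have a path. The block below is an added example for this page, not code from the patent; the node names, the `simulate_disaster`/`simulate_recovery` helpers and the choice to model the fourth VPN gateway as present (the fig. 3 variant, where the third configuration information restores the tunnel to the fourth VPN gateway) are constructed for the illustration.

```python
"""Link-graph model of the configuration information issued in the first and
second state (constructed example; device names are labels, not addresses)."""
from collections import deque
from typing import Dict, List, Optional, Set


class LinkGraph:
    """Undirected graph of wired links and VPN tunnels between the devices."""

    def __init__(self) -> None:
        self.adj: Dict[str, Set[str]] = {}

    def connect(self, a: str, b: str) -> None:
        self.adj.setdefault(a, set()).add(b)
        self.adj.setdefault(b, set()).add(a)

    def disconnect(self, a: str, b: str) -> None:
        self.adj.get(a, set()).discard(b)
        self.adj.get(b, set()).discard(a)

    def isolate(self, node: str) -> None:
        """Remove every link of a device, modelling a failed router or gateway."""
        for peer in list(self.adj.get(node, ())):
            self.disconnect(node, peer)

    def path(self, src: str, dst: str) -> Optional[List[str]]:
        """Breadth-first search; returns the node sequence, or None if unreachable."""
        prev: Dict[str, Optional[str]] = {src: None}
        queue = deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                out = []
                while node is not None:
                    out.append(node)
                    node = prev[node]
                return out[::-1]
            for nxt in sorted(self.adj.get(node, ())):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        return None


def normal_topology() -> LinkGraph:
    """Normal service scenario with the fourth VPN gateway in the first-level branch."""
    g = LinkGraph()
    g.connect("first_terminal", "first_router")
    g.connect("first_router", "second_router")       # dedicated lines
    g.connect("second_router", "third_router")
    g.connect("second_terminal", "first_vpn_gw")
    g.connect("first_vpn_gw", "fourth_vpn_gw")       # VPN tunnel 2
    g.connect("fourth_vpn_gw", "second_vpn_gw")
    g.connect("vpn_controller", "second_vpn_gw")     # controller behind both head-office gateways
    g.connect("vpn_controller", "third_vpn_gw")
    return g


def apply_first_config(g: LinkGraph, first_router: str, third_vpn_gw: str) -> None:
    """First configuration information (first state): address of the first router
    and address of the third VPN gateway."""
    g.disconnect("first_vpn_gw", "second_vpn_gw")    # drop VPN tunnel 3
    g.disconnect("first_vpn_gw", "second_terminal")
    g.connect("first_vpn_gw", first_router)
    g.connect("first_vpn_gw", third_vpn_gw)          # VPN tunnel 1


def apply_second_config(g: LinkGraph, third_router: str) -> None:
    """Second configuration information: the third VPN gateway links to the third router."""
    g.connect("third_vpn_gw", third_router)


def apply_third_config(g: LinkGraph, target_gw: str) -> None:
    """Third configuration information (second state): tear down the detour and
    re-establish the tunnel to target_gw (the fourth VPN gateway when present)."""
    g.disconnect("first_vpn_gw", "first_router")
    g.disconnect("first_vpn_gw", "third_vpn_gw")
    g.connect("first_vpn_gw", target_gw)
    g.connect("first_vpn_gw", "second_terminal")


def apply_fourth_config(g: LinkGraph, third_router: str) -> None:
    """Fourth configuration information: the third VPN gateway drops the third router link."""
    g.disconnect("third_vpn_gw", third_router)


def simulate_disaster() -> LinkGraph:
    """Building- or campus-level disaster at the first-level branch, then the first state."""
    g = normal_topology()
    g.isolate("second_router")
    g.isolate("fourth_vpn_gw")
    g.connect("first_vpn_gw", "second_vpn_gw")       # backup VPN tunnel 3 comes up
    apply_first_config(g, "first_router", "third_vpn_gw")
    apply_second_config(g, "third_router")
    return g


def simulate_recovery(g: LinkGraph) -> LinkGraph:
    """Dedicated lines and the fourth VPN gateway return; controller enters the second state."""
    g.connect("first_router", "second_router")
    g.connect("second_router", "third_router")
    g.connect("fourth_vpn_gw", "second_vpn_gw")
    apply_fourth_config(g, "third_router")
    apply_third_config(g, "fourth_vpn_gw")
    return g
```

The path check is the useful part: after the first state is applied, the first data should reach the third router only through the first VPN gateway and third VPN gateway, and the second terminal is deliberately cut off; after recovery, the first data is back on the dedicated lines and the second data again flows through the fourth VPN gateway, with the third VPN gateway no longer attached to the third router.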
In this embodiment of the application, the communication network between the first VPN gateway and the second VPN gateway may be any one of the internet, a 3G network, a 4G network, and a 5G network; the communication network between the first VPN gateway and the fourth VPN gateway may be any one of the internet, a 3G network, a 4G network, and a 5G network; the communication network between the first VPN gateway and the first router can be any one of the internet, a 3G network, a 4G network, a 5G network and a wired network; the communication network between the third VPN gateway and the third router may be any one of the internet, a 3G network, a 4G network, a 5G network, and a wired network.
In an alternative embodiment, there may be one or more first-level branches and one or more branches or network points.
In the embodiment of the present application, a first-level branch together with the branches or network points under it may be treated as one bank as a whole.
The equipment deployed in one bank as a whole may include: one or more first routers, one or more second routers, one or more first VPN gateways, and one or more fourth VPN gateways.
The VPN controller 13, the third VPN gateway 14 and the second VPN gateway can be shared by a plurality of such banks.
In the embodiment of the application, the first VPN gateways and fourth VPN gateways of the plurality of banks, together with the second VPN gateway and the third VPN gateway located in the head office, can be uniformly scheduled by the VPN controller 13, so that free switching of VPN tunnels is realized and maintenance labor cost is reduced.
Note that the features described in the embodiments in the present specification may be replaced with or combined with each other. Since the device or system embodiments are basically similar to the method embodiment, their description is brief; for the relevant points, refer to the corresponding parts of the description of the method embodiment.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A disaster recovery network system, comprising:
the first service device comprises a first router, a second router and a third router; the first router is in wired connection with the second router, and the second router is in wired connection with the third router; the first router is used for transmitting first data obtained from first terminal equipment to the third router through the second router;
a second service device including a first Virtual Private Network (VPN) gateway and a second VPN gateway; the first VPN gateway is used for transmitting second data obtained from a second terminal device to the second VPN gateway;
the VPN controller is respectively connected with the second VPN gateway and the third VPN gateway and is used for sending first configuration information to the first VPN gateway through the second VPN gateway if the VPN controller is in a first state, wherein the first configuration information comprises the address of the first router and the address of the third VPN gateway; the second router cannot receive the first data uploaded by the first router in the first state;
the third VPN gateway is connected with the third router in the first state;
the first VPN gateway is further configured to disconnect a VPN tunnel with the second VPN gateway, disconnect a communication link with the second terminal device, establish a communication link with the first router, and establish a VPN tunnel with the third VPN gateway based on the first configuration information;
so that the first data is transmitted to the third router through the first router, the first VPN gateway, and the third VPN gateway.
2. The disaster-recovery network system according to claim 1,
the VPN controller is further configured to send second configuration information to the third VPN gateway if the VPN controller is in the first state; the second configuration information carries an address of the third router;
the third VPN gateway is further configured to establish a communication link with the third router based on the second configuration information.
3. The disaster-recovery network system according to claim 1, wherein the second service device further includes: a fourth VPN gateway; the first VPN gateway, when performing transmission of second data obtained from a second terminal device to the second VPN gateway, is specifically configured to:
and transmitting second data obtained from the second terminal equipment to the second VPN gateway through the fourth VPN gateway.
4. The disaster-recovery network system according to claim 3, wherein in the first state, the VPN tunnel between the first VPN gateway and the fourth VPN gateway is disconnected, and the first VPN gateway is configured with an address of the second VPN gateway and an address of the fourth VPN gateway;
the first VPN gateway is further configured to establish a VPN tunnel with the second VPN gateway based on the address of the second VPN gateway if it is detected that the VPN tunnel with the fourth VPN gateway is disconnected.
5. The disaster recovery network system as set forth in claim 4,
the VPN controller is further configured to determine that the first VPN gateway is in the first state if it is detected that the first VPN gateway is switched from the VPN tunnel with the fourth VPN gateway to the VPN tunnel with the second VPN gateway;
or,
the VPN controller is further used for generating alarm information if the first VPN gateway is detected to be switched from a VPN tunnel between the first VPN gateway and the fourth VPN gateway to a VPN tunnel between the first VPN gateway and the second VPN gateway; and sending the alarm information to a setting device.
6. The disaster-recovery network system according to claim 1,
the VPN controller is further configured to send third configuration information to the first VPN gateway through the third VPN gateway if the first VPN gateway is in the second state, where the third configuration information is used to instruct the first VPN gateway to establish a VPN tunnel with the second VPN gateway; the second router can receive the first data uploaded by the first router in the second state;
the first VPN gateway is further configured to disconnect a communication link with the first router and a VPN tunnel with the third VPN gateway, establish a VPN tunnel with the second VPN gateway, and establish a communication link with the second terminal device based on the third configuration information.
7. The disaster recovery network system according to claim 6,
the VPN controller is further configured to send fourth configuration information to the third VPN gateway if the VPN controller is in the second state, where the fourth configuration information is used to instruct the third VPN gateway to disconnect a communication link with the third router;
the third VPN gateway is further configured to disconnect a communication link with the third router based on the fourth configuration information.
8. The disaster-recovery network system according to claim 6 or 7, wherein the second service device further includes: a fourth VPN gateway;
the first VPN gateway, when performing transmission of second data obtained from a second terminal device to the second VPN gateway, is specifically configured to: transmitting second data obtained from the second terminal device to the second VPN gateway through the fourth VPN gateway;
the first VPN gateway, when performing establishment of a VPN tunnel with the second VPN gateway, is specifically configured to: establish a VPN tunnel with the fourth VPN gateway.
9. The disaster-recovery network system according to claim 1, wherein said VPN controller is further configured to:
detecting whether a VPN tunnel with the first VPN gateway is in a normal operation state based on an Internet packet explorer.
10. The disaster-recovery network system according to claim 1, wherein said VPN controller is further configured to:
and acquiring the equipment information of the first VPN gateway based on a simple network management protocol.
CN202010353376.6A 2020-04-29 2020-04-29 Disaster recovery network system Active CN111614537B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010353376.6A CN111614537B (en) 2020-04-29 2020-04-29 Disaster recovery network system

Publications (2)

Publication Number Publication Date
CN111614537A true CN111614537A (en) 2020-09-01
CN111614537B CN111614537B (en) 2022-03-01

Family

ID=72201230

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant