CN115134216B - A heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN - Google Patents

A heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN Download PDF

Info

Publication number
CN115134216B
CN115134216B CN202210605209.5A CN202210605209A CN115134216B CN 115134216 B CN115134216 B CN 115134216B CN 202210605209 A CN202210605209 A CN 202210605209A CN 115134216 B CN115134216 B CN 115134216B
Authority
CN
China
Prior art keywords
service
communication device
ipsec
communication equipment
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210605209.5A
Other languages
Chinese (zh)
Other versions
CN115134216A (en
Inventor
郭永立
梁海峰
任利波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Cncr Information Technology Co ltd
Original Assignee
Hangzhou Cncr Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Cncr Information Technology Co ltd filed Critical Hangzhou Cncr Information Technology Co ltd
Priority to CN202210605209.5A priority Critical patent/CN115134216B/en
Publication of CN115134216A publication Critical patent/CN115134216A/en
Application granted granted Critical
Publication of CN115134216B publication Critical patent/CN115134216B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0654Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application relates to a method, a system and a medium for protecting and scheduling a heterogeneous IPSEC tunnel by an SDWAN, wherein the method is applied to single-side path protection and comprises the following steps: respectively creating an IPSEC service on the first communication device and the second communication device through the upper management and control platform; the IPSEC service on the first communication equipment is distributed to be a main service role, and the IPSEC service on the second communication equipment is distributed to be a standby service role; monitoring the first communication equipment and the second communication equipment through the upper management control platform, if the main service on the first communication equipment cannot be operated, enabling the standby service on the second communication equipment, and simultaneously disabling the main service.

Description

一种依托于SDWAN的异机IPSEC隧道保护调度方法、系统和 介质A heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN

技术领域Technical Field

本申请涉及计算机通信技术领域,特别是涉及一种依托于SDWAN的异机IPSEC隧道保护调度方法、系统和介质。The present application relates to the field of computer communication technology, and in particular to a heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN.

背景技术Background technique

目前,IPSEC隧道的保护方案主要是针对单设备内的不同IPSEC隧道之间的保护,即单设备自身监控配置的隧道连通性,在主用隧道断连后,自动将业务切换到备用隧道。At present, the protection scheme of IPSEC tunnel is mainly aimed at the protection between different IPSEC tunnels in a single device, that is, the single device itself monitors the connectivity of the configured tunnels, and automatically switches the service to the backup tunnel after the main tunnel is disconnected.

目前针对相关技术中多设备间的IPSEC隧道保护方案缺乏高效管理的问题,尚未提出有效的解决方案。Currently, there is no effective solution to the problem that IPSEC tunnel protection solutions between multiple devices in related technologies lack efficient management.

发明内容Summary of the invention

本申请实施例提供了一种依托于SDWAN的异机IPSEC隧道保护调度方法、系统和介质,以至少解决相关技术中多设备间的IPSEC隧道保护方案缺乏高效管理的问题。The embodiments of the present application provide a heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN, so as to at least solve the problem of lack of efficient management of IPSEC tunnel protection solutions between multiple devices in the related art.

第一方面,本申请实施例提供了一种依托于SDWAN的异机IPSEC隧道保护调度方法,所述方法应用在单侧路径保护上,包括:In a first aspect, an embodiment of the present application provides a heterogeneous IPSEC tunnel protection scheduling method based on SDWAN, the method being applied to unilateral path protection, including:

通过上层管控平台在第一通信设备和第二通信设备上分别创建一个IPSEC业务;Creating an IPSEC service on the first communication device and the second communication device respectively through the upper-layer management and control platform;

将所述第一通信设备上的IPSEC业务分配为主用业务角色,将所述第二通信设备上的IPSEC业务分配为备用业务角色;Allocate the IPSEC service on the first communication device as a primary service role, and allocate the IPSEC service on the second communication device as a backup service role;

通过所述上层管控平台监听第一通信设备和第二通信设备,若监听到所述第一通信设备上的主用业务无法运行,则启用所述第二通信设备上的备用业务,同时停用所述主用业务。The first communication device and the second communication device are monitored by the upper-layer management and control platform. If it is detected that the primary service on the first communication device cannot be operated, the backup service on the second communication device is enabled and the primary service is disabled.

在其中一些实施例中,通过上层管控平台在第一通信设备和第二通信设备上分别创建一个IPSEC业务包括:In some embodiments, creating an IPSEC service on a first communication device and a second communication device respectively through an upper-layer management and control platform includes:

通过上层管控平台创建IPSEC业务,并判断通信设备是否上线,当第一通信设备和第二通信业务上线后,为所述第一通信设备和所述第二通信设备分别下发一个IPSEC业务,并配置所述IPSEC业务的保护参数。An IPSEC service is created through an upper-level management and control platform, and it is determined whether the communication device is online. When the first communication device and the second communication service are online, an IPSEC service is respectively issued to the first communication device and the second communication device, and protection parameters of the IPSEC service are configured.

在其中一些实施例中,将所述第一通信设备上的IPSEC业务分配为主用业务角色,将所述第二通信设备上的IPSEC业务分配为备用业务角色包括:In some embodiments, allocating the IPSEC service on the first communication device to a primary service role and allocating the IPSEC service on the second communication device to a backup service role includes:

将所述第一通信设备上的IPSEC业务分配为主用业务角色,所述主用业务的状态为已启用状态;Allocating the IPSEC service on the first communication device to a primary service role, wherein the primary service is in an enabled state;

将所述第二通信设备上的IPSEC业务分配为备用业务角色,所述备用业务的状态为未启用状态。The IPSEC service on the second communication device is assigned as a backup service role, and the status of the backup service is a disabled status.

在其中一些实施例中,通过所述上层管控平台监听第一通信设备和第二通信设备包括:In some embodiments, monitoring the first communication device and the second communication device through the upper-layer control platform includes:

通过所述上层管控平台监听第一通信设备和第二通信设备,根据通信设备中IPSEC业务的保护参数的返回值,判断所述通信设备的运行状态。The upper-layer management and control platform monitors the first communication device and the second communication device, and determines the operation status of the communication device according to the return value of the protection parameter of the IPSEC service in the communication device.

在其中一些实施例中,在启用所述第二通信设备上的备用业务,同时停用所述主用业务之后,所述方法还包括:In some embodiments, after enabling the backup service on the second communication device and disabling the primary service, the method further includes:

通过所述上层管控平台继续监听所述第一通信设备,若监听到所述第一通信设备上的主用业务恢复运行,则启用所述主用业务,同时停用所述第二通信设备上的备用业务。The first communication device is continuously monitored through the upper-layer management and control platform. If it is monitored that the primary service on the first communication device is restored, the primary service is enabled and the backup service on the second communication device is disabled.

在其中一些实施例中,将角色分配数据、业务下发数据和参数配置数据持久化存储到本地数据库中。In some of the embodiments, the role allocation data, service delivery data and parameter configuration data are persistently stored in a local database.

在其中一些实施例中,所述通信设备为依托于软件定义广域网下的通信设备。In some of the embodiments, the communication device is a communication device based on a software-defined wide area network.

第二方面,本申请实施例提供了一种依托于SDWAN的异机IPSEC隧道保护调度方法,所述方法应用在全链路路径保护上,包括:In a second aspect, an embodiment of the present application provides a heterogeneous IPSEC tunnel protection scheduling method based on SDWAN, which is applied to full-link path protection, including:

通过上层管控平台在第一链路和第二链路之间创建对应的IPSEC全局业务,其中,第一链路由若干通信设备组成,第二链路中也由若干通信设备组成;Creating a corresponding IPSEC global service between a first link and a second link through an upper-layer management and control platform, wherein the first link is composed of a plurality of communication devices, and the second link is also composed of a plurality of communication devices;

为所述IPSEC全局业务分配主用全局业务角色和备用全局业务角色;Allocating a primary global service role and a backup global service role for the IPSEC global service;

通过所述上层管控平台监听第一链路和第二链路,若监听到链路之间的主用全局业务无法运行,则启用链路之间的备用全局业务,同时停用所述主用全局业务。The first link and the second link are monitored by the upper-layer management and control platform. If it is monitored that the primary global service between the links cannot be operated, the backup global service between the links is enabled, and the primary global service is disabled at the same time.

第三方面,本申请实施例提供了一种依托于SDWAN的异机IPSEC隧道保护调度系统,所述系统应用在单侧路径保护上,所述系统包括业务创建模块和业务调度模块;In a third aspect, an embodiment of the present application provides a heterogeneous IPSEC tunnel protection scheduling system based on SDWAN, the system is applied to unilateral path protection, and the system includes a service creation module and a service scheduling module;

所述业务创建模块,用于通过上层管控平台在第一通信设备和第二通信设备上分别创建一个IPSEC业务;将所述第一通信设备上的IPSEC业务分配为主用业务角色,将所述第二通信设备上的IPSEC业务分配为备用业务角色;The service creation module is used to create an IPSEC service on the first communication device and the second communication device respectively through the upper-layer management and control platform; assign the IPSEC service on the first communication device to the primary service role, and assign the IPSEC service on the second communication device to the backup service role;

所述业务调度模块,用于通过所述上层管控平台监听第一通信设备和第二通信设备,若监听到所述第一通信设备上的主用业务无法运行,则启用所述第二通信设备上的备用业务,同时停用所述主用业务。The service scheduling module is used to monitor the first communication device and the second communication device through the upper-level management and control platform. If it is monitored that the main service on the first communication device cannot run, the backup service on the second communication device is enabled and the main service is disabled.

第四方面,本申请实施例提供了一种计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时实现如上述第一方面和第二方面所述的依托于SDWAN的异机IPSEC隧道保护调度方法。In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the heterogeneous IPSEC tunnel protection scheduling method based on SDWAN as described in the first and second aspects above.

相比于相关技术,本申请实施例提供的一种依托于SDWAN的异机IPSEC隧道保护调度方法、系统和介质,其中,该方法应用在单侧路径保护上,通过上层管控平台在第一通信设备和第二通信设备上分别创建一个IPSEC业务;将第一通信设备上的IPSEC业务分配为主用业务角色,将第二通信设备上的IPSEC业务分配为备用业务角色;通过上层管控平台监听第一通信设备和第二通信设备,若监听到第一通信设备上的主用业务无法运行,则启用第二通信设备上的备用业务,同时停用主用业务,解决了多设备间的IPSEC隧道保护方案缺乏高效管理的问题,实现了通过上层管控平台,监控不同设备的IPSEC隧道状态,提高了多设备场景下IPSEC隧道保护的管理效率。Compared with the related art, the embodiment of the present application provides a heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN, wherein the method is applied to single-side path protection, and an IPSEC service is created on the first communication device and the second communication device respectively through the upper-level management and control platform; the IPSEC service on the first communication device is assigned as the main service role, and the IPSEC service on the second communication device is assigned as the backup service role; the first communication device and the second communication device are monitored by the upper-level management and control platform, and if it is monitored that the main service on the first communication device cannot run, the backup service on the second communication device is enabled, and the main service is disabled at the same time, thereby solving the problem of lack of efficient management of IPSEC tunnel protection schemes between multiple devices, realizing monitoring of the IPSEC tunnel status of different devices through the upper-level management and control platform, and improving the management efficiency of IPSEC tunnel protection in multi-device scenarios.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

此处所说明的附图用来提供对本申请的进一步理解,构成本申请的一部分,本申请的示意性实施例及其说明用于解释本申请,并不构成对本申请的不当限定。在附图中:The drawings described herein are used to provide a further understanding of the present application and constitute a part of the present application. The illustrative embodiments of the present application and their descriptions are used to explain the present application and do not constitute an improper limitation on the present application. In the drawings:

图1是根据本申请实施例的依托于SDWAN的异机IPSEC隧道保护调度方法的步骤流程图一;FIG1 is a flowchart of a method for scheduling IPSEC tunnel protection for different machines based on SDWAN according to an embodiment of the present application;

图2是根据本申请实施例的依托于SDWAN的异机IPSEC隧道保护调度方法的步骤流程图二;FIG2 is a second flow chart of the steps of the heterogeneous machine IPSEC tunnel protection scheduling method based on SDWAN according to an embodiment of the present application;

图3是根据本申请实施例的依托于SDWAN的异机IPSEC隧道保护调度系统的结构框图;3 is a structural block diagram of a heterogeneous IPSEC tunnel protection scheduling system based on SDWAN according to an embodiment of the present application;

图4是根据本申请实施例的电子设备的内部结构示意图。FIG. 4 is a schematic diagram of the internal structure of an electronic device according to an embodiment of the present application.

附图说明:31、业务创建模块;32、业务调度模块。Description of the drawings: 31. Business creation module; 32. Business scheduling module.

具体实施方式Detailed ways

为了使本申请的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本申请进行描述和说明。应当理解,此处所描述的具体实施例仅仅用以解释本申请,并不用于限定本申请。基于本申请提供的实施例,本领域普通技术人员在没有作出创造性劳动的前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to make the purpose, technical solutions and advantages of the present application clearer, the present application is described and illustrated below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present application and are not intended to limit the present application. Based on the embodiments provided in the present application, all other embodiments obtained by ordinary technicians in the field without making creative work are within the scope of protection of the present application.

显而易见地,下面描述中的附图仅仅是本申请的一些示例或实施例,对于本领域的普通技术人员而言,在不付出创造性劳动的前提下,还可以根据这些附图将本申请应用于其他类似情景。此外,还可以理解的是,虽然这种开发过程中所作出的努力可能是复杂并且冗长的,然而对于与本申请公开的内容相关的本领域的普通技术人员而言,在本申请揭露的技术内容的基础上进行的一些设计,制造或者生产等变更只是常规的技术手段,不应当理解为本申请公开的内容不充分。Obviously, the drawings described below are only some examples or embodiments of the present application. For ordinary technicians in this field, the present application can also be applied to other similar scenarios based on these drawings without creative work. In addition, it can also be understood that although the efforts made in this development process may be complicated and lengthy, for ordinary technicians in this field related to the content disclosed in this application, some changes in design, manufacturing or production based on the technical content disclosed in this application are just conventional technical means, and should not be understood as insufficient content disclosed in this application.

在本申请中提及“实施例”意味着,结合实施例描述的特定特征、结构或特性可以包含在本申请的至少一个实施例中。在说明书中的各个位置出现该短语并不一定均是指相同的实施例,也不是与其它实施例互斥的独立的或备选的实施例。本领域普通技术人员显式地和隐式地理解的是,本申请所描述的实施例在不冲突的情况下,可以与其它实施例相结合。Reference to "embodiments" in this application means that a particular feature, structure, or characteristic described in conjunction with the embodiments may be included in at least one embodiment of the present application. The appearance of the phrase in various locations in the specification does not necessarily refer to the same embodiment, nor is it an independent or alternative embodiment that is mutually exclusive with other embodiments. It is explicitly and implicitly understood by those of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.

除非另作定义,本申请所涉及的技术术语或者科学术语应当为本申请所属技术领域内具有一般技能的人士所理解的通常意义。本申请所涉及的“一”、“一个”、“一种”、“该”等类似词语并不表示数量限制,可表示单数或复数。本申请所涉及的术语“包括”、“包含”、“具有”以及它们任何变形,意图在于覆盖不排他的包含;例如包含了一系列步骤或模块(单元)的过程、方法、系统、产品或设备没有限定于已列出的步骤或单元,而是可以还包括没有列出的步骤或单元,或可以还包括对于这些过程、方法、产品或设备固有的其它步骤或单元。本申请所涉及的“连接”、“相连”、“耦接”等类似的词语并非限定于物理的或者机械的连接,而是可以包括电气的连接,不管是直接的还是间接的。本申请所涉及的“多个”是指两个或两个以上。“和/或”描述关联对象的关联关系,表示可以存在三种关系,例如,“A和/或B”可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。字符“/”一般表示前后关联对象是一种“或”的关系。本申请所涉及的术语“第一”、“第二”、“第三”等仅仅是区别类似的对象,不代表针对对象的特定排序。Unless otherwise defined, the technical terms or scientific terms involved in this application should be understood by people with ordinary skills in the technical field to which this application belongs. The words "one", "a", "a", "the" and the like involved in this application do not indicate a quantitative limitation, and may represent the singular or plural. The terms "include", "comprise", "have" and any of their variations involved in this application are intended to cover non-exclusive inclusions; for example, a process, method, system, product or device that includes a series of steps or modules (units) is not limited to the listed steps or units, but may also include steps or units that are not listed, or may also include other steps or units inherent to these processes, methods, products or devices. The words "connect", "connected", "coupled" and the like involved in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The "multiple" involved in this application refers to two or more. "And/or" describes the association relationship of associated objects, indicating that there may be three relationships, for example, "A and/or B" can represent: A exists alone, A and B exist at the same time, and B exists alone. The character "/" generally indicates that the objects before and after are in an "or" relationship. The terms "first", "second", "third", etc. involved in this application are only used to distinguish similar objects and do not represent a specific ordering of the objects.

本申请实施例提供了一种依托于SDWAN的异机IPSEC隧道保护调度方法,图1是根据本申请实施例的依托于SDWAN的异机IPSEC隧道保护调度方法的步骤流程图一,如图1所示,该方法应用在单侧路径保护上,包括以下步骤:The embodiment of the present application provides a heterogeneous IPSEC tunnel protection scheduling method based on SDWAN. FIG1 is a flow chart of the steps of the heterogeneous IPSEC tunnel protection scheduling method based on SDWAN according to the embodiment of the present application. As shown in FIG1, the method is applied to unilateral path protection, including the following steps:

步骤S102,通过上层管控平台在第一通信设备和第二通信设备上分别创建一个IPSEC业务;Step S102, creating an IPSEC service on the first communication device and the second communication device respectively through the upper layer management and control platform;

具体地,通过上层管控平台创建IPSEC业务,并判断通信设备是否上线,当第一通信设备和第二通信业务上线后,为第一通信设备和第二通信设备分别下发一个IPSEC业务,并配置IPSEC业务的保护参数。该保护参数定义两种返回方式,一是返回返回值,二是不返回返回值。用于上层管控平台判断通信设备中IPSEC业务的运行状况。Specifically, an IPSEC service is created through the upper-level control platform, and it is determined whether the communication device is online. When the first communication device and the second communication service are online, an IPSEC service is issued to the first communication device and the second communication device respectively, and the protection parameters of the IPSEC service are configured. The protection parameter defines two return modes, one is to return the return value, and the other is not to return the return value. It is used by the upper-level control platform to determine the operating status of the IPSEC service in the communication device.

需要说明的是,上述第一通信设备和第二通信设备为依托于软件定义广域网(Software Defined Wide Area Network或SDWAN)下的通信设备。SDWAN是将SDN技术应用到广域网场景中所形成的一种服务,这种服务用于连接广阔地理范围的企业网络、数据中心、互联网应用及云服务。此外,IPSEC(Internet Protocol Security)是一组基于网络层的、应用密码学的安全通信协议族。IPSEC不是具体指哪个协议,而是一个开放的协议族。IPSEC协议的设计目标:在IPV4和IPV6环境中为网络层流量提供灵活的安全服务。IPSECVPN:基于IPSEC协议族构建的在IP层实现的安全虚拟专用网。通过在数据包中插入一个预定义头部的方式,来保障OSI上层协议数据的安全,主要用于保护TCP、UDP、ICMP和隧道的IP数据包。It should be noted that the first communication device and the second communication device are communication devices based on the Software Defined Wide Area Network (SDWAN). SDWAN is a service formed by applying SDN technology to the wide area network scenario. This service is used to connect enterprise networks, data centers, Internet applications and cloud services in a wide geographical range. In addition, IPSEC (Internet Protocol Security) is a group of secure communication protocols based on the network layer and applied cryptography. IPSEC does not refer to a specific protocol, but an open protocol family. The design goal of the IPSEC protocol: to provide flexible security services for network layer traffic in IPV4 and IPV6 environments. IPSECVPN: A secure virtual private network implemented at the IP layer based on the IPSEC protocol family. The security of OSI upper layer protocol data is guaranteed by inserting a predefined header into the data packet, which is mainly used to protect TCP, UDP, ICMP and tunnel IP data packets.

步骤S104,将第一通信设备上的IPSEC业务分配为主用业务角色,将第二通信设备上的IPSEC业务分配为备用业务角色;Step S104, assigning the IPSEC service on the first communication device to a primary service role, and assigning the IPSEC service on the second communication device to a backup service role;

具体地,将第一通信设备上的IPSEC业务分配为主用业务角色,主用业务的状态为已启用状态;将第二通信设备上的IPSEC业务分配为备用业务角色,备用业务的状态为未启用状态。Specifically, the IPSEC service on the first communication device is assigned to a primary service role, and the status of the primary service is enabled; the IPSEC service on the second communication device is assigned to a backup service role, and the status of the backup service is disabled.

步骤S106,通过上层管控平台监听第一通信设备和第二通信设备,若监听到第一通信设备上的主用业务无法运行,则启用第二通信设备上的备用业务,同时停用主用业务。Step S106, monitoring the first communication device and the second communication device through the upper-level management and control platform, if it is monitored that the primary service on the first communication device cannot run, the backup service on the second communication device is enabled, and the primary service is disabled.

具体地,通过上层管控平台监听第一通信设备和第二通信设备,根据通信设备中IPSEC业务的保护参数的返回值,判断通信设备的运行状态。如若监听到保护参数的返回值为主用业务断连或劣化的信息,则该通信设备的运行状态异常,即该通信设备上的主用业务无法运行。在这种情况下,启用第二通信设备上的备用业务,同时停用主用业务。Specifically, the upper-level control platform monitors the first communication device and the second communication device, and judges the operation status of the communication device according to the return value of the protection parameter of the IPSEC service in the communication device. If the return value of the protection parameter is information that the main service is disconnected or degraded, the operation status of the communication device is abnormal, that is, the main service on the communication device cannot run. In this case, the backup service on the second communication device is enabled, and the main service is disabled at the same time.

优选地,在步骤S106之后,通过上层管控平台继续监听第一通信设备,若监听到第一通信设备上的主用业务恢复运行,则启用主用业务,同时停用第二通信设备上的备用业务。Preferably, after step S106, the first communication device is continuously monitored through the upper-layer management and control platform. If it is monitored that the primary service on the first communication device is restored, the primary service is enabled and the backup service on the second communication device is disabled.

通过本申请实施例中的步骤S102至步骤S106,解决了多设备间的IPSEC隧道保护方案缺乏高效管理的问题,实现了通过上层管控平台,监控不同设备的IPSEC隧道状态,提高了多设备场景下IPSEC隧道保护的管理效率。Through steps S102 to S106 in the embodiment of the present application, the problem of lack of efficient management of IPSEC tunnel protection schemes between multiple devices is solved, and the IPSEC tunnel status of different devices is monitored through the upper-level management and control platform, thereby improving the management efficiency of IPSEC tunnel protection in multi-device scenarios.

本申请实施例提供了一种依托于SDWAN的异机IPSEC隧道保护调度方法,图2是根据本申请实施例的依托于SDWAN的异机IPSEC隧道保护调度方法的步骤流程图二,如图2所示,该方法应用在全链路路径保护上,包括以下步骤:The embodiment of the present application provides a heterogeneous IPSEC tunnel protection scheduling method based on SDWAN. FIG. 2 is a flow chart of the steps of the heterogeneous IPSEC tunnel protection scheduling method based on SDWAN according to the embodiment of the present application. As shown in FIG. 2 , the method is applied to full-link path protection, including the following steps:

步骤S202,通过上层管控平台在第一链路和第二链路之间创建对应的IPSEC全局业务,其中,第一链路由若干通信设备组成,第二链路中也由若干通信设备组成;Step S202, creating a corresponding IPSEC global service between a first link and a second link through an upper-layer management and control platform, wherein the first link is composed of a plurality of communication devices, and the second link is also composed of a plurality of communication devices;

具体地,通过上层管控平台在第一链路和第二链路之间创建对应的IPSEC全局业务,并配置IPSEC全局业务的保护参数。该保护参数定义两种返回方式,一是返回返回值,二是不返回返回值。用于上层管控平台判断IPSEC全局业务的运行状况。Specifically, a corresponding IPSEC global service is created between the first link and the second link through the upper-layer control platform, and the protection parameters of the IPSEC global service are configured. The protection parameters define two return modes, one is to return a return value, and the other is not to return a return value. The upper-layer control platform is used to judge the operation status of the IPSEC global service.

需要说明的是,该IPSEC全局业务指的是端对端业务(即成对的两个单点业务),如:公司总部有通信设备A、通信设备B,公司办事处有通信设备C、通信设备D;通信设备A与通信设备C连接,通信设备B与通信设备D连接,在A、B、C、D上各建立一个IPSEC业务;那么通信设备A与通信设备C上的两个IPSEC业务组成IPSEC全局业务,通信设备B与通信设备D上的两个IPSEC业务组成IPSEC全局业务。It should be noted that the IPSEC global service refers to an end-to-end service (i.e., two single-point services in pairs), such as: the company headquarters has communication equipment A and communication equipment B, and the company office has communication equipment C and communication equipment D; communication equipment A is connected to communication equipment C, and communication equipment B is connected to communication equipment D, and an IPSEC service is established on each of A, B, C, and D; then the two IPSEC services on communication equipment A and communication equipment C constitute the IPSEC global service, and the two IPSEC services on communication equipment B and communication equipment D constitute the IPSEC global service.

步骤S204,为IPSEC全局业务分配主用全局业务角色和备用全局业务角色;Step S204, allocating a primary global service role and a backup global service role for the IPSEC global service;

具体地,主用全局业务的状态为已启用状态;备用全局业务的状态为未启用状态。Specifically, the state of the primary global service is an enabled state; the state of the backup global service is a disabled state.

步骤S206,通过上层管控平台监听第一链路和第二链路,若监听到链路之间的主用全局业务无法运行,则启用链路之间的备用全局业务,同时停用主用全局业务。Step S206, monitoring the first link and the second link through the upper-layer management and control platform, if it is monitored that the primary global service between the links cannot run, the backup global service between the links is enabled, and the primary global service is disabled.

具体地,通过上层管控平台监听第一链路和第二链路中的通信设备,根据IPSEC全局业务的保护参数的返回值,判断通信设备的运行状态。如若监听到保护参数的返回值为主用全局业务断连或劣化的信息,则该通信设备的运行状态异常,即通信设备上的主用全局业务无法运行。在这种情况下,启用链路间的备用全局业务,同时停用主用全局业务。Specifically, the communication devices in the first link and the second link are monitored by the upper-layer control platform, and the operation status of the communication devices is determined according to the return value of the protection parameter of the IPSEC global service. If the return value of the protection parameter is information that the main global service is disconnected or degraded, the operation status of the communication device is abnormal, that is, the main global service on the communication device cannot run. In this case, the backup global service between the links is enabled, and the main global service is disabled at the same time.

优选地,在步骤S106之后,通过上层管控平台继续监听第一链路和第二链路中的通信设备,若监听到主用全局业务恢复运行,则启用该主用全局业务,同时停用链路间的备用全局业务。Preferably, after step S106, the upper-layer management and control platform continues to monitor the communication devices in the first link and the second link. If it is monitored that the primary global service is restored, the primary global service is enabled and the backup global service between the links is disabled.

通过本申请实施例中的步骤S202至步骤S206,解决了多设备间的IPSEC隧道保护方案缺乏高效管理的问题,实现了通过上层管控平台,监控不同设备的IPSEC隧道状态,提高了多设备场景下IPSEC隧道保护的管理效率。Through steps S202 to S206 in the embodiment of the present application, the problem of lack of efficient management of IPSEC tunnel protection schemes between multiple devices is solved, and the IPSEC tunnel status of different devices is monitored through the upper-level management and control platform, thereby improving the management efficiency of IPSEC tunnel protection in multi-device scenarios.

需要说明的是,在上述流程中或者附图的流程图中示出的步骤可以在诸如一组计算机可执行指令的计算机系统中执行,并且,虽然在流程图中示出了逻辑顺序,但是在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤。It should be noted that the steps shown in the above process or the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowchart, in some cases, the steps shown or described can be executed in an order different from that shown here.

本申请实施例提供了一种依托于SDWAN的异机IPSEC隧道保护调度系统,图3是根据本申请实施例的依托于SDWAN的异机IPSEC隧道保护调度系统的结构框图,如图3所示,该系统应用在单侧路径保护上,包括业务创建模块31和业务调度模块32;The embodiment of the present application provides a heterogeneous IPSEC tunnel protection scheduling system based on SDWAN. FIG3 is a structural block diagram of the heterogeneous IPSEC tunnel protection scheduling system based on SDWAN according to the embodiment of the present application. As shown in FIG3, the system is applied to single-side path protection, including a service creation module 31 and a service scheduling module 32;

业务创建模块31,用于通过上层管控平台在第一通信设备和第二通信设备上分别创建一个IPSEC业务;将第一通信设备上的IPSEC业务分配为主用业务角色,将第二通信设备上的IPSEC业务分配为备用业务角色;The service creation module 31 is used to create an IPSEC service on the first communication device and the second communication device respectively through the upper-layer management and control platform; assign the IPSEC service on the first communication device to the primary service role, and assign the IPSEC service on the second communication device to the backup service role;

业务调度模块32,用于通过上层管控平台监听第一通信设备和第二通信设备,若监听到第一通信设备上的主用业务无法运行,则启用第二通信设备上的备用业务,同时停用主用业务。The service scheduling module 32 is used to monitor the first communication device and the second communication device through the upper management and control platform. If it is monitored that the main service on the first communication device cannot run, the backup service on the second communication device is enabled and the main service is disabled.

通过本申请实施例中的业务创建模块31和业务调度模块32,解决了多设备间的IPSEC隧道保护方案缺乏高效管理的问题,实现了通过上层管控平台,监控不同设备的IPSEC隧道状态,提高了多设备场景下IPSEC隧道保护的管理效率。Through the service creation module 31 and the service scheduling module 32 in the embodiment of the present application, the problem of lack of efficient management of IPSEC tunnel protection schemes between multiple devices is solved, and the IPSEC tunnel status of different devices is monitored through the upper-level management and control platform, thereby improving the management efficiency of IPSEC tunnel protection in multi-device scenarios.

需要说明的是,上述各个模块可以是功能模块也可以是程序模块,既可以通过软件来实现,也可以通过硬件来实现。对于通过硬件来实现的模块而言,上述各个模块可以位于同一处理器中;或者上述各个模块还可以按照任意组合的形式分别位于不同的处理器中。It should be noted that the above modules can be functional modules or program modules, and can be implemented by software or hardware. For modules implemented by hardware, the above modules can be located in the same processor; or the above modules can be located in different processors in any combination.

本实施例还提供了一种电子装置,包括存储器和处理器,该存储器中存储有计算机程序,该处理器被设置为运行计算机程序以执行上述任一项方法实施例中的步骤。This embodiment further provides an electronic device, including a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program to execute the steps in any one of the above method embodiments.

可选地,上述电子装置还可以包括传输设备以及输入输出设备,其中,该传输设备和上述处理器连接,该输入输出设备和上述处理器连接。Optionally, the electronic device may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.

需要说明的是,本实施例中的具体示例可以参考上述实施例及可选实施方式中所描述的示例,本实施例在此不再赘述。It should be noted that the specific examples in this embodiment can refer to the examples described in the above embodiments and optional implementation modes, and this embodiment will not be described in detail here.

另外,结合上述实施例中的依托于SDWAN的异机IPSEC隧道保护调度方法,本申请实施例可提供一种存储介质来实现。该存储介质上存储有计算机程序;该计算机程序被处理器执行时实现上述实施例中的任意一种依托于SDWAN的异机IPSEC隧道保护调度方法。In addition, in combination with the heterogeneous IPSEC tunnel protection scheduling method based on SDWAN in the above embodiment, the embodiment of the present application can provide a storage medium for implementation. The storage medium stores a computer program; when the computer program is executed by the processor, any heterogeneous IPSEC tunnel protection scheduling method based on SDWAN in the above embodiment is implemented.

在一个实施例中,提供了一种计算机设备,该计算机设备可以是终端。该计算机设备包括通过系统总线连接的处理器、存储器、网络接口、显示屏和输入装置。其中,该计算机设备的处理器用于提供计算和控制能力。该计算机设备的存储器包括非易失性存储介质、内存储器。该非易失性存储介质存储有操作系统和计算机程序。该内存储器为非易失性存储介质中的操作系统和计算机程序的运行提供环境。该计算机设备的网络接口用于与外部的终端通过网络连接通信。该计算机程序被处理器执行时以实现一种依托于SDWAN的异机IPSEC隧道保护调度方法。该计算机设备的显示屏可以是液晶显示屏或者电子墨水显示屏,该计算机设备的输入装置可以是显示屏上覆盖的触摸层,也可以是计算机设备外壳上设置的按键、轨迹球或触控板,还可以是外接的键盘、触控板或鼠标等。In one embodiment, a computer device is provided, which may be a terminal. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected through a system bus. The processor of the computer device is used to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The network interface of the computer device is used to communicate with an external terminal through a network connection. When the computer program is executed by the processor, a heterogeneous IPSEC tunnel protection scheduling method based on SDWAN is implemented. The display screen of the computer device may be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer device may be a touch layer covered on the display screen, or a key, trackball or touchpad provided on the housing of the computer device, or an external keyboard, touchpad or mouse.

在一个实施例中,图4是根据本申请实施例的电子设备的内部结构示意图,如图4所示,提供了一种电子设备,该电子设备可以是服务器,其内部结构图可以如图4所示。该电子设备包括通过内部总线连接的处理器、网络接口、内存储器和非易失性存储器,其中,该非易失性存储器存储有操作系统、计算机程序和数据库。处理器用于提供计算和控制能力,网络接口用于与外部的终端通过网络连接通信,内存储器用于为操作系统和计算机程序的运行提供环境,计算机程序被处理器执行时以实现一种依托于SDWAN的异机IPSEC隧道保护调度方法,数据库用于存储数据。In one embodiment, FIG4 is a schematic diagram of the internal structure of an electronic device according to an embodiment of the present application. As shown in FIG4, an electronic device is provided, which may be a server, and its internal structure diagram may be as shown in FIG4. The electronic device includes a processor, a network interface, an internal memory, and a non-volatile memory connected through an internal bus, wherein the non-volatile memory stores an operating system, a computer program, and a database. The processor is used to provide computing and control capabilities, the network interface is used to communicate with an external terminal through a network connection, the internal memory is used to provide an environment for the operation of the operating system and the computer program, and the computer program is executed by the processor to implement a heterogeneous IPSEC tunnel protection scheduling method based on SDWAN, and the database is used to store data.

本领域技术人员可以理解,图4中示出的结构,仅仅是与本申请方案相关的部分结构的框图,并不构成对本申请方案所应用于其上的电子设备的限定,具体的电子设备可以包括比图中所示更多或更少的部件,或者组合某些部件,或者具有不同的部件布置。Those skilled in the art will understand that the structure shown in FIG. 4 is merely a block diagram of a partial structure related to the scheme of the present application, and does not constitute a limitation on the electronic device to which the scheme of the present application is applied. The specific electronic device may include more or fewer components than shown in the figure, or combine certain components, or have a different arrangement of components.

本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,是可以通过计算机程序来指令相关的硬件来完成,该计算机程序可存储于一非易失性计算机可读取存储介质中,该计算机程序在执行时,可包括如上述各方法的实施例的流程。其中,本申请所提供的各实施例中所使用的对存储器、存储、数据库或其它介质的任何引用,均可包括非易失性和/或易失性存储器。非易失性存储器可包括只读存储器(ROM)、可编程ROM(PROM)、电可编程ROM(EPROM)、电可擦除可编程ROM(EEPROM)或闪存。易失性存储器可包括随机存取存储器(RAM)或者外部高速缓冲存储器。作为说明而非局限,RAM以多种形式可得,诸如静态RAM(SRAM)、动态RAM(DRAM)、同步DRAM(SDRAM)、双数据率SDRAM(DDRSDRAM)、增强型SDRAM(ESDRAM)、同步链路(Synchlink)DRAM(SLDRAM)、存储器总线(Rambus)直接RAM(RDRAM)、直接存储器总线动态RAM(DRDRAM)、以及存储器总线动态RAM(RDRAM)等。Those skilled in the art can understand that all or part of the processes in the above-mentioned embodiment methods can be completed by instructing the relevant hardware through a computer program, and the computer program can be stored in a non-volatile computer-readable storage medium. When the computer program is executed, it can include the processes of the embodiments of the above-mentioned methods. Among them, any reference to memory, storage, database or other media used in the embodiments provided in this application can include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. As an illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link (Synchlink) DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).

本领域的技术人员应该明白,以上所述实施例的各技术特征可以进行任意的组合,为使描述简洁,未对上述实施例中的各个技术特征所有可能的组合都进行描述,然而,只要这些技术特征的组合不存在矛盾,都应当认为是本说明书记载的范围。Those skilled in the art should understand that the technical features of the above-described embodiments may be arbitrarily combined. To make the description concise, not all possible combinations of the technical features in the above-described embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.

以上所述实施例仅表达了本申请的几种实施方式,其描述较为具体和详细,但并不能因此而理解为对发明专利范围的限制。应当指出的是,对于本领域的普通技术人员来说,在不脱离本申请构思的前提下,还可以做出若干变形和改进,这些都属于本申请的保护范围。因此,本申请专利的保护范围应以所附权利要求为准。The above-mentioned embodiments only express several implementation methods of the present application, and the descriptions thereof are relatively specific and detailed, but they cannot be understood as limiting the scope of the invention patent. It should be pointed out that, for a person of ordinary skill in the art, several variations and improvements can be made without departing from the concept of the present application, and these all belong to the protection scope of the present application. Therefore, the protection scope of the patent of the present application shall be subject to the attached claims.

Claims (9)

1. The method is characterized by being applied to single-side path protection and comprises the following steps:
respectively creating an IPSEC service on the first communication device and the second communication device through the upper management and control platform;
distributing IPSEC service on the first communication equipment as a main service role, wherein the state of the main service is an enabled state; the IPSEC service on the second communication equipment is distributed to be a standby service role, the state of the standby service is a non-starting state, wherein the first communication equipment communicates with third communication equipment through the IPSEC service of the main service role, and the second communication equipment communicates with fourth communication equipment through the IPSEC service of the standby service role;
monitoring a first communication device and a second communication device through the upper management and control platform, and if the monitoring that the main service on the first communication device cannot run, starting the standby service on the second communication device and simultaneously stopping the main service.
2. The method of claim 1, wherein creating, by the upper management platform, one IPSEC service on the first communication device and the second communication device respectively comprises:
and establishing IPSEC service through an upper management and control platform, judging whether the communication equipment is on line, respectively issuing an IPSEC service for the first communication equipment and the second communication equipment after the first communication equipment and the second communication equipment are on line, and configuring protection parameters of the IPSEC service.
3. The method of claim 2, wherein listening to the first communication device and the second communication device through the upper management platform comprises:
and monitoring the first communication equipment and the second communication equipment through the upper management and control platform, and judging the running state of the communication equipment according to the return value of the protection parameters of the IPSEC service in the communication equipment.
4. The method of claim 1, wherein after enabling the backup service on the second communication device while disabling the active service, the method further comprises:
and continuing to monitor the first communication equipment through the upper management and control platform, and if the primary service on the first communication equipment is monitored to resume operation, starting the primary service, and simultaneously stopping the standby service on the second communication equipment.
5. The method according to any of claims 1-4, characterized in that the role assignment data, the traffic delivery data and the parameter configuration data are persisted in a local database.
6. The method of any of claims 1-4, wherein the communication device is a software defined wide area network (ww an) based communication device.
7. The method is characterized by being applied to full-link path protection and comprises the following steps:
the first link comprises a communication device A and a communication device B, and the second link comprises a communication device C and a communication device D, wherein the communication device A and the communication device C are connected and communicated by means of a software-defined wide area network SDWAN, and the communication device B and the communication device D are connected and communicated by means of the software-defined wide area network SDWAN;
creating IPSEC services on the communication device a and the communication device C respectively through an upper management and control platform to form a first IPSEC global service, and creating IPSEC services on the communication device B and the communication device D respectively through an upper management and control platform to form a second IPSEC global service;
distributing a main global service role for the first IPSEC global service, and distributing a standby global service role for the second IPSEC global service, wherein the state of the main global service is an enabled state; the state of the standby global service is an inactive state;
and monitoring the first link and the second link through the upper management and control platform, and if the active global service between the links cannot be operated, enabling the standby global service between the links and simultaneously disabling the active global service.
8. The system is characterized by being applied to single-side path protection and comprises a service creation module and a service scheduling module;
the business creation module is used for creating an IPSEC business on the first communication equipment and the second communication equipment through the upper management and control platform respectively; distributing IPSEC service on the first communication equipment as a main service role, wherein the state of the main service is an enabled state; the IPSEC service on the second communication equipment is distributed to be a standby service role, the state of the standby service is a non-starting state, wherein the first communication equipment communicates with third communication equipment through the IPSEC service of the main service role, and the second communication equipment communicates with fourth communication equipment through the IPSEC service of the standby service role;
the service scheduling module is configured to monitor, through the upper management and control platform, the first communication device and the second communication device, and if it is monitored that the primary service on the first communication device cannot operate, enable the standby service on the second communication device, and simultaneously disable the primary service.
9. A computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the SDWAN-dependent heterogeneous IPSEC tunnel protection scheduling method according to any of claims 1 to 7.
CN202210605209.5A 2022-05-30 2022-05-30 A heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN Active CN115134216B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210605209.5A CN115134216B (en) 2022-05-30 2022-05-30 A heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210605209.5A CN115134216B (en) 2022-05-30 2022-05-30 A heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN

Publications (2)

Publication Number Publication Date
CN115134216A CN115134216A (en) 2022-09-30
CN115134216B true CN115134216B (en) 2024-04-12

Family

ID=83377946

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210605209.5A Active CN115134216B (en) 2022-05-30 2022-05-30 A heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN

Country Status (1)

Country Link
CN (1) CN115134216B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931610A (en) * 2009-06-22 2010-12-29 华为技术有限公司 A method and device for protecting an internet protocol security link
CN105704747A (en) * 2014-11-25 2016-06-22 中兴通讯股份有限公司 Method and device for base station to transmit control/service data reliably
CN106533884A (en) * 2016-11-28 2017-03-22 迈普通信技术股份有限公司 Message transmission method, convergence device, switch and VRRP system
CN110024432A (en) * 2016-11-29 2019-07-16 华为技术有限公司 A kind of X2 business transmitting method and the network equipment
CN111385180A (en) * 2018-12-28 2020-07-07 中国移动通信集团重庆有限公司 Communication tunnel construction method, device, equipment and medium
CN111835639A (en) * 2020-07-06 2020-10-27 杭州网银互联科技股份有限公司 SD-WAN network intelligent link selection method based on cloud computing
CN113542098A (en) * 2021-07-13 2021-10-22 中国电信股份有限公司 Method, system, device and storage medium for establishing and switching SD-WAN tunnel
CN113676493A (en) * 2021-09-29 2021-11-19 网宿科技股份有限公司 A kind of communication method and electronic device based on MOBIKE protocol
CN114036576A (en) * 2021-10-29 2022-02-11 北京天融信网络安全技术有限公司 Method and device for recovering ipsec tunnel and readable storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9137198B2 (en) * 2011-10-21 2015-09-15 Hewlett-Packard Development Company, L.P. Centralized configuration with dynamic distributed address management
US10061664B2 (en) * 2015-01-15 2018-08-28 Cisco Technology, Inc. High availability and failover

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931610A (en) * 2009-06-22 2010-12-29 华为技术有限公司 A method and device for protecting an internet protocol security link
CN105704747A (en) * 2014-11-25 2016-06-22 中兴通讯股份有限公司 Method and device for base station to transmit control/service data reliably
CN106533884A (en) * 2016-11-28 2017-03-22 迈普通信技术股份有限公司 Message transmission method, convergence device, switch and VRRP system
CN110024432A (en) * 2016-11-29 2019-07-16 华为技术有限公司 A kind of X2 business transmitting method and the network equipment
CN111385180A (en) * 2018-12-28 2020-07-07 中国移动通信集团重庆有限公司 Communication tunnel construction method, device, equipment and medium
CN111835639A (en) * 2020-07-06 2020-10-27 杭州网银互联科技股份有限公司 SD-WAN network intelligent link selection method based on cloud computing
CN113542098A (en) * 2021-07-13 2021-10-22 中国电信股份有限公司 Method, system, device and storage medium for establishing and switching SD-WAN tunnel
CN113676493A (en) * 2021-09-29 2021-11-19 网宿科技股份有限公司 A kind of communication method and electronic device based on MOBIKE protocol
CN114036576A (en) * 2021-10-29 2022-02-11 北京天融信网络安全技术有限公司 Method and device for recovering ipsec tunnel and readable storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Gokul Geetha Narayanan ; RA.K Saravanaguru.Securing VM Migration Through IPSec Tunneling and Onion Routing Algorithm.IEEE.2019,全文. *
基于MPLS的VPN技术应用于企业网络出局线路备份的构想;李洁;陈震;孙蔚;周岐华;;通信技术;20190510(第05期);全文 *

Also Published As

Publication number Publication date
CN115134216A (en) 2022-09-30

Similar Documents

Publication Publication Date Title
US10476762B2 (en) End-to-end policy enforcement in the presence of a traffic midpoint device
CN103580880B (en) Method, equipment and system abnormal a kind of fast notification CGN
US10764127B2 (en) Techniques for virtualized network capacity management
US10091102B2 (en) Tunnel sub-interface using IP header field
US20200244486A1 (en) Dynamic customer vlan identifiers in a telecommunications network
CN102447583B (en) The method and device of the two-node cluster hot backup of network address translation apparatus
CN105531966B (en) The method, apparatus and system of message routing are realized in a kind of network
CN103916320B (en) Message processing method and device after a kind of VM equipment across-the-wire migration
CN105406987A (en) Method for external network client to access private cloud desktop
CN113612866B (en) Address detection method and device, computer equipment and storage medium
CN103580909B (en) A kind of hardware resource method for customizing and device
CN115134216B (en) A heterogeneous IPSEC tunnel protection scheduling method, system and medium based on SDWAN
CN111314567A (en) Communication method based on cascade connection of multiple IAD (inter-integrated access device) devices
CN109743316A (en) Data transmission method, egress router, firewall and dual firewall system
CN118611952A (en) Network access method, device, equipment and storage medium
CN103856460A (en) Access control method, device and system
CN106230980A (en) A kind of address configuration method, Apparatus and system
CN101510901B (en) Communication method, communication apparatus and system between distributed equipment
CN114938516A (en) Method, system, device and medium for protecting communication link
CN112929193B (en) Method and apparatus for configuring aging time of medium access control address
CN116614548A (en) Application service migration method and system, network equipment and storage medium
CN104104599B (en) System and method for simultaneously supporting IPv4 and IPv6 main/standby switching
CN117042078B (en) Communication link configuration method and system based on wireless routing strategy
CN115695206B (en) Method and device for determining network topology, computer equipment and storage medium
CN115333999A (en) Port-based data transmission device and method, computer equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A scheduling method, system, and medium for cross machine IPSEC tunnel protection based on SDWAN

Granted publication date: 20240412

Pledgee: Ningbo Bank Co.,Ltd. Hangzhou Branch

Pledgor: HANGZHOU CNCR INFORMATION TECHNOLOGY CO.,LTD.

Registration number: Y2025980010269