CN117729062A - Networking method, device and system for enterprise network - Google Patents

Networking method, device and system for enterprise network

Info

Publication number
CN117729062A
CN117729062A
Authority
CN
China
Prior art keywords
node
network convergence
center
regional network
network
Prior art date
Legal status
Granted
Application number
CN202410171990.9A
Other languages
Chinese (zh)
Other versions
CN117729062B (en)
Inventor
刘博�
刘铭
常景瑶
马鹏飞
万进
尹福慧
Current Assignee
Huahui Information Technology Co ltd
Original Assignee
Huahui Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Huahui Information Technology Co ltd
Priority to CN202410171990.9A
Publication of CN117729062A
Application granted
Publication of CN117729062B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to the technical field of enterprise networks and discloses a networking method for an enterprise network, comprising: dividing the enterprise network into levels consisting, in order, of a data center node, a regional network convergence center node and member unit nodes, and connecting the levels in sequence in SD-WAN mode; deploying data center CPE equipment at the data center node, regional network convergence center CPE equipment at the regional network convergence center node, and member unit CPE equipment at the member unit nodes; and deploying an SDN controller and a data center switch at the data center node and a regional network convergence center switch at the regional network convergence center node. Because the data center node and the member unit nodes communicate through the regional network convergence center node and the CPE devices, congestion in the enterprise network is noticeably relieved. The application also discloses a networking device and a networking system for the enterprise network.

Description

Networking method, device and system for enterprise network
Technical Field
The present invention relates to the technical field of enterprise networks, and for example, to a networking method, device and system for an enterprise network.
Background
With the growth of the high-speed Internet, the interconnection of everything and the migration of IT to the cloud have become the trend of network development, and the traditional enterprise networking mode based on dedicated lines cannot adapt well to this environment. In the related art, SD-WAN (Software-defined WAN) technology is applied to the wide area network: a central control server is deployed on the enterprise's local area network and interconnected with the enterprise's devices, providing a controllable enterprise network and unified management of the network devices.
In the process of implementing the embodiments of the present disclosure, it is found that at least the following problems exist in the related art:
a central control server is deployed on the enterprise's local area network, interconnected with the enterprise's many devices, and used to manage the network devices centrally. During data transmission, large volumes of data traverse the channel between the central control server and the devices at the same time, so the enterprise network is prone to congestion.
It should be noted that the information disclosed in the foregoing background section is only for enhancing understanding of the background of the present application and thus may include information that does not form the prior art that is already known to those of ordinary skill in the art.
Disclosure of Invention
The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview, and is intended to neither identify key/critical elements nor delineate the scope of such embodiments, but is intended as a prelude to the more detailed description that follows.
The embodiments of the disclosure provide a networking method, device and system for an enterprise network, so as to relieve congestion in the enterprise network and improve its data transmission rate.
In some embodiments, a networking method for an enterprise network includes: dividing the enterprise network into levels consisting, in order, of a data center node, a regional network convergence center node and member unit nodes, and connecting the levels in sequence in SD-WAN mode; deploying data center CPE equipment at the data center node, regional network convergence center CPE equipment at the regional network convergence center node, and member unit CPE equipment at the member unit nodes, where the data center CPE equipment, the regional network convergence center CPE equipment and the member unit CPE equipment form the network through binding codes, and the member unit CPE equipment is configured to forward data sent by a client to the regional network convergence center CPE equipment; and deploying an SDN controller and a data center switch at the data center node and a regional network convergence center switch at the regional network convergence center node, where the SDN controller is configured to issue configuration information to the regional network convergence center switch and the data center switch, the regional network convergence center switch is configured to forward, according to the configuration information, data sent by the regional network convergence center CPE equipment to the data center CPE equipment, and the data center switch is configured to forward, according to the configuration information, that data to the target application server.
In some embodiments, a networking device for an enterprise network includes a processor and a memory storing program instructions that, when executed, the processor is configured to perform the aforementioned networking method for an enterprise network.
In some embodiments, a networking system for an enterprise network includes a data center node, a regional network convergence center node, a member unit node, and the foregoing networking device for an enterprise network, wherein: the data center node deploys data center CPE equipment, an SDN controller and a data center switch; the regional network convergence center node deploys regional network convergence center CPE equipment and a regional network convergence center switch; the member unit node deploys a member unit CPE device.
The networking method, device and system for the enterprise network provided by the embodiment of the disclosure can realize the following technical effects:
according to the technical scheme, network levels of an enterprise network are divided according to data center nodes, regional network convergence center nodes and member unit nodes in sequence, all levels of nodes are sequentially connected according to an SD-WAN mode, meanwhile, data center CPE equipment is deployed at the data center nodes, regional network convergence center CPE equipment is deployed at the regional network convergence center nodes, member unit CPE equipment is deployed at the member unit nodes, SDN controllers and data center switches are deployed at the data center nodes, and regional network convergence center switches are deployed at the regional network convergence nodes, so that the construction of the enterprise network is completed.
In this way the enterprise network is built as a three-level leaf-spine topology of data center node, regional network convergence center node and member unit nodes, with CPE equipment deployed at the network boundary of each node. Once the data center node and the member unit nodes communicate through the regional network convergence center node and the CPE devices, the enterprise network has more data transmission channels, so congestion is noticeably relieved and the data transmission rate improves; at the same time, the effort each informatized site spends maintaining network access policies drops sharply, working efficiency improves, and policy sprawl is reduced.
The foregoing general description and the following description are exemplary and explanatory only and are not restrictive of the application.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like reference numerals refer to similar elements, and in which:
FIG. 1 is a schematic diagram of a network topology of an enterprise network provided by embodiments of the present disclosure;
FIG. 2 is a schematic diagram of an enterprise network provided by an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of another enterprise network provided by an embodiment of the present disclosure;
FIG. 4 is a flow chart of a networking method for an enterprise network provided in an embodiment of the present disclosure;
FIG. 5 is a flow diagram of another networking method for an enterprise network provided by embodiments of the present disclosure;
FIG. 6 is a flow diagram of another networking method for an enterprise network provided by embodiments of the present disclosure;
FIG. 7 is a flow chart of a method of access for an enterprise network provided by an embodiment of the present disclosure;
FIG. 8 is a flow chart of another access method for an enterprise network provided by an embodiment of the present disclosure;
FIG. 9 is a flow diagram of another access method for an enterprise network provided by an embodiment of the present disclosure;
FIG. 10 is a schematic structural diagram of a networking device for an enterprise network according to an embodiment of the present disclosure.
Detailed Description
So that the manner in which the features and techniques of the disclosed embodiments can be understood in more detail, a more particular description of the embodiments of the disclosure, briefly summarized below, may be had by reference to the appended drawings, which are not intended to be limiting of the embodiments of the disclosure. In the following description of the technology, for purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the disclosed embodiments. However, one or more embodiments may still be practiced without these details. In other instances, well-known structures and devices may be shown simplified in order to simplify the drawing.
The terms first, second and the like in the description and in the claims of the embodiments of the disclosure and in the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe embodiments of the present disclosure. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion.
The term "plurality" means two or more, unless otherwise indicated. In the embodiments of the present disclosure, the character "/" indicates that the objects before and after it are in an "or" relationship; for example, A/B represents A or B. The term "and/or" describes an association between objects and admits three relationships; for example, "A and/or B" represents A, or B, or both A and B. The term "corresponding" may refer to an association or binding relationship: the correspondence between A and B is an association or binding relationship between A and B.
Aiming at the characteristic of obvious cross-regional characteristics of a large enterprise, the method and the device provide a multi-space large-scale off-site networking scheme in an enterprise network networking link so that the flexibility and confidentiality of the network can meet the requirements of the large enterprise.
Key technical terms in the embodiments of the present disclosure are described below:
The data center node is a data center formed by several groups of cloud controllers; it centrally controls bandwidth resources and rapidly schedules routes, making the data transmission service more stable and reliable. The data center node builds an SDN network whose data plane is partitioned by service, and manages the cross-regional traffic of the regional network centers. On the SD-WAN enterprise network framework, the SDN network establishes direct links between the geographically separated data centers so that scheduling is fast.
And the regional network convergence center node bears the communication traffic inside the member unit nodes and among the member unit nodes and manages the network address division of the access member units. Meanwhile, the regional network convergence central node is a public network boundary outlet of the SD-WAN bearing network and is used for realizing regional network convergence and access flow distribution of member unit nodes.
And the member unit node bears the function of accessing the equipment terminal in the member unit node into the enterprise network, such as member unit job site, edge computing machine room, industrial control Internet of things machine room and public cloud resources.
SD-WAN (Software-Defined WAN), the software-defined wide area network, is a network management mode. It applies mature software techniques (such as intelligent route scheduling, application optimization, Transmission Control Protocol (TCP) optimization and quality of service (QoS)) to integrate traditional network resources (such as the Internet, narrow-band private lines, Multiprotocol Label Switching (MPLS), Long Term Evolution (LTE) and dark fiber) with other resources, so as to get the most out of the traditional resources.
SDN (Software Defined Networking), a software defined network, is a new network architecture, and is one implementation of network virtualization. The application software is used for participating in the control management of the network, the upper layer service requirement is met, and the network operation and maintenance are simplified through the automatic service deployment.
CPE (Customer-premises equipment), i.e. a Customer premises equipment, is a network termination device located at the Customer's end or branch for interfacing services with the operator, an important component of the network solution.
VXLAN (Virtual eXtensible Local Area Network), the virtual extensible local area network, is a network virtualization technology that extends the VLAN. It uses an L2-over-L4 (MAC-in-UDP) encapsulation: a Layer 2 Ethernet frame is wrapped in a UDP/IP packet, so a Layer 2 network can be stretched across a Layer 3 network, which meets the data center's needs for large Layer 2 domains (virtual machine migration) and multi-tenancy. The 24-bit VXLAN network identifier (VNI) carried in the VXLAN header is what separates one tenant's segment from another's.
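The MAC-in-UDP encapsulation described above, as an added example that is not part of the patent and not the applicant's code: it builds the 8-byte VXLAN header (RFC 7348) in front of an Ethernet frame, puts it in a UDP datagram on port 4789, and on the receiving side refuses frames whose I flag is clear or whose VNI is not the one the tunnel endpoint was told to accept. The MAC addresses and payload are constructed sample data; IP headers are omitted because the security-relevant check lives in the VXLAN header.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned destination port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field carries a valid identifier
ETH_HEADER_LEN = 14     # dst MAC (6) + src MAC (6) + EtherType (2)
VXLAN_HEADER_LEN = 8    # flags (1) + reserved (3) + VNI (3) + reserved (1)
UDP_HEADER_LEN = 8


def build_ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble the inner Layer 2 frame that VXLAN will carry."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def vxlan_encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the VXLAN header; the 24-bit VNI sits in the upper bytes of the last word."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)
    return header + inner_frame


def udp_wrap(src_port: int, vxlan_payload: bytes) -> bytes:
    """Place the VXLAN packet in a UDP datagram (checksum 0, which RFC 7348 allows over IPv4)."""
    length = UDP_HEADER_LEN + len(vxlan_payload)
    return struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, length, 0) + vxlan_payload


def vxlan_decapsulate(udp_datagram: bytes, expected_vni: int) -> bytes:
    """Strip the UDP and VXLAN headers and return the inner frame.

    Rejects datagrams that are not VXLAN, whose I flag is clear, or whose VNI differs
    from the one configured for this endpoint: a frame arriving on the wrong VNI must
    never be delivered into another tenant's Layer 2 segment.
    """
    if len(udp_datagram) < UDP_HEADER_LEN + VXLAN_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("datagram too short for UDP + VXLAN + Ethernet headers")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp_datagram[:UDP_HEADER_LEN])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(udp_datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    vxlan_hdr = udp_datagram[UDP_HEADER_LEN:UDP_HEADER_LEN + VXLAN_HEADER_LEN]
    flags, _reserved, vni_word = struct.unpack("!B3sI", vxlan_hdr)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is invalid")
    vni = vni_word >> 8   # the low byte is reserved and ignored on receive (RFC 7348)
    if vni != expected_vni:
        raise ValueError(f"VNI mismatch: got {vni}, expected {expected_vni}")
    return udp_datagram[UDP_HEADER_LEN + VXLAN_HEADER_LEN:]


def parse_inner_frame(frame: bytes) -> tuple:
    """Split an Ethernet frame into (dst MAC, src MAC, EtherType, payload)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype, frame[14:]


def accepts(udp_datagram: bytes, expected_vni: int) -> bool:
    """Tunnel-endpoint policy check: True only if the datagram decapsulates on this VNI."""
    try:
        vxlan_decapsulate(udp_datagram, expected_vni)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: an IPv4 frame from a member-unit host, carried on VNI 100.
    inner = build_ethernet(bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee"),
                           0x0800, b"constructed IPv4 payload")
    datagram = udp_wrap(49152, vxlan_encapsulate(inner, 100))
    print("VNI 100 accepted:", accepts(datagram, 100), "| VNI 200 accepted:", accepts(datagram, 200))
```

The VNI check is the point: a VXLAN endpoint that decapsulates whatever VNI arrives turns the overlay into one flat Layer 2 domain, so the expected VNI must come from the endpoint's configuration, not from the packet.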
With reference to fig. 1, an embodiment of the present disclosure provides a network topology of an enterprise network, including a data center node, a regional network convergence center node, and member unit nodes, where all levels of nodes are connected by means of SD-WAN technology, so as to complete preliminary off-site networking.
The enterprise network of the embodiment of the disclosure adopts a leaf-spine network topology structure, wherein a data center node corresponds to a spine (spine) node, a regional network convergence center node corresponds to a leaf (leaf) node, and a member unit node corresponds to an edge (edge) node.
In practical application, the data center node collects the states of the regional network convergence center node and the links, and perceives and adjusts the network resource allocation. The data center nodes are directly connected through an SDN network, so that quick information sharing is realized. The regional network center node is used as a point-of-presence POP node of the enterprise network and is responsible for communication among member unit nodes, and needs to report own state information to the data center node and receive scheduling of the data center node so as to ensure the quality of service QoS of the member unit nodes. The member unit node accesses the regional network convergence central node nearby.
In the embodiment of the disclosure, as shown in fig. 2, when an enterprise network is constructed, network levels of the enterprise network are divided according to data center nodes, regional network convergence center nodes and member unit nodes in sequence, and all levels of nodes are connected in sequence according to an SD-WAN mode. The data center CPE equipment is deployed at the data center node, the regional network convergence center CPE equipment is deployed at the regional network convergence center node, and the member unit CPE equipment is deployed at the member unit node. And deploying SDN controllers and data center switches at the data center nodes, and deploying regional network convergence center switches at the regional network convergence nodes.
The data center CPE equipment is deployed at the data center node, the regional network convergence center CPE equipment at the regional network convergence center node, and the member unit CPE equipment at the member unit node. An office terminal at a member unit node enters the enterprise intranet SD-WAN through the member unit CPE equipment and is steered to the nearest regional network convergence center node. After verification by the enterprise network's zero trust system, the office terminal at the member unit node can reach external websites, according to domain name system (DNS) scheduling, through the regional network convergence center CPE equipment and the public network egress of the regional network convergence center node, without being aggregated upward to the main data center, which takes traffic pressure off the main data center. Likewise, office terminals at member unit nodes enter the enterprise SD-WAN through the member unit CPE equipment and are steered upward to the data center nodes by the enterprise network's SDN routing.
Once the enterprise network is built in this way, the data center node and each member unit node interconnect, the effort of maintaining network policies at each informatized site drops sharply, the working efficiency of the enterprise network improves, and policy sprawl is reduced.
In some embodiments, as shown in fig. 3, the network level of the enterprise network is divided sequentially according to data center nodes, regional network convergence center nodes and member unit nodes, and each level of nodes are connected sequentially according to SD-WAN mode; and deploying the data center switch and the zero trust main server at the data center node, and deploying the regional network convergence center switch and the zero trust gateway which is in communication connection with the zero trust server at the regional network convergence center node.
By deploying the zero trust main server and the zero trust gateway in the enterprise network, and so introducing zero trust access control into the SD-WAN and SDN networking, network security is improved on the access control side. Zero trust architecture (ZTA) here means continuous authentication and dynamic authorization of users based on trust elements such as the identity of the access subject, the network environment and the state of the terminal.
The enterprise network provided by the embodiment of the disclosure combines SD-WAN and SDN technologies, supports the equipment terminals of each member unit to access respective network planes under the condition of no IP address reconstruction, and provides a user with a real-time and dynamic switching capability of a network link without perception, so that service interruption is avoided. Meanwhile, based on the network pre-access CPE equipment, the VXLAN technology is integrated, the zero trust access authentication architecture is integrated, the active security defending capability of the enterprise network is formed in the network system, and the security of the enterprise network is improved.
In some embodiments, as shown in connection with fig. 4, a networking method for an enterprise network is provided, comprising the steps of:
s401, dividing the network level of the enterprise network according to the data center node, the regional network convergence center node and the member unit node in sequence, and connecting all levels of nodes in sequence according to an SD-WAN mode.
S402, deploying data center CPE equipment at a data center node, deploying regional network convergence center CPE equipment at a regional network convergence center node, and deploying member unit CPE equipment at a member unit node.
The data center CPE equipment, the regional network convergence center CPE equipment and the member unit CPE equipment realize networking through the binding codes, and the member unit CPE equipment is configured to forward data information sent by the client to the regional network convergence center CPE equipment.
Here, the binding code may be a device identification unique to each CPE device. For example, the data center CPE device authenticates to the SDN controller of the data center node with its device identification and then reads network configuration information from the SDN controller to complete the basic networking; the regional network convergence center CPE device and the member unit CPE device do the same with their own device identifications. A practical caveat: a device identifier that is merely presented to the controller identifies the device but does not prove it, so in a deployment the binding code should be a secret known only to that CPE and the controller (or a device certificate), and the authentication should be bound to a fresh challenge so that a captured enrollment message cannot simply be replayed.
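A challenge-response enrollment between a CPE and the SDN controller, added here as an example and not the patent's or the applicant's code: the controller issues a one-time nonce, the CPE answers with an HMAC over its device identifier and the nonce keyed by its binding secret, and the controller verifies in constant time, consumes the nonce and only then hands out the configuration for that CPE's role. The device identifiers, binding secrets, roles and configuration dictionaries are all constructed for the example; the HMAC-SHA256 construction is the example's choice, not a scheme stated on the page.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 30


def cpe_prove(device_id: str, binding_secret: bytes, nonce: bytes) -> bytes:
    """CPE side: prove possession of the binding secret without ever transmitting it."""
    return hmac.new(binding_secret, device_id.encode() + nonce, hashlib.sha256).digest()


class SdnController:
    """Controller side of enrollment: fresh nonce per device, HMAC proof, single use.

    `registry` maps a CPE device identifier to (role, binding_secret) and stands in
    for the controller's provisioning database; `configs` maps a role to the network
    configuration handed out after authentication. Both are constructed for this example.
    """

    def __init__(self, registry: dict, configs: dict):
        self._registry = registry
        self._configs = configs
        self._pending = {}   # device_id -> (nonce, expiry)

    def issue_challenge(self, device_id: str) -> bytes:
        if device_id not in self._registry:
            raise PermissionError("unknown device identifier")
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = (nonce, time.monotonic() + CHALLENGE_TTL_SECONDS)
        return nonce

    def enroll(self, device_id: str, nonce: bytes, proof: bytes) -> dict:
        # pop(): each challenge may be answered once, so a captured proof cannot be replayed.
        pending = self._pending.pop(device_id, None)
        if pending is None:
            raise PermissionError("no outstanding challenge for this device")
        issued_nonce, expires_at = pending
        if nonce != issued_nonce or time.monotonic() > expires_at:
            raise PermissionError("stale or mismatched challenge")
        role, binding_secret = self._registry[device_id]
        expected = cpe_prove(device_id, binding_secret, nonce)
        if not hmac.compare_digest(expected, proof):   # constant-time comparison
            raise PermissionError("binding code verification failed")
        return dict(self._configs[role])


def enroll_cpe(controller: SdnController, device_id: str, binding_secret: bytes) -> dict:
    """The exchange end to end: controller -> nonce, CPE -> proof, controller -> config."""
    nonce = controller.issue_challenge(device_id)
    proof = cpe_prove(device_id, binding_secret, nonce)
    return controller.enroll(device_id, nonce, proof)


# Constructed binding secrets; in a deployment they come from the provisioning system.
DC_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
REGIONAL_SECRET = bytes.fromhex("102030405060708090a0b0c0d0e0f001")
MEMBER_SECRET = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def build_demo_controller() -> SdnController:
    registry = {
        "dc-cpe-01": ("datacenter", DC_SECRET),
        "regional-cpe-01": ("regional", REGIONAL_SECRET),
        "member-cpe-07": ("member", MEMBER_SECRET),
    }
    configs = {
        "datacenter": {"role": "datacenter", "switch": "dc-switch-01", "peers": ["regional-cpe-01"]},
        "regional": {"role": "regional", "upstream": "dc-cpe-01", "public_egress": True},
        "member": {"role": "member", "upstream": "regional-cpe-01", "public_egress": False},
    }
    return SdnController(registry, configs)


def run_exchange_scenarios() -> dict:
    """Legitimate enrollment, a guessed binding code, and a replayed proof."""
    ctl = build_demo_controller()
    results = {"member_role": enroll_cpe(ctl, "member-cpe-07", MEMBER_SECRET)["role"]}
    try:
        enroll_cpe(ctl, "member-cpe-07", b"guessed-binding-code")
        results["wrong_secret_accepted"] = True
    except PermissionError:
        results["wrong_secret_accepted"] = False
    nonce = ctl.issue_challenge("regional-cpe-01")
    proof = cpe_prove("regional-cpe-01", REGIONAL_SECRET, nonce)
    ctl.enroll("regional-cpe-01", nonce, proof)        # first use succeeds
    try:
        ctl.enroll("regional-cpe-01", nonce, proof)    # same message captured and replayed
        results["replay_accepted"] = True
    except PermissionError:
        results["replay_accepted"] = False
    return results


if __name__ == "__main__":
    print(run_exchange_scenarios())
```

Because the controller derives the role from its own registry rather than from anything the CPE sends, a member unit CPE cannot talk itself into receiving data center configuration; the exchange still needs to run over the SD-WAN encrypted channel so the configuration itself is not exposed in transit.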
In some practical applications, the member unit CPE device may be deployed on a terminal device of the member unit node, and the vCPE program is installed on the terminal device, and after authentication, the enterprise network may be accessed. The vCPE programs support a variety of operating systems, windows, linux, mac OS, android, etc. The mobile terminal is favorable for smoothly accessing the enterprise network aiming at the enterprise remote office requirement and dynamic access, can access the enterprise network anytime and anywhere, and realizes noninductive access for remote office.
In one possible implementation, the member unit CPE device is configured as follows: converting the IP address of the service access request information sent by the client into a target IP address; and forwarding the converted service access request information to the CPE equipment of the target area network convergence center through an SD-WAN encryption channel based on the target IP address.
Here, the service access request information includes one or more of external network service access request information for accessing an external network service application, data center service access request information for accessing a data center service application, and member unit service access request information for accessing a member unit service application.
The member unit CPE equipment stores an IP address configuration table of the IP address of the service access request information and a corresponding target IP address of the enterprise network unified planning. Based on the IP address of the service access request information sent by the client, converting the network address into a unified target IP address of the enterprise network, thereby rapidly determining the forwarding target and realizing the rapid and accurate forwarding operation of the service access request information. Meanwhile, the SD-WAN encryption channel is utilized to forward service access request information, so that the safety performance of enterprise network communication is improved.
In some possible implementations, the SD-WAN encrypted channel is chosen from the target IP address: the service application type corresponding to the service access request is determined from the target IP address, and the target SD-WAN encrypted channel is chosen according to that type. Since a given IP address is usually fixed to a service application of a given type, the type can be read off the target IP address. For example, for a service application type that requires a high security level, an SD-WAN encrypted channel with a higher encryption level is chosen as the target channel; for a service application type with a large request volume level, an SD-WAN encrypted channel with a faster transmission rate is chosen. In this way both the security and the efficiency of enterprise network communication are improved.
Optionally, the target area network convergence centre CPE device is determined as follows: determining a plurality of regional network convergence center CPE devices positioned in a preset geographic range centering on the current member unit CPE device; determining the data transmission efficiency of CPE equipment of a plurality of regional network convergence centers; the data transmission efficiency represents the data transmission speed and the transmission accuracy of the CPE equipment in the regional network convergence center in the current state; based on the data transmission efficiency, one regional network convergence center CPE device is screened from a plurality of regional network convergence center CPE devices to serve as a target regional network convergence center CPE device.
Here, the preset geographical range may be a preset distance range centered on the current member unit CPE device (e.g., 100 meters square centered on the current member unit CPE device) or a preset building range centered on the current member unit CPE device (e.g., 10 surrounding building buildings centered on the current member unit CPE device).
In practical application, the data transmission efficiency of the CPE device in the regional network convergence center is calculated according to the following formula:
E=α×S+β×A
where E is the data transmission efficiency, S is the data transmission speed level, A is the transmission accuracy level, α is the weight coefficient for the request volume level of the service access request information, β is the weight coefficient for the security level of the service application corresponding to the target IP address, and α+β=1.
The number-level weight coefficient alpha of the service access request information is positively correlated with the number level of the service access request information, and the larger the number level of the service access request information is, the larger the alpha is, and the smaller the number level of the service access request information is, the smaller the alpha is. The service application security level weight coefficient beta corresponding to the target IP address is positively correlated with the service application security level corresponding to the target IP address, and the larger the service application security level corresponding to the target IP address is, the larger the beta is. The smaller the security level of the service application corresponding to the target IP address, the smaller β.
In practical application, the regional network convergence center CPE device with the greatest data transmission efficiency can be selected from the candidates as the target regional network convergence center CPE device.
And determining a plurality of regional network convergence center CPE devices positioned in a preset geographical range centering on the current member unit CPE device, and screening one regional network convergence center CPE device from the plurality of regional network convergence center CPE devices as a target regional network convergence center CPE device according to the data transmission efficiency of each regional network convergence center CPE device. In this way, on one hand, the fluency and communication capability of the connection between the member unit CPE equipment and the target area network convergence center CPE equipment are improved, and on the other hand, the data transmission efficiency of the area network convergence center CPE equipment is determined according to the quantity level of the service access request information and the service application security level, so that the data transmission efficiency and the security performance of the enterprise network can be improved.
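The member unit CPE's forwarding decision from the preceding paragraphs (IP address translation through the configuration table, channel choice by service type, and regional CPE selection with E = α×S + β×A inside a preset geographic range), carried through as an added example that is not the patent's or the applicant's code. The configuration table, service profiles, candidate CPEs, coordinates and the 1..5 level scales are constructed; the page fixes only that α rises with request volume, β rises with security level and α+β=1, so the normalisation α = n/(n+s), β = s/(n+s) used here is this example's assumption, as is the haversine distance for the geographic range.

```python
from __future__ import annotations

import ipaddress
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceProfile:
    service_type: str      # "external", "data_center" or "member_unit"
    security_level: int    # assumed scale 1 (lowest) .. 5 (highest)


@dataclass(frozen=True)
class RegionalCpe:
    name: str
    lat: float
    lon: float
    speed_level: int       # S in the page's formula, assumed 1..5
    accuracy_level: int    # A in the page's formula, assumed 1..5


# Constructed IP address configuration table on the member unit CPE:
# client source prefix -> enterprise-wide target IP of the service it reaches.
IP_CONFIG_TABLE = {
    ipaddress.ip_network("10.10.0.0/24"): ipaddress.ip_address("172.16.1.10"),   # finance -> DC application
    ipaddress.ip_network("10.10.1.0/24"): ipaddress.ip_address("172.16.2.20"),   # shop floor -> member unit app
    ipaddress.ip_network("10.10.2.0/24"): ipaddress.ip_address("203.0.113.50"),  # office -> external web
}

# Constructed mapping from target IP to service type and security level.
SERVICE_PROFILES = {
    ipaddress.ip_address("172.16.1.10"): ServiceProfile("data_center", 5),
    ipaddress.ip_address("172.16.2.20"): ServiceProfile("member_unit", 3),
    ipaddress.ip_address("203.0.113.50"): ServiceProfile("external", 1),
}


def translate_ip(client_ip: str) -> ipaddress.IPv4Address:
    """Longest-match is unnecessary here: the constructed prefixes do not overlap."""
    ip = ipaddress.ip_address(client_ip)
    for prefix, target in IP_CONFIG_TABLE.items():
        if ip in prefix:
            return target
    raise LookupError(f"{client_ip} has no entry in the IP address configuration table")


def select_channel(profile: ServiceProfile, request_count_level: int) -> str:
    """Security level decides first; only low-security, high-volume traffic takes the fast path."""
    if profile.security_level >= 4:
        return "sdwan-tunnel-high-security"
    if request_count_level >= 4:
        return "sdwan-tunnel-high-throughput"
    return "sdwan-tunnel-standard"


def weights(request_count_level: int, security_level: int) -> tuple[float, float]:
    """alpha grows with request volume, beta with security level, alpha + beta = 1 (assumed normalisation)."""
    total = request_count_level + security_level
    return request_count_level / total, security_level / total


def efficiency(cpe: RegionalCpe, alpha: float, beta: float) -> float:
    """E = alpha * S + beta * A, as defined on the page."""
    return alpha * cpe.speed_level + beta * cpe.accuracy_level


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine), used for the preset geographic range."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def select_regional_cpe(member_pos: tuple[float, float], candidates: list[RegionalCpe],
                        radius_km: float, alpha: float, beta: float) -> RegionalCpe:
    in_range = [c for c in candidates if distance_km(*member_pos, c.lat, c.lon) <= radius_km]
    if not in_range:
        raise LookupError("no regional network convergence center CPE within range")
    return max(in_range, key=lambda c: efficiency(c, alpha, beta))


def route_request(client_ip: str, request_count_level: int, member_pos: tuple[float, float],
                  candidates: list[RegionalCpe], radius_km: float) -> dict:
    """The member unit CPE's complete decision for one service access request."""
    target = translate_ip(client_ip)
    profile = SERVICE_PROFILES[target]
    alpha, beta = weights(request_count_level, profile.security_level)
    cpe = select_regional_cpe(member_pos, candidates, radius_km, alpha, beta)
    return {
        "target_ip": str(target),
        "service_type": profile.service_type,
        "channel": select_channel(profile, request_count_level),
        "regional_cpe": cpe.name,
        "efficiency": round(efficiency(cpe, alpha, beta), 4),
    }


# Constructed candidates; the member unit CPE sits at MEMBER_POS, the third candidate is far away.
MEMBER_POS = (39.90, 116.40)
CANDIDATES = [
    RegionalCpe("regional-cpe-fast", 39.95, 116.40, speed_level=5, accuracy_level=2),
    RegionalCpe("regional-cpe-accurate", 39.90, 116.50, speed_level=2, accuracy_level=5),
    RegionalCpe("regional-cpe-remote", 31.20, 121.50, speed_level=5, accuracy_level=5),
]

if __name__ == "__main__":
    print(route_request("10.10.0.5", 1, MEMBER_POS, CANDIDATES, 50.0))   # high security, low volume
    print(route_request("10.10.2.9", 5, MEMBER_POS, CANDIDATES, 50.0))   # low security, high volume
```

With these inputs a high-security, low-volume request to the data center application weights accuracy and lands on the accurate CPE, while a low-security, high-volume request to the external web service weights speed and lands on the fast CPE; the remote CPE never wins even though it scores best on both levels, because it fails the range test first.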
S403, deploying SDN controllers and data center switches at the data center nodes, and deploying regional network convergence center switches at the regional network convergence nodes.
The SDN controller is configured to issue configuration information to the regional network convergence center switch and the data center switch, the regional network convergence center switch is configured to forward the data information sent by the regional network convergence center CPE device to the data center CPE device according to the configuration information, and the data center switch is configured to forward the data information sent by the regional network convergence center CPE device to the target application server according to the configuration information.
Here, the configuration information may be forwarding routes and/or forwarding links of the regional network convergence center switch and the data center switch. The forwarding route may be a forwarding path from the current device to the final target device; the forwarding link may be a communication tunnel adopted under the same forwarding path.
By utilizing the enterprise network constructed by the embodiment of the disclosure, the terminal equipment of the member unit node can access public network traffic. Specifically, the terminal device of the member unit node enters the SD-WAN intranet of the enterprise network through the member unit CPE device and is steered to the geographically nearest regional network convergence center node. The regional network convergence center CPE device then sends the traffic out through the public network exit of the regional network convergence center node to external websites, public cloud or other destination addresses, without aggregating it upward to the data center node, thereby sharing the traffic pressure of the data center node.
By utilizing the enterprise network constructed by the embodiment of the disclosure, the terminal equipment of the member unit node can access the service applications of the data center node. Specifically, the terminal device of the member unit node enters the SD-WAN intranet of the enterprise network through the member unit CPE device and is steered to the geographically nearest regional network convergence center node. The regional network convergence center CPE device then sends the data request information for the service application, together with the address information of the terminal device, to the regional network convergence center switch, which forwards them onward. The data center CPE device receives the data request information and address information and passes them to the data center switch, which forwards them to the application server. Finally, the application server responds to the data request information and returns the response result to the terminal device according to the terminal device's address information.
In one possible implementation, the SDN controller is configured as follows: obtaining an abnormal condition of a first area network convergence central node; and under the condition that the first area network convergence center node is abnormal, switching the link of the first area network convergence center node to the second area network convergence center node.
In practical application, when the node operation state of the first regional network convergence central node is abnormal (for example, the failure rate is greater than the preset failure rate, the congestion rate is greater than the preset congestion rate and/or the network jitter amplitude is greater than the preset network jitter amplitude), the first regional network convergence central node is confirmed to be abnormal.
The SDN controller can select different link types for transmission according to the delay and reliability requirements of different applications, giving priority to core services. When the first regional network convergence center node is abnormal, its communication link is switched to the second regional network convergence center node, so that the switch is imperceptible to users and the high availability of the whole enterprise network is ensured.
Optionally, the second regional network convergence center node is determined as follows: obtaining a plurality of regional network convergence center nodes associated with the first regional network convergence center node; determining the node operation states of the plurality of regional network convergence center nodes, where the node operation state comprises one or more of failure rate, congestion rate and network jitter amplitude; and screening one regional network convergence center node from the plurality of regional network convergence center nodes based on the node operation state to serve as the second regional network convergence center node.
The plurality of regional network convergence central nodes associated with the first regional network convergence central node may be regional network convergence central nodes that are geographically close to the first regional network convergence central node, or regional network convergence central nodes that are in the same administrative area (e.g., the same city, district/county) as the first regional network convergence central node.
The failure rate of the regional network convergence center node is the probability of data transmission failure at that node within a preset time period (for example, the previous month). It may be measured on the regional network convergence center CPE device alone, or as the combined probability of data transmission failure of the regional network convergence center CPE device and the regional network convergence center switch within that period.
The congestion rate of the regional network convergence center node is the number of data packets that the node needs to transmit within a preset time period (for example, the previous 5 minutes), counting both the packets already transmitted and the packets still queued. It may be measured on the regional network convergence center CPE device alone, on the regional network convergence center switch alone, or as the total for both.
The network jitter amplitude of the regional network convergence center node is the maximum network jitter observed at the node during data transmission within a preset time period (for example, 1 hour). It may be measured on the regional network convergence center CPE device alone, or as the maximum over both the regional network convergence center CPE device and the regional network convergence center switch within that period. The maximum jitter can be determined by detecting the maximum delay of the regional network convergence center node when network congestion occurs.
Based on the node operation states of the regional network convergence center nodes, the regional network convergence center node with the best node operation state (for example, the lowest failure rate, the lowest congestion rate and/or the smallest network jitter amplitude) is selected from the plurality of regional network convergence center nodes as the second regional network convergence center node. In this way, the communication link of a first regional network convergence center node whose operation state is poor is switched to the second regional network convergence center node in time, which improves the smoothness and communication capacity of enterprise network communication.
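The abnormality check and standby node selection described above can be illustrated with the following Python example. It is added here and is not code from the patent; the threshold values, node names, sample metrics and the way the three metrics are combined into one score are assumptions made for illustration (the patent only states that preset thresholds exist and that the node with the best operation state is chosen).

```python
"""Added example: failover between regional network convergence center nodes
based on failure rate, congestion rate and network jitter amplitude."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class NodeState:
    name: str
    failure_rate: float      # fraction of failed transmissions in the window
    congestion_rate: int     # packets transmitted + queued in the window
    jitter_ms: float         # maximum delay variation (ms) in the window


# Assumed thresholds; the page only says "preset" values exist.
MAX_FAILURE_RATE = 0.05
MAX_CONGESTION = 50_000
MAX_JITTER_MS = 30.0


def is_abnormal(node: NodeState) -> bool:
    """A node is abnormal when any metric exceeds its preset threshold."""
    return (node.failure_rate > MAX_FAILURE_RATE
            or node.congestion_rate > MAX_CONGESTION
            or node.jitter_ms > MAX_JITTER_MS)


def select_standby(candidates: Iterable[NodeState]) -> Optional[NodeState]:
    """Pick the healthiest associated node; a node that is itself abnormal never qualifies."""
    healthy = [n for n in candidates if not is_abnormal(n)]
    if not healthy:
        return None

    # Assumed scoring: normalise each metric against its threshold so the
    # three are comparable, then rank by the sum (lower is better).
    def score(n: NodeState) -> float:
        return (n.failure_rate / MAX_FAILURE_RATE
                + n.congestion_rate / MAX_CONGESTION
                + n.jitter_ms / MAX_JITTER_MS)

    return min(healthy, key=score)


def failover(current: NodeState, associated: Iterable[NodeState]) -> NodeState:
    """Return the node the link should use: the current node while it is healthy,
    otherwise the best associated node; if none qualifies, stay on the current node
    rather than switch to something that is also abnormal."""
    if not is_abnormal(current):
        return current
    standby = select_standby(associated)
    return standby if standby is not None else current


# Constructed sample states, not measurements from the page.
HUB_A = NodeState("hub-a", failure_rate=0.12, congestion_rate=20_000, jitter_ms=12.0)
HUB_B = NodeState("hub-b", failure_rate=0.01, congestion_rate=30_000, jitter_ms=8.0)
HUB_C = NodeState("hub-c", failure_rate=0.02, congestion_rate=5_000, jitter_ms=45.0)
HUB_D = NodeState("hub-d", failure_rate=0.005, congestion_rate=8_000, jitter_ms=5.0)

if __name__ == "__main__":
    print("switch link to:", failover(HUB_A, [HUB_B, HUB_C, HUB_D]).name)
```

The refusal to fail over onto a candidate that is itself abnormal is the check worth keeping: a controller that always switches on the first node's alarm can move a link from a congested hub onto a jittery one and make matters worse.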
In one possible implementation, the regional network convergence central switch is configured as follows: adding a virtual extensible local area network (VXLAN) tag to the service access request information according to the IP address information of the service access request information; matching an access control strategy through a VXLAN label; and forwarding the service access request information to the CPE equipment of the data center according to the access control strategy.
Based on the IP address information of the service access request information, the terminals, devices, applications and the like participating in the networking are divided into corresponding virtual network segments using VXLAN, which copes with the large number of network devices at the member unit nodes. Introducing VXLAN addresses the source and flow-direction problems of user data traffic in access control: VXLAN builds an independent virtual overlay network, allows fast networking without re-planning IP addresses, supports up to 16M (2^24) VXLAN segments, and can finely separate traffic of different sources and different services in the enterprise network, meeting the organization and management requirements of large enterprises.
Optionally, forwarding the service access request information to the CPE device of the data center according to the access control policy includes: determining a request source of service access request information and a target source of access control strategy; forwarding the service access request information to the data center CPE equipment under the condition that a request source of the service access request information and a target source of the access control strategy are in the same data plane; and stopping forwarding the service access request information to the data center CPE equipment under the condition that the request source of the service access request information and the target source of the access control strategy are in different data planes.
The request source of the service access request information is the enterprise network node that hosts the target service application named in the request. For example, if the target service application is public network traffic or a service application of a member unit node, the corresponding enterprise network node is the regional network convergence center node; if the target service application is a service application of the data center node, the corresponding enterprise network node is the data center node.
The target source of the access control policy is a target enterprise network forwarding node (e.g., a data center node) in the access control policy of the regional network convergence center switch.
When the request source of the service access request information and the target source of the access control policy are in the same data plane (for example, both are the data center node), the regional network convergence center switch forwards the service access request information to the data center CPE device; when they are in different data planes (for example, the request source is the regional network convergence center node while the target source of the access control policy is the data center node), the regional network convergence center switch stops forwarding the service access request information to the data center CPE device. Service access request information is thus screened in advance: requests that the data center node does not need to process are intercepted at the lower-edge enterprise network node (such as the regional network convergence center node) and are no longer aggregated to the data center node, which shares the traffic pressure of the data center node.
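The tagging, policy matching and data-plane screening described in the preceding paragraphs can be illustrated with the following Python example. It is added here and is not code from the patent; the address prefixes, VNI values, the policy table and the rule that decides which node hosts a destination are all constructed for illustration.

```python
"""Added example: a regional network convergence center switch deriving a VXLAN
tag (VNI) from the source IP of a service access request, matching the access
control policy for that tag, and refusing to forward upward when the request
source and the policy target are in different data planes."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed: each member unit owns one prefix and one VNI (VNI is 24-bit, 1..16777215).
VNI_BY_PREFIX: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("10.10.0.0/16"): 10010,   # member unit A
    ipaddress.ip_network("10.20.0.0/16"): 10020,   # member unit B
}

# Assumed: the address range hosted by the data center node.
DC_PREFIX = ipaddress.ip_network("172.16.0.0/16")


@dataclass(frozen=True)
class Policy:
    target_node: str                     # "target source" of the policy, e.g. data center
    allowed_dst: ipaddress.IPv4Network   # destinations this VNI may reach there


# Assumed access control policies keyed by VNI; both target the data center node.
POLICY_BY_VNI: Dict[int, Policy] = {
    10010: Policy("data_center", ipaddress.ip_network("172.16.0.0/16")),
    10020: Policy("data_center", ipaddress.ip_network("172.16.5.0/24")),
}


def request_source(dst: ipaddress.IPv4Address) -> str:
    """Node that hosts the target application: the data center for its prefix,
    otherwise the regional hub (member-unit services and the public internet exit)."""
    return "data_center" if dst in DC_PREFIX else "regional_hub"


def assign_vni(src: str) -> Optional[int]:
    """S607: tag the request with the VNI of the member unit its source IP belongs to."""
    addr = ipaddress.ip_address(src)
    for prefix, vni in VNI_BY_PREFIX.items():
        if addr in prefix:
            return vni
    return None


def decide(src: str, dst: str) -> Tuple[str, Optional[int]]:
    """S608/S609: return (action, vni) where action is 'forward_to_dc',
    'handle_locally' (different data plane, do not aggregate upward) or 'drop'."""
    vni = assign_vni(src)
    if vni is None:
        return ("drop", None)                  # untagged source: no policy can match
    policy = POLICY_BY_VNI.get(vni)
    if policy is None:
        return ("drop", vni)                   # tagged but no policy: fail closed
    dst_addr = ipaddress.ip_address(dst)
    if request_source(dst_addr) != policy.target_node:
        return ("handle_locally", vni)         # different data plane: stop forwarding
    if dst_addr not in policy.allowed_dst:
        return ("drop", vni)                   # same plane, but policy denies this target
    return ("forward_to_dc", vni)


if __name__ == "__main__":
    for src, dst in [("10.10.3.4", "172.16.1.1"), ("10.20.3.4", "172.16.1.1"),
                     ("10.10.3.4", "8.8.8.8"), ("192.168.1.1", "172.16.1.1")]:
        print(src, "->", dst, decide(src, dst))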
According to the networking method for the enterprise network, network levels of the enterprise network are divided according to the data center node, the regional network convergence center node and the member unit nodes in sequence, all levels of nodes are connected in sequence according to an SD-WAN mode, meanwhile, data center CPE equipment is deployed at the data center node, regional network convergence center CPE equipment is deployed at the regional network convergence center node, member unit CPE equipment is deployed at the member unit node, SDN controllers and data center switches are deployed at the data center node, and regional network convergence center switches are deployed at the regional network convergence node, so that the enterprise network is built.
In this way, the enterprise network is built as a three-tier leaf-spine topology of data center node, regional network convergence center node and member unit nodes, with CPE equipment deployed at the network boundary of each enterprise network node. Once the data center node and the member unit nodes communicate through the regional network convergence center node and the CPE devices, the data transmission channels of the enterprise network are increased, so network congestion is noticeably relieved and the data transmission rate of the enterprise network improves; at the same time, the need for each site to maintain its own network access policy is greatly reduced, which improves working efficiency and reduces policy sprawl.
As shown in connection with fig. 5, in some embodiments, a networking method for an enterprise network is provided, comprising the steps of:
S501, dividing the network hierarchy of the enterprise network according to the data center node, the regional network convergence center node and the member unit node in sequence, and connecting all levels of nodes in sequence according to an SD-WAN mode.
S502, deploying data center CPE equipment at a data center node, deploying regional network convergence center CPE equipment at a regional network convergence center node, and deploying member unit CPE equipment at a member unit node.
S503, deploying SDN controllers and data center switches at the data center nodes, and deploying regional network convergence center switches at the regional network convergence center nodes.
S504, deploying a zero trust main server at a data center node, and deploying a zero trust gateway at a regional network convergence center node; the zero trust main server is in communication connection with the zero trust gateway.
S505, verifying the access data packet sent by the client through the zero trust master server, and notifying the zero trust gateway to establish a communication tunnel with the client according to the verification result.
In the embodiment of the disclosure, the enterprise network is built as a three-tier leaf-spine network topology of data center node, regional network convergence center node and member unit nodes, with CPE equipment deployed at the network boundary of each enterprise network node; once the data center node and the member unit nodes communicate through the regional network convergence center node and the CPE devices, the data transmission channels of the enterprise network are increased, network congestion is noticeably relieved, and the data transmission rate of the enterprise network improves. Meanwhile, VXLAN tags are introduced as an authentication factor for identity access of clients located at the member unit nodes and combined with the authentication mechanism of the zero trust system to extend the access control authentication elements of the enterprise network, so the risk of the enterprise network is noticeably reduced and its security improved.
As shown in connection with fig. 6, in some embodiments, a networking method for an enterprise network is provided, comprising the steps of:
S601, the SDN controller sends configuration information to a data center switch.
S602, the SDN controller sends configuration information to a regional network convergence center switch.
S603, the client sends service access request information to the member unit CPE equipment.
S604, the member unit CPE equipment converts the IP address of the service access request information sent by the client into a target IP address.
S605, the member unit CPE equipment forwards the converted service access request information to the target area network convergence center CPE equipment through an SD-WAN encryption channel based on the target IP address.
S606, the regional network convergence center CPE equipment sends service access request information to the regional network convergence center switch.
S607, the regional network convergence center switch adds a virtual extensible local area network (VXLAN) tag to the service access request information according to the IP address information of the service access request information.
S608, the regional network convergence central switch matches the access control policy with the VXLAN tag.
S609, the regional network convergence center switch forwards the service access request information to the data center CPE equipment according to the access control strategy.
S610, the data center CPE equipment sends service access request information to the data center switch.
S611, the data center switch transmits service access request information to the application server.
S612, the application server responds to the service access request information and sends a response result to the client.
In the embodiment of the disclosure, the enterprise network is built as a three-tier leaf-spine network topology of data center node, regional network convergence center node and member unit nodes, with CPE equipment deployed at the network boundary of each enterprise network node; once the data center node and the member unit nodes communicate through the regional network convergence center node and the CPE devices, the data transmission channels of the enterprise network are increased, network congestion is noticeably relieved, and the data transmission rate of the enterprise network improves. Meanwhile, by combining SD-WAN and SDN technologies, the terminals of each member unit are supported in accessing their respective network planes without IP address readdressing, and users are provided with real-time, dynamic link switching that they do not perceive, avoiding service interruption. In addition, based on the CPE devices at the network entry points, VXLAN is integrated together with the zero trust access authentication architecture, forming an active security defense capability within the network system and improving the security of the enterprise network.
As described above, the network hierarchy of the enterprise network is divided sequentially into the data center node, the regional network convergence center node and the member unit node, and the nodes at all levels are connected in sequence in the SD-WAN manner. The data center switch and the zero trust master server are deployed at the data center node, and the regional network convergence center switch and the zero trust gateway, which is in communication connection with the zero trust master server, are deployed at the regional network convergence center node.
The enterprise network is built as follows: dividing the network level of the enterprise network according to the data center node, the regional network convergence center node and the member unit node in sequence, and connecting all levels of nodes in sequence according to an SD-WAN mode; deploying data center CPE equipment at a data center node, deploying regional network convergence center CPE equipment at a regional network convergence center node, and deploying member unit CPE equipment at member unit nodes, wherein the data center CPE equipment, the regional network convergence center CPE equipment and the member unit CPE equipment realize networking through binding codes, and the member unit CPE equipment is configured to forward data information sent by a client to the regional network convergence center CPE equipment; an SDN controller and a data center switch are deployed at a data center node, and an area network convergence center switch is deployed at an area network convergence node, wherein the SDN controller is configured to issue configuration information to the area network convergence center switch and the data center switch, the area network convergence center switch is configured to forward data information sent by the area network convergence center CPE device to the data center CPE device according to the configuration information, and the data center switch is configured to forward the data information sent by the area network convergence center CPE device to a target application server according to the configuration information.
In some embodiments, as shown in connection with fig. 7, based on the foregoing enterprise network, an access method for an enterprise network is provided, including the steps of:
S701, the access data packet sent by the client is marked with a virtual extensible local area network (VXLAN) tag through the regional network convergence center switch, and the access data packet is forwarded to the data center switch according to the VXLAN network access policy.
The VXLAN protocol encapsulates the original data packet: the VXLAN header carrying the tag is prepended to the original packet and becomes the header of the new access data packet. The VXLAN tags may be predefined, and access packets carrying different VXLAN tags form different data planes that are isolated from one another. The VXLAN header is 8 bytes long, of which 24 bits form the VXLAN Network Identifier (VNI) that distinguishes different layer-2 networks, giving 2^24, i.e. roughly 16 million (16M), VXLAN segments in total, which fully meets the data plane division requirements of a complex network environment.
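The header layout just described can be checked with the following Python example, which builds and parses the 8-byte VXLAN header as specified in RFC 7348 (an 8-bit flags field whose I bit, 0x08, must be set for the VNI to be valid; 24 reserved bits; the 24-bit VNI; 8 reserved bits). It is added here and is not code from the patent; the sample inner frame and VNI are constructed.

```python
"""Added example: VXLAN header encapsulation and decapsulation per RFC 7348."""
import struct
from typing import Tuple

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port
VXLAN_FLAG_I = 0x08            # "I" flag: VNI field is valid
VNI_MAX = (1 << 24) - 1        # 16,777,215: the "16M" segments quoted above


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header; reserved bits are sent as zero."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    # word 0: flags (8 bits) followed by 24 reserved bits
    # word 1: VNI (24 bits) followed by 8 reserved bits
    header = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame). A header without the I flag carries no valid
    VNI and is rejected; reserved bits are ignored on receipt as the RFC says."""
    if len(packet) < 8:
        raise ValueError("short VXLAN packet")
    word0, word1 = struct.unpack("!II", packet[:8])
    flags = word0 >> 24
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    return word1 >> 8, packet[8:]


def same_data_plane(packet_a: bytes, packet_b: bytes) -> bool:
    """Two tagged packets belong to the same isolated data plane iff their VNIs match."""
    return vxlan_decapsulate(packet_a)[0] == vxlan_decapsulate(packet_b)[0]


# Constructed sample: a 4-byte stand-in for an inner Ethernet frame.
SAMPLE_FRAME = b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    pkt = vxlan_encapsulate(10010, SAMPLE_FRAME)
    print(pkt[:8].hex(), vxlan_decapsulate(pkt))
```

Checking the I flag before trusting the VNI matters for the access control use described on this page: a tag-based policy that reads the 24-bit field from a header whose flag is clear is matching on bits the sender never declared to be a VNI.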
S702, sending an access data packet carrying a VXLAN label to the zero trust master server through the data center switch, so that the zero trust master server verifies the access data packet and notifies the zero trust gateway to establish a communication tunnel with the client.
By utilizing the enterprise network constructed by the embodiment of the disclosure, the terminal equipment of the member unit node can realize service application interconnection of the member unit node. Specifically, the terminal device of the member unit node accesses the SD-WAN intranet of the enterprise network through the member unit CPE device, and distributes the SD-WAN intranet to the regional network convergence center node with the nearest geographic location. And then, through verification of the zero trust gateway, the zero trust gateway establishes a safe communication tunnel with the terminal equipment, the zero trust gateway sends access routes of other regional network convergence center nodes to the terminal equipment, and the terminal equipment accesses the other regional network convergence center nodes (the regional network convergence center nodes are connected with the member unit nodes) through the access routes, so that the member unit service application is accessed, and service application interconnection of the member unit nodes is realized.
The zero trust gateway and the client (terminal device/office terminal) establish a Transport Layer Security (TLS) communication tunnel. Data plane access traffic does not need to detour to the data center node, so the interaction path is shorter and communication efficiency is higher, and dynamic traffic control can be achieved by adjusting the access route of the link in real time.
In some possible embodiments, the zero trust gateway is configured as follows: under the condition that verification success notification information sent by a zero trust master server is received, a session token is generated; a communication tunnel is established between the zero trust gateway and the client based on the session token.
The session token is an identity authentication ticket. The zero trust gateway verifies the session token; if verification passes, the identity of the client is proven legitimate and a trusted communication tunnel is established with the zero trust client, otherwise the client is deemed illegitimate and no communication tunnel is established. In this way the risk of the enterprise network can be reduced and its security improved.
In some possible embodiments, the zero trust master server is configured as follows: determining a VXLAN ID tag of the access data packet, and carrying out identity authentication through the VXLAN ID tag; and after the identity authentication is passed, sending notice information of successful authentication to the zero trust gateway.
Each VXLAN ID tag is unique and is in one-to-one correspondence with a member unit node; this correspondence is preset in the zero trust master server. Service access authority can be configured against each VXLAN ID (the key of this mapping) according to actual service requirements, so that when an access request data packet arrives, its VXLAN ID tag serves as the identifier the zero trust gateway recognizes.
Zero trust access control is introduced into an enterprise network, an access control model in the enterprise network is expanded, a VXLAN ID label in SDN technology is used as an identity access authentication factor, and an authentication mechanism of a zero trust system is combined to realize expansion of network access control authentication elements. Therefore, the control of the user source and the control of the user identity are realized, and the security of the network access control is higher.
By adopting the access method for the enterprise network provided by the embodiment of the disclosure, the network hierarchy of the enterprise network is divided sequentially into the data center node, the regional network convergence center node and the member unit node, the nodes at all levels are connected in sequence in the SD-WAN manner, a data center switch and a zero trust master server are deployed at the data center node, and a regional network convergence center switch and a zero trust gateway in communication connection with the zero trust master server are deployed at the regional network convergence center node. First, an access data packet sent by a client is marked with a virtual extensible local area network (VXLAN) tag by the regional network convergence center switch; then the access data packet carrying the VXLAN tag is sent to the zero trust master server through the data center switch, so that the zero trust master server verifies the access data packet and notifies the zero trust gateway to establish a communication tunnel with the client.
In this way, the enterprise network is built as a three-tier leaf-spine network topology of data center node, regional network convergence center node and member unit node; VXLAN tags are introduced as an authentication factor for identity access of the clients located at the member unit node and combined with the authentication mechanism of the zero trust system to extend the access control authentication elements of the enterprise network, so the risk of the enterprise network is noticeably reduced and its security improved. At the same time, once the data center node and the member unit node communicate through the regional network convergence center node, the data transmission channels of the enterprise network are increased, network congestion is noticeably relieved, and the data transmission rate of the enterprise network improves.
As shown in connection with fig. 8, in some embodiments, an access method for an enterprise network is provided, comprising the steps of:
S801, the access data packet sent by the client is marked with a virtual extensible local area network (VXLAN) tag through the regional network convergence center switch, and the access data packet is forwarded to the data center switch according to the VXLAN network access policy.
S802, sending an access data packet carrying a VXLAN label to the zero trust master server through the data center switch, so that the zero trust master server verifies the access data packet and notifies the zero trust gateway to establish a communication tunnel with the client.
S803, after the zero trust gateway establishes a communication tunnel with the client, VXLAN labels are marked on the access data packets sent by the client through the regional network convergence center switch.
S804, the regional network convergence center switch forwards the access data packet to the zero trust gateway according to the VXLAN network access policy.
S805, sending the access data packet forwarded by the zero trust gateway to the application server through the data center switch, so that the application server responds to the access data packet and sends a response result to the client.
In some practical applications, after the zero trust gateway establishes a communication tunnel with the client, VXLAN tags are applied to access data packets sent by the client through the regional network convergence center switch. And the regional network convergence center switch forwards the access data packet to the zero trust gateway according to the VXLAN network access policy, the zero trust gateway sends the access data packet to the zero trust server through a transport layer security protocol (TLS) communication tunnel between the zero trust gateway and the zero trust server, and the zero trust server forwards the access data packet to the application server so that the application server responds to the access data packet and sends a response result to the client.
In some practical applications, after the zero trust gateway establishes a communication tunnel with the client, VXLAN tags are applied to access data packets sent by the client through the regional network convergence center switch. The regional network convergence center switch forwards the access data packet to the client according to the VXLAN network access policy, the client sends the access data packet to the zero trust gateway through a communication tunnel between the zero trust gateway and the client, the zero trust gateway sends the access data packet to the zero trust server through a communication tunnel between the zero trust gateway and the zero trust server, and the zero trust server forwards the access data packet to the application server so that the application server responds to the access data packet and sends a response result to the client.
After the zero trust gateway and the client establish a communication tunnel, data plane access traffic does not need to detour to the data center node, so the interaction path is shorter and communication efficiency is higher, and dynamic traffic control can be achieved by adjusting the access route of the link in real time.
In the embodiment of the disclosure, the enterprise network is built as a three-tier leaf-spine network topology of data center node, regional network convergence center node and member unit nodes; VXLAN tags are introduced as an authentication factor for client identity access at the member unit nodes and combined with the authentication mechanism of the zero trust system to extend the access control authentication factors of the enterprise network, so the risk of the enterprise network is noticeably reduced and its security improved. At the same time, once the data center node and the member unit nodes communicate through the regional network convergence center node, the data transmission channels of the enterprise network are increased, network congestion is noticeably relieved, and the data transmission rate of the enterprise network improves.
As shown in connection with fig. 9, in some embodiments, an access method for an enterprise network is provided, comprising the steps of:
S901, the client sends an authentication request data packet to the regional network convergence center switch.
S902, the regional network convergence center switch marks the authentication request data packet sent by the client with a virtual extensible local area network (VXLAN) label.
S903, the regional network convergence center switch forwards the authentication request data packet to the data center switch according to the VXLAN network access policy.
S904, the data center switch sends the authentication request data packet carrying the VXLAN label to the zero trust master server.
S905, the zero trust master server determines the VXLAN ID label of the access data packet and performs identity authentication through the VXLAN ID label.
S906, after the identity authentication is passed, the zero trust master server sends notification information of successful authentication to the zero trust gateway.
S907, the zero trust gateway generates a session token under the condition that it receives the notification information of successful authentication sent by the zero trust master server.
S908, the zero trust gateway establishes a communication tunnel between the zero trust gateway and the client according to the session token.
S909, the client sends an access data packet to the regional network convergence center switch.
S910, the regional network convergence center switch marks the access data packet sent by the client with the VXLAN label.
S911, the regional network convergence center switch forwards the access data packet to the zero trust gateway according to the VXLAN network access policy.
S912, the zero trust gateway sends the access data packet to the regional network convergence center switch.
S913, the regional network convergence center switch forwards the access data packet to the data center switch.
S914, the data center switch forwards the access data packet to the application server.
S915, the application server responds to the access data packet and sends the response result to the client.
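The authentication path S901 to S908 above, together with the VXLAN network access policy applied in S903 and S911, as an added example in Python that is not code from the patent or its applicant: a toy model in which the regional switch encapsulates the client's request with a VXLAN VNI, the zero trust master server checks the client's credential and then the VNI as a second authentication factor, the VNI is matched against an access policy, and the gateway mints a session token only after every check passes. The VNIs, client directory, policy table, keys, request format and HMAC proof are all constructed assumptions for illustration, not values or formats taken from the patent.

```python
"""Added example (not the patent's code): VXLAN VNI as a second factor in a
zero-trust authentication path modelled on steps S901-S908.  All identifiers,
secrets, VNIs and packet bytes below are constructed for illustration."""

import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

VXLAN_HEADER_LEN = 8
VXLAN_FLAG_VNI_VALID = 0x08  # 'I' flag: the VNI field is valid (RFC 7348)

# Constructed policy tables (hypothetical values).
VNI_TO_MEMBER_UNIT = {0x001001: "unit-A", 0x001002: "unit-B"}      # segment -> member unit
CLIENT_DIRECTORY = {"client-42": ("unit-A", b"constructed-client-secret")}  # id -> (unit, secret)
ACCESS_POLICY = {0x001001: {"erp"}, 0x001002: {"crm"}}              # VNI -> reachable apps
GATEWAY_KEY = b"constructed-gateway-key"                            # gateway token signing key


def encapsulate_vxlan(vni: int, inner: bytes) -> bytes:
    """S902/S910: the regional switch prepends a VXLAN header carrying the VNI.
    Layout: 8-bit flags, 24-bit reserved, 24-bit VNI, 8-bit reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!BBHI", VXLAN_FLAG_VNI_VALID, 0, 0, vni << 8) + inner


def parse_vxlan(frame: bytes) -> Tuple[int, bytes]:
    """Split a VXLAN frame into (VNI, inner payload); reject malformed headers."""
    if len(frame) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _r1, _r2, tail = struct.unpack("!BBHI", frame[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set; VNI is not valid")
    return tail >> 8, frame[VXLAN_HEADER_LEN:]


def build_auth_request(client_id: str, app: str) -> bytes:
    """S901: constructed request 'id|app|proof', proof = HMAC over id|app."""
    _unit, secret = CLIENT_DIRECTORY[client_id]
    proof = hmac.new(secret, f"{client_id}|{app}".encode(), hashlib.sha256).hexdigest()
    return f"{client_id}|{app}|{proof}".encode()


def authenticate(frame: bytes) -> dict:
    """S905: the zero trust master server verifies the credential, then the
    switch-stamped VNI as a second factor, then the VNI access policy."""
    vni, inner = parse_vxlan(frame)
    try:
        client_id, app, proof = inner.decode().split("|")
    except ValueError:
        return {"ok": False, "reason": "malformed request"}
    entry = CLIENT_DIRECTORY.get(client_id)
    if entry is None:
        return {"ok": False, "reason": "unknown client"}
    unit, secret = entry
    expected = hmac.new(secret, f"{client_id}|{app}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof):
        return {"ok": False, "reason": "bad credential"}
    # Second factor: a valid credential presented from a segment that is not
    # the client's own member unit is refused.
    if VNI_TO_MEMBER_UNIT.get(vni) != unit:
        return {"ok": False, "reason": "VNI does not match member unit"}
    if app not in ACCESS_POLICY.get(vni, set()):
        return {"ok": False, "reason": "VNI not permitted to reach app"}
    return {"ok": True, "client": client_id, "vni": vni, "app": app}


def issue_session_token(verdict: dict) -> Optional[str]:
    """S907: the gateway mints a token bound to client, VNI and app, so the
    tunnel of S908 is scoped to exactly what was authenticated."""
    if not verdict.get("ok"):
        return None
    body = f"{verdict['client']}:{verdict['vni']:06x}:{verdict['app']}:{os.urandom(8).hex()}"
    tag = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}.{tag}"


def verify_session_token(token: str) -> bool:
    """S908/S911: the gateway checks the token before accepting tunnel traffic."""
    body, _, tag = token.rpartition(".")
    if not body:
        return False
    expected = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, tag)


def run_flow(client_id: str, app: str, vni: int) -> dict:
    """Drive S901-S907 end to end for one constructed request."""
    frame = encapsulate_vxlan(vni, build_auth_request(client_id, app))
    verdict = authenticate(frame)
    verdict["token"] = issue_session_token(verdict)
    return verdict


if __name__ == "__main__":
    print(run_flow("client-42", "erp", 0x001001))  # authenticated, token issued
    print(run_flow("client-42", "erp", 0x001002))  # right credential, wrong segment
    print(run_flow("client-42", "crm", 0x001001))  # segment may not reach crm
```

The second and third calls in the usage block show what the "expansion of authentication factors" buys in practice: a correct credential is still refused when the frame arrives on a VNI that is not assigned to the client's member unit, or when the policy for that VNI does not cover the requested application. The caveat a deployer should keep in mind is that the VNI is only as trustworthy as the switch that stamps it; the factor holds only if clients cannot inject their own VXLAN encapsulation and the tag cannot be rewritten between the regional switch and the zero trust master server.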
The disclosed embodiment shown in connection with fig. 10 provides a networking device 1000 for an enterprise network, comprising a processor 100 and a memory 101, and may further comprise a communication interface 102 and a bus 103. The processor 100, the communication interface 102 and the memory 101 may communicate with each other via the bus 103. The communication interface 102 may be used for information transfer. The processor 100 may invoke logic instructions in the memory 101 to perform the networking method for an enterprise network of the above-described embodiments.
Further, the logic instructions in the memory 101 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product.
The memory 101 is a computer readable storage medium that can be used to store a software program, a computer executable program, such as program instructions/modules corresponding to the methods in the embodiments of the present disclosure. The processor 100 executes functional applications and data processing by running program instructions/modules stored in the memory 101, i.e. implements the networking method for enterprise networks in the method embodiments described above.
The memory 101 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for a function; the storage data area may store data created according to the use of the terminal device, etc. Further, the memory 101 may include a high-speed random access memory, and may also include a nonvolatile memory.
With the networking device for an enterprise network, the enterprise network is constructed into a three-level leaf-spine network topology of a data center node, a regional network convergence center node and member unit nodes, and CPE equipment is deployed at the network boundary of each enterprise network node. After the data center node and the member unit nodes are connected to each other through the regional network convergence center node and each CPE device, the data transmission channels of the enterprise network are increased, the congestion of the enterprise network can be obviously relieved, and the data transmission rate of the enterprise network is improved. At the same time, the need to maintain network access policies at each informatized site is greatly reduced, the working efficiency is improved, and the occurrence of policy-overflow problems is reduced.
Embodiments of the present disclosure provide a computer-readable storage medium storing computer-executable instructions configured to perform the networking method for an enterprise network described above.
The disclosed embodiments provide a computer program product comprising a computer program stored on a computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the networking method for an enterprise network described above.
The computer readable storage medium may be a transitory computer readable storage medium or a non-transitory computer readable storage medium.
Embodiments of the present disclosure may be embodied in a software product stored on a storage medium, including one or more instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of a method according to embodiments of the present disclosure. The aforementioned storage medium may be a non-transitory storage medium, including any of a number of media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or a transitory storage medium.
The above description and the drawings illustrate embodiments of the disclosure sufficiently to enable those skilled in the art to practice them. Other embodiments may involve structural, logical, electrical, process, and other changes. The embodiments represent only possible variations. Individual components and functions are optional unless explicitly required, and the sequence of operations may vary. Portions and features of some embodiments may be included in, or substituted for, those of others. The scope of the embodiments of the present disclosure encompasses the full ambit of the claims, as well as all available equivalents of the claims. When used in this application, although the terms "first," "second," etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without changing the meaning of the description, so long as all occurrences of the "first element" are renamed consistently and all occurrences of the "second element" are renamed consistently. The first element and the second element are both elements, but may not be the same element. Moreover, the terminology used in the present application is for the purpose of describing embodiments only and is not intended to limit the claims. As used in the description of the embodiments and the claims, the singular forms "a," "an," and "the" (the) are intended to include the plural forms as well, unless the context clearly indicates otherwise. Similarly, the term "and/or" as used in this application is meant to encompass any and all possible combinations of one or more of the associated listed. 
Furthermore, when used in this application, the terms "comprises," "comprising," and/or "includes," and variations thereof, mean that the stated features, integers, steps, operations, elements, and/or components are present, but that the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof is not precluded. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method or apparatus comprising such elements. In this context, each embodiment may be described with emphasis on the differences from the other embodiments, and the same similar parts between the various embodiments may be referred to each other. For the methods, products, etc. disclosed in the embodiments, if they correspond to the method sections disclosed in the embodiments, the description of the method sections may be referred to for relevance.
Those of skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. The skilled artisan may use different methods for each particular application to achieve the described functionality, but such implementation should not be considered to be beyond the scope of the embodiments of the present disclosure. It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the embodiments disclosed herein, the disclosed methods, articles of manufacture (including but not limited to devices, apparatuses, etc.) may be practiced in other ways. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the units may be merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form. The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to implement the present embodiment. In addition, each functional unit in the embodiments of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. In the description corresponding to the flowcharts and block diagrams in the figures, operations or steps corresponding to different blocks may also occur in different orders than that disclosed in the description, and sometimes no specific order exists between different operations or steps. For example, two consecutive operations or steps may actually be performed substantially in parallel, they may sometimes be performed in reverse order, which may be dependent on the functions involved. Each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Claims (10)

1. A networking method for an enterprise network, comprising:
dividing the network level of the enterprise network according to the data center node, the regional network convergence center node and the member unit node in sequence, and connecting all levels of nodes in sequence according to an SD-WAN mode;
deploying data center CPE equipment at a data center node, deploying regional network convergence center CPE equipment at a regional network convergence center node, and deploying member unit CPE equipment at a member unit node; wherein the data center CPE device, the regional network convergence center CPE device and the member unit CPE device realize networking through binding codes, and the member unit CPE device is configured to forward data information sent by a client to the regional network convergence center CPE device;
deploying SDN controllers and data center switches at the data center nodes, and deploying regional network convergence center switches at the regional network convergence nodes; the SDN controller is configured to issue configuration information to the regional network convergence center switch and the data center switch, the regional network convergence center switch is configured to forward the data information sent by the regional network convergence center CPE device to the data center CPE device according to the configuration information, and the data center switch is configured to forward the data information sent by the regional network convergence center CPE device to the target application server according to the configuration information.
2. The networking method of claim 1, wherein the SDN controller is configured as follows:
obtaining an abnormal condition of a first regional network convergence center node;
under the condition that the first regional network convergence center node is abnormal, switching the link of the first regional network convergence center node to a second regional network convergence center node.
3. The networking method of claim 2, wherein the second regional network convergence center node is determined as follows:
obtaining a plurality of regional network convergence center nodes associated with the first regional network convergence center node;
determining node operation states of the plurality of regional network convergence center nodes; the node operation state comprises one or more of failure rate, congestion rate and network jitter amplitude;
screening one regional network convergence center node from the plurality of regional network convergence center nodes based on the node operation state to serve as the second regional network convergence center node.
4. The networking method of claim 1, wherein the member unit CPE device is configured as follows:
converting the IP address of the service access request information sent by the client into a target IP address;
forwarding the converted service access request information to the target regional network convergence center CPE device through an SD-WAN encrypted channel based on the target IP address.
5. The networking method of claim 4, wherein the target regional network convergence center CPE device is determined as follows:
determining a plurality of regional network convergence center CPE devices located within a preset geographic range centered on the current member unit CPE device;
determining the data transmission efficiency of the plurality of regional network convergence center CPE devices; the data transmission efficiency represents the data transmission speed and transmission accuracy of a regional network convergence center CPE device in its current state;
screening one regional network convergence center CPE device from the plurality of regional network convergence center CPE devices based on the data transmission efficiency to serve as the target regional network convergence center CPE device.
6. The networking method of claim 1, wherein the regional network convergence center switch is configured as follows:
adding a virtual extensible local area network (VXLAN) label to the service access request information according to the IP address information of the service access request information;
matching an access control policy through the VXLAN label;
forwarding the service access request information to the data center CPE device according to the access control policy.
7. The networking method of claim 6, wherein forwarding the service access request information to the data center CPE device according to the access control policy comprises:
determining the request source of the service access request information and the target source of the access control policy;
forwarding the service access request information to the data center CPE device under the condition that the request source of the service access request information and the target source of the access control policy are in the same data plane.
8. The networking method of any one of claims 1 to 7, further comprising:
a zero trust main server is deployed at a data center node, and a zero trust gateway is deployed at a regional network convergence center node; the zero trust main server is in communication connection with the zero trust gateway;
and verifying the access data packet sent by the client through the zero trust server, and informing the zero trust gateway to establish a communication tunnel with the client according to the verification result.
9. A networking device for an enterprise network, comprising a processor and a memory storing program instructions, wherein the processor is configured to perform the networking method for an enterprise network of any one of claims 1 to 8 when the program instructions are run.
10. A networking system for an enterprise network, comprising:
a data center node for deploying data center CPE equipment, SDN controllers and data center switches;
the regional network convergence center node is used for deploying regional network convergence center CPE equipment and a regional network convergence center switch;
a member unit node deploying member unit CPE equipment;
the networking device for an enterprise network of claim 9.
CN202410171990.9A 2024-02-07 2024-02-07 Networking method, device and system for enterprise network Active CN117729062B (en)

Publications (2)

Publication Number Publication Date
CN117729062A true CN117729062A (en) 2024-03-19
CN117729062B CN117729062B (en) 2024-05-28

Family

ID=90209203

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant