CN118118422A - Traffic forwarding method and device and electronic equipment - Google Patents


Info

Publication number
CN118118422A
Authority
CN
China
Prior art keywords
address
forwarding
traffic
intranet
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410371167.2A
Other languages
Chinese (zh)
Inventor
胡钉昂
谈晓明
朱姝
金璐聪
林腾辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a traffic forwarding method and device and electronic equipment. The method comprises the following steps: obtaining the egress traffic of an optical line terminal; determining whether the destination IP address of the egress traffic is an intranet IP address; when the destination IP address of the egress traffic is an intranet IP address, forwarding the egress traffic to the intranet through a first forwarding policy, wherein the first forwarding policy does not comprise a verification procedure; and when the destination IP address of the egress traffic is not an intranet IP address, forwarding the egress traffic to the extranet server through a second forwarding policy, wherein the second forwarding policy comprises a verification procedure. The application solves the technical problem that, in a traditional intranet environment, the traffic of a user accessing the intranet and the extranet is handled identically, so that intelligent traffic splitting cannot be achieved and the network rate is low.

Description

Traffic forwarding method and device and electronic equipment
Technical Field
The present application relates to the field of broadband networks, and in particular, to a method, an apparatus, and an electronic device for forwarding traffic.
Background
In a traditional intranet environment, the traffic of a user accessing the intranet and the extranet is not distinguished, which causes network congestion and makes intelligent traffic splitting impossible. This design not only limits the network rate but also degrades the user experience, and under high concurrent access the problem is more pronounced. Therefore, how to optimize the network structure, achieve intelligent traffic splitting, and improve the network rate has become a problem to be solved in the industry.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides a traffic forwarding method, device and electronic equipment, which at least solve the technical problem that, in a traditional intranet environment, the traffic of a user accessing the intranet and the extranet is handled identically, intelligent traffic splitting cannot be achieved, and the network rate is low.
According to one aspect of the embodiment of the present application, a traffic forwarding method is provided, comprising: obtaining the egress traffic of an optical line terminal; determining whether the destination IP address of the egress traffic is an intranet IP address; when the destination IP address of the egress traffic is an intranet IP address, forwarding the egress traffic to the intranet through a first forwarding policy, wherein the first forwarding policy does not comprise a verification procedure; and when the destination IP address of the egress traffic is not an intranet IP address, forwarding the egress traffic to the extranet server through a second forwarding policy, wherein the second forwarding policy comprises a verification procedure.
Optionally, forwarding the egress traffic to the intranet through the first forwarding policy comprises: forwarding the egress traffic to a service cloud gateway, wherein the service cloud gateway translates the source IP address of the egress traffic; and forwarding the egress traffic, after address translation by the service cloud gateway, to the destination IP address of the egress traffic.
Optionally, before forwarding the egress traffic to the extranet server through the second forwarding policy, the method further comprises: intercepting the access request of the egress traffic and returning the address of an interception page; receiving a click operation by a target object on the address of the interception page and jumping to the interception page according to the click operation, wherein the interception page states the reason why the access request cannot be completed, and the target object is the user who initiated the access request; and when the target object has accessed the interception page, redirecting from the interception page to a portal page for verification.
Optionally, redirecting from the interception page to the portal page for verification comprises: determining the IP address of the service cloud gateway to which the source IP address of the egress traffic belongs; and determining the corresponding portal page according to the IP address of the service cloud gateway.
Optionally, redirecting from the interception page to the portal page for verification comprises: when the login state of the target object is not logged in, receiving login information entered by the target object on the portal page, wherein the login information comprises an account number and a password; determining whether the login information exists in an extranet access list; when the login information does not exist in the extranet access list, determining that the verification result of the target object is verification failure; and when the login information exists in the extranet access list, determining that the verification result of the target object is verification success.
Optionally, after determining that the verification result of the target object is verification success, the method further comprises: obtaining the account number and password from the login information, and obtaining the IP address of the service cloud gateway to which the source IP address of the egress traffic belongs; sending a query request to a cloud gateway management platform through a portal server, wherein the query request comprises the login information and the IP address of the service cloud gateway; receiving the query result returned by the cloud gateway management platform, wherein the query result comprises account information, the region information of the account, the LAN-side information of the account and the WLAN-side information of the account; and establishing a target tunnel between the query result and the virtual broadband access server, wherein the target tunnel is associated with a LAN-side channel and a WLAN-side channel.
Optionally, forwarding the egress traffic to the extranet server through the second forwarding policy comprises: obtaining dialing information, wherein the dialing information comprises the query result and the login information; initiating PPPoE (Point-to-Point Protocol over Ethernet) dialing on the WAN port according to the dialing information, and sending the dialing information through the broadband access server to the AAA server for verification; and when the verification result is that verification passed, forwarding the egress traffic to the extranet server through the broadband access server.
According to another aspect of the embodiment of the present application, a traffic forwarding apparatus is also provided, comprising: an acquisition module for obtaining the egress traffic of an optical line terminal; a determining module for determining whether the destination IP address of the egress traffic is an intranet IP address; a first forwarding module for forwarding the egress traffic to the intranet through a first forwarding policy when the destination IP address of the egress traffic is an intranet IP address, wherein the first forwarding policy does not comprise a verification procedure; and a second forwarding module for forwarding the egress traffic to the extranet server through a second forwarding policy when the destination IP address of the egress traffic is not an intranet IP address, wherein the second forwarding policy comprises a verification procedure.
According to still another aspect of the embodiment of the present application, an electronic device is also provided, comprising: a memory for storing program instructions; and a processor coupled to the memory for executing program instructions that perform the following functions: obtaining the egress traffic of an optical line terminal; determining whether the destination IP address of the egress traffic is an intranet IP address; when the destination IP address of the egress traffic is an intranet IP address, forwarding the egress traffic to the intranet through a first forwarding policy, wherein the first forwarding policy does not comprise a verification procedure; and when the destination IP address of the egress traffic is not an intranet IP address, forwarding the egress traffic to the extranet server through a second forwarding policy, wherein the second forwarding policy comprises a verification procedure.
According to yet another aspect of the embodiment of the present application, a computer program product is also provided, comprising computer instructions which, when executed by a processor, implement the traffic forwarding method described above.
In the embodiment of the application, the egress traffic of the optical line terminal is obtained; whether the destination IP address of the egress traffic is an intranet IP address is determined; when the destination IP address of the egress traffic is an intranet IP address, the egress traffic is forwarded to the intranet through a first forwarding policy, wherein the first forwarding policy does not comprise a verification procedure; and when the destination IP address of the egress traffic is not an intranet IP address, the egress traffic is forwarded to the extranet server through a second forwarding policy, wherein the second forwarding policy comprises a verification procedure. This achieves the purpose of intelligently distinguishing intranet and extranet traffic, attains the technical effects of improving the network rate and enhancing network security, and solves the technical problem that, in a traditional intranet environment, the traffic of a user accessing the intranet and the extranet is handled identically, intelligent traffic splitting cannot be achieved, and the network rate is low.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a hardware block diagram of a computer terminal for implementing a traffic forwarding method according to an embodiment of the present application;
FIG. 2 is a flow chart of a traffic forwarding method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a campus network under cloud broadband according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a conventional campus network according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a campus network under cloud broadband according to an embodiment of the present application;
FIG. 6 is a block diagram of a traffic forwarding apparatus according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The information collected by the embodiment of the application is information and data which are authorized by a user or fully authorized by each party, and the processing of collection, storage, use, processing, transmission, provision, disclosure, application and the like of related data all obeys the related laws and regulations and standards of related areas, necessary security measures are adopted, the public order is not violated, and a corresponding operation entrance is provided for the user to select authorization or reject an automatic decision result; if the user selects refusal, the expert decision flow is entered.
First, partial terms or terminology appearing in the course of explaining the embodiments of the present application are applicable to the following explanation:
SRv6 (Segment Routing over IPv6, segment routing based on the IPv6 forwarding plane): the combination of SR (Segment Routing) and IPv6, a new-generation IP bearer protocol. It uses the existing IPv6 forwarding technology and achieves network programming through a flexible IPv6 extension header. SRv6 simplifies the network protocol types, has good scalability and programmability, can meet the diverse requirements of new services, provides high reliability, and has good application prospects in cloud services.
NAT (Network Address Translation): with NAT, when an "internal" network using private (reserved) addresses sends packets through a router, the private addresses are translated into legitimate IP addresses, so that a local area network can satisfy the communication needs of all computers in the private-address network with the Internet using only a small number of IP addresses (even one).
DNS (Domain Name System): a distributed database for TCP/IP applications that provides translation between domain names and IP addresses.
Leaf: in the embodiment of the present application, refers to a switch. There are two important components in a leaf-spine architecture, the leaf switch and the spine switch. The spine switch plays the role of the core switch in a traditional three-layer architecture, except that it is no longer a large chassis switch but a switch with high port density. The leaf switch forms the access layer, provides network connectivity to terminals and servers, and connects to the spine switch. The leaf-spine topology is mainly used to handle the rapid growth of traffic in data centers and the continuous expansion of data-center scale, meeting the high-speed interconnection requirements within the data center that the traditional three-layer topology cannot meet. The A-Leaf node is responsible for interfacing with access devices such as OLTs, and the S-Leaf node connects to related cloud platform services such as the central cloud and the edge cloud.
VSW (vSwitch): a virtual network switch. The VSW modules in the access cloud gateway and the service cloud gateway are mainly used for forwarding traffic.
SNAT (Source Network Address Translation): Network Address Translation (NAT) is an important network technology for communication between private and public networks. Destination Network Address Translation (DNAT) translates the destination IP address of an external request to a specific IP address in the internal network, and SNAT translates a source IP address in the internal network to a publicly routable IP address.
QinQ: the VLAN tag of the user's private network is encapsulated inside the VLAN tag of the public network, so that the frame traverses the operator's backbone carrying two layers of VLAN tags. In the public network it is propagated only according to the outer VLAN tag, and the private-network VLAN tag is shielded. This not only distinguishes data streams; because the private-network VLAN tag is transmitted transparently, different users can reuse the same VLAN tags, and only the outer VLAN tag needs to be unique on the public network, which in practice enlarges the number of usable VLAN tags. User traffic in a tunnel can be marked through QinQ for forwarding scheduling. In the embodiment of the present application, QinQ refers to the SVLAN and CVLAN numbers; CVLAN and SVLAN differ mainly in who manages them and in their application scenario. The CVLAN is managed and configured by the customer and is mainly used to partition the internal network, while the SVLAN is managed and configured by the service provider, primarily to provide multi-tenant network services.
BRAS (Broadband Remote Access Server): a new type of access gateway for broadband network applications, located at the edge layer of the backbone network, which completes data access for users over IP/ATM networks and provides broadband Internet access for commercial buildings and residential communities.
VBAS (Virtual BAS, virtual broadband access server): a method by which the broadband access server obtains the port number of a broadband access user, solving the problem that after broadband access users (including ADSL, VDSL and LAN) use an IP access server, the server cannot determine user information from the IP alone. VBAS helps to achieve more flexible and efficient large-scale broadband access; it can run the BRAS function in a virtualized environment, turning BRAS equipment into a pure software system running in a virtual machine, thereby improving the flexibility and efficiency of network management.
EOR (Edge of the Routed network, edge routing network): a switch operating at the edge of a local area network that connects end devices within the local area network to external networks. EOR switches are typically deployed in the networks of large businesses, schools and institutions, acting as bridges between internal and external networks.
In order to solve the problem that the network rate is low because intelligent traffic splitting cannot be achieved in a traditional intranet environment, the embodiment of the application provides a traffic forwarding method which can run on the computer terminal shown in FIG. 1 and is described below.
The traffic forwarding method provided by the embodiment of the application can be executed on a mobile terminal, a computer terminal or a similar computing device. FIG. 1 shows a block diagram of the hardware architecture of a computer terminal for implementing a traffic forwarding method. As shown in FIG. 1, the computer terminal 10 may include one or more processors (shown as 102a, 102b, …, 102n in the figure), which may include but are not limited to a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions connected via a wired and/or wireless network. In addition, the terminal may further include a display, a keyboard, a cursor control device, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be one of the ports of the I/O interface), a network interface and a bus. It will be appreciated by those of ordinary skill in the art that the configuration shown in FIG. 1 is merely illustrative and does not limit the configuration of the electronic device described above. For example, the computer terminal 10 may include more or fewer components than shown in FIG. 1, or have a different configuration from that shown in FIG. 1.
It should be noted that the one or more processors and/or other data processing circuits described above may be referred to herein generally as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Furthermore, the data processing circuitry may be a single stand-alone processing module or incorporated, in whole or in part, into any of the other elements in the computer terminal 10. As referred to in embodiments of the application, the data processing circuit acts as a processor control (e.g., selection of the path of the variable resistor termination connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the method of forwarding traffic in the embodiments of the present application, and the processor executes the software programs and modules stored in the memory 104, thereby performing various functional applications and data processing, that is, implementing the method of forwarding traffic as described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module 106 is used to receive or transmit data via a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission module 106 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission module 106 may be a Radio Frequency (RF) module for communicating with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10.
It should be noted here that, in some alternative embodiments, the computer terminal shown in FIG. 1 may include hardware elements (including circuits), software elements (including computer code stored on a computer readable medium), or a combination of both hardware and software elements. It should be noted that FIG. 1 is only one specific example and is intended to illustrate the types of components that may be present in the computer terminals described above.
In the above-described operating environment, embodiments of the present application provide a method embodiment for traffic forwarding, it should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions, and although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
FIG. 2 is a flow chart of a traffic forwarding method according to an embodiment of the present application. As shown in FIG. 2, the method includes the following steps:
Step S202: obtaining the egress traffic of the optical line terminal.
In step S202, the optical line terminal may be, for example, an OLT (Optical Line Terminal), and the OLT egress traffic is forwarded to the access cloud gateway through the A-Leaf device.
Step S204: determining whether the destination IP address of the egress traffic is an intranet IP address.
In step S204, in the intelligent traffic-splitting scenario, when the access cloud gateway receives a data packet (i.e., egress traffic), it checks the destination IP address of the packet. The destination IP address is the IP address of the device the packet is intended for; by identifying this address, the access cloud gateway can decide how to route or process the packet. In this step, intranet IP addresses generally refer to IP addresses used inside a private network, which are not directly exposed on the Internet but are used for communication within the internal network; by contrast, an extranet IP address is an IP address on the public Internet. This determination matters to the access cloud gateway because it decides where the packet should be forwarded and whether additional processing steps (e.g., NAT translation, security verification) need to be performed.
Step S206: if the destination IP address of the egress traffic is an intranet IP address, forwarding the egress traffic to the intranet through the first forwarding policy, wherein the first forwarding policy does not include a verification procedure.
In step S206, if the destination IP address is an intranet IP address, the packet is generally forwarded directly to the corresponding device in the intranet, and no additional security verification or address translation may be needed.
Step S208: if the destination IP address of the egress traffic is not an intranet IP address, forwarding the egress traffic to the extranet server through the second forwarding policy, wherein the second forwarding policy includes a verification procedure.
In step S208, if the destination IP address is not an intranet IP address but an extranet IP address, the packet may need to undergo a series of processing steps, including address translation and security verification, before being sent to the Internet, for example to an extranet server.
Through steps S202 to S208 of the traffic forwarding method, independent broadband control of Internet access traffic and intranet access traffic can be achieved without mutual interference, achieving the purpose of intelligently distinguishing intranet and extranet traffic. This attains the technical effects of improving the network rate and enhancing network security, and solves the technical problem that, in a traditional intranet environment, the traffic of a user accessing the intranet and the extranet is handled identically, intelligent traffic splitting cannot be achieved, and the network rate is low. The following is a detailed description.
In step S206 in the above-mentioned traffic forwarding method, forwarding the egress traffic to the intranet through the first forwarding policy specifically includes the following steps: forwarding the outlet flow to a service cloud gateway, wherein the service cloud gateway is used for converting a source IP address of the outlet flow; and forwarding the outlet traffic after the service cloud gateway address conversion to a destination IP address of the outlet traffic.
In the embodiment of the present application, according to the first forwarding policy, the access cloud gateway forwards the egress traffic to the service cloud gateway, and after receiving the egress traffic, the service cloud gateway performs necessary conversion on the source IP address thereof, that is, performs NAT operation on the source IP address in the egress traffic, where this address conversion may be for a plurality of reasons, for example, IP address planning of the internal network, security consideration, or network isolation requirement. The step of converting the source IP address of the outgoing traffic to an internal network-approved, appropriate IP address via address translation ensures that the traffic is routed correctly in the internal network and complies with the internal network's address allocation and management rules. After the service cloud gateway address is converted, the service cloud gateway address is forwarded to corresponding internal network equipment or terminals according to the destination IP address of the outlet flow. Since the destination IP address is an intranet IP address, this forwarding process is typically performed within the intranet, and no additional routing or security verification is required. Because the verification flow is not included, the first forwarding strategy can process intranet traffic more quickly, and network delay and unnecessary processing overhead are reduced. Meanwhile, address conversion is carried out through the service cloud gateway, so that the stability and the safety of the internal network are ensured.
In step S208 in the above method for forwarding traffic, before forwarding the egress traffic to the external network server through the second forwarding policy, the method further includes: intercepting an access request of the outlet flow and returning an address of an interception page; receiving a click operation of a target object on an address of an interception page, and jumping to the interception page according to the click operation, wherein the interception page comprises a reason that the interception page cannot be accessed, and the target object is a user initiating an access request; and under the condition that the interception page is accessed by the target object, redirecting the interception page to the portal page for verification.
In the embodiment of the application, when the access cloud gateway detects that the destination IP address of the outlet flow is the address of the external network server, the access cloud gateway firstly intercepts the access request corresponding to the outlet flow. This means that the request from the user to access the external network server is not immediately handled but is temporarily suspended. After the interception is successful, an address of an interception page is returned to the user through the network equipment. This address is typically a specific web page link for presenting the user with information about the interception of his access request. After receiving the address of the interception page, the user (i.e., the target object) typically needs to click on this link to access the interception page. This step is to ensure that the user is able to know explicitly that his access request is intercepted. When the user clicks on the address of the interception page, the user is navigated to the interception page. This page typically contains information about reasons for the inability to access the extranet server, such as network failures, lack of rights, access policy restrictions, etc. The content of the interception page explicitly informs the user why his access request was intercepted, which helps the user to understand the current situation and to make the corresponding processing. If the user accesses the intercept page and wishes to continue with his access request, the system redirects the intercept page to a portal page. This portal page typically contains a series of authentication steps such as authentication, access rights checking, etc. Only after passing these verifications will the user's access request be allowed to continue and eventually forwarded to the foreign network server via the second forwarding policy. 
Through such steps, the network management system can perform necessary authentication and reminding to the user before allowing access to the external network server, thereby improving the security of the network. At the same time, clear feedback is provided for the user, so that the user can understand why the access request is intercepted and how to continue the access.
In the step, redirecting the interception page to the portal page for verification comprises the following steps: determining the IP address of a service cloud gateway to which the source IP address of the outlet flow belongs; and determining a corresponding portal page according to the IP address of the service cloud gateway.
In the embodiment of the application, after the user's access request has been intercepted and the user has jumped to the interception page, the system needs to identify the source of the request. The most critical information in this process is the source IP address of the egress traffic. This source IP address is typically assigned by the network device or terminal where the user is located. However, because of the multiple layers of forwarding and address translation that may exist in the network architecture, this source IP address may not point directly at the user's real device. Therefore, the system further analyzes the source IP address to determine the IP address of the service cloud gateway to which it belongs. A service cloud gateway is typically a device responsible for managing and controlling the forwarding of internal network traffic, and is capable of identifying and recording information about the different devices and traffic in the internal network. Once the IP address of the service cloud gateway to which the source IP address of the egress traffic belongs is determined, the system can look up the corresponding portal page according to this information. Different service cloud gateways may correspond to different network areas, service scenarios or security policies, and so may require the user to verify through different portal pages. These portal pages typically include the necessary verification steps (user login, permission checking, security authentication, etc.) to ensure that only users meeting certain criteria can access the external network server. This enables fine-grained management of user access requests: the system identifies the user's source, redirects the user to the appropriate portal page for verification according to that source and the service requirements, improves network security by preventing unauthorized access, and can provide a more personalized and convenient service experience for the user.
In the step, redirecting the interception page to the portal page for verification comprises the following steps: receiving login information input by a target object on a portal page under the condition that the login state of the target object is not logged in, wherein the login information comprises an account number and a password; determining whether login information exists in an external network access list; under the condition that the login information does not exist in the external network access list, determining that the verification result of the target object is verification failure; and under the condition that the login information exists in the external network access list, determining that the verification result of the target object is verification success.
In the embodiment of the application, after the user's access request is intercepted, the system redirects the user to a specific portal page. This portal page is typically used to collect the user's login information for identity verification. If the user is currently in the not-logged-in state, the system prompts the user to enter login information on the portal page. The login information typically includes an account number and a password, which are the key credentials by which the user proves identity in the network environment. After receiving the login information entered by the user, the system performs a series of verification operations. First, it checks whether this login information exists in the external network access list. The external network access list is a preset list that contains the account information of users allowed to access the external network server. If the system finds that the login information entered by the user does not exist in the external network access list, it determines that the user's verification result is failure. This typically means that the user is not authorized to access the external network server, or that the entered account number and password are incorrect. Conversely, if the system confirms that the login information entered by the user does exist in the external network access list, it determines that the user's verification result is success. This means that the user has passed identity verification and can continue with the access request. Once the verification result is determined, the system takes the corresponding action. If verification fails, the system may prompt the user to re-enter the login information or deny the access request. If verification succeeds, the system allows the user's access request to continue and forwards it to the external network server.
Through the process, only the legally authorized user can access the external network server, so that the network security is effectively improved. Meanwhile, an explicit authentication flow is provided for the user, so that the user can clearly know the processing state of the access request.
In the above step, after determining that the verification result of the target object is verification success, the method further includes: acquiring the account number and password in the login information, and acquiring the IP address of the service cloud gateway to which the source IP address of the egress traffic belongs; sending a query request to a cloud gateway management platform through a portal server, wherein the query request includes the login information and the IP address of the service cloud gateway; receiving a query result returned by the cloud gateway management platform, wherein the query result includes account information, region information of the account, local area network side information of the account and wireless local area network side information of the account; and establishing, according to the query result, a target tunnel to the virtual broadband access server, wherein the target tunnel is associated with a channel on the local area network side and a channel on the wireless local area network side.
In the embodiment of the application, once the verification result of the target object is determined to be success, the system first acquires the login information entered by the user on the portal page, namely the account number and password. At the same time, the system acquires the IP address of the service cloud gateway to which the source IP address of the egress traffic belongs; this information is the basis of the subsequent operations and is used to determine the identity of the user and the network environment in which the user is located. The system sends a query request to the cloud gateway management platform through the portal server, wherein the query request includes the user's login information and the IP address of the service cloud gateway; the cloud gateway management platform is the system responsible for managing cloud gateway equipment and maintaining user account information and network configuration. After receiving the query request, the cloud gateway management platform performs a query according to the login information and the IP address of the service cloud gateway, and returns the query result to the system. The query result generally includes account information (such as account status and authority), area information to which the account belongs (such as the network area of the user), LAN side information of the account (such as the specific configuration and status of the LAN to which the user is connected), and WLAN side information of the account (such as the specific configuration and status of the WLAN to which the user is connected).
According to the received query result, a target tunnel is established between the system and the virtual broadband access server (vBRAS). The tunnel is the channel for data transmission between the user and the external network server and is associated with the channel on the local area network side and the channel on the wireless local area network side, so that data can be transmitted safely and efficiently between the two networks. In this way, the system not only verifies the identity of the user but also, according to the user's network environment and configuration, establishes a suitable tunnel for the user to communicate with the external network server. This both improves the security of the network (only authenticated users can establish tunnels) and ensures the efficiency and stability of data transmission (the tunnel is established according to the user's network environment).
In step S208 of the above traffic forwarding method, forwarding the egress traffic to the external network server through the second forwarding policy includes: obtaining dialing information, wherein the dialing information includes the query result and the login information; starting PPPoE (Point-to-Point Protocol over Ethernet) dialing on the WAN port according to the dialing information, and sending the dialing information to the AAA server for verification through the broadband access server; and forwarding the egress traffic to the external network server through the broadband access server under the condition that the verification result is that the verification has passed.
In the embodiment of the application, the dialing information is the key information for establishing a connection to the external network server after the user's authentication succeeds. It comprises the query result obtained earlier from the cloud gateway management platform (account information, area information, local area network side information, wireless local area network side information and the like) and the login information (account number and password) entered by the user on the portal page. Based on the dialing information, the system starts Point-to-Point Protocol over Ethernet (PPPoE) dialing on the WAN (wide area network) port. PPPoE is a network tunneling protocol that establishes point-to-point connections over Ethernet and is commonly used for broadband access; through this step the system begins to set up the connection toward the external network server. The dialing information is sent through the broadband access server (BAS) to the AAA server (Authentication, Authorization and Accounting server), which is responsible for authenticating the user, controlling access rights and accounting. In this process, the identity and access authority of the user are verified against the account number, password and other information in the dialing information. If the AAA server's verification passes, the user's identity is valid and the user is authorized to access the external network server; the broadband access server then processes and forwards the egress traffic to the external network server. If the verification does not pass, the broadband access server refuses to forward the egress traffic and typically returns an error message prompting the user to re-enter the login information or take other action.
If the verification passes, the broadband access server forwards the egress traffic to the external network server, which means the user's requests or data can be delivered to the external network server for processing or for obtaining resources. Through this series of steps, the system ensures that only authenticated and authorized users have their egress traffic forwarded to the external network server. This greatly enhances the security of the network and provides more reliable and efficient network services to the user. Meanwhile, the combination of PPPoE and the AAA server realizes fine-grained control and management of the user's access authority.
The method for forwarding the traffic is explained and described below by taking the campus network egress traffic as an example.
S1, forwarding the campus OLT outlet flow to an access cloud gateway through the A-leaf equipment.
Specifically, the user's broadband follows the original access network, and the traffic is transmitted to the access module in the main cloud gateway through EVPN VPWS over SRv tunnels established between the A-Leaf and the access cloud gateway.
S2, the access cloud gateway identifies a target IP of the outlet flow, if the target IP is an intranet address, the step S3 is executed, and otherwise, the step S4 is executed.
Specifically, the destination IP of the egress traffic is identified, whether it is the original IP or the IP obtained from DNS resolution of a domain name. The intranet in this step refers to an intranet environment such as an enterprise intranet or a campus intranet.
S3, the intranet flow is forwarded to the service cloud gateway by the access cloud gateway, and is forwarded to the intranet after passing through the NAT of the service cloud gateway.
Specifically, for intranet access traffic, the service cloud gateway performs NAT on the source IP of the egress traffic, translating it from the user's intranet address (e.g., 192.168.71.2) to the intranet address 30.0.0.1, i.e., the NAT-IP of the service cloud gateway.
S4, the access request is intercepted and redirected to the portal server for authentication.
Specifically, the domain name of the public network being accessed is answered by the access cloud gateway, which returns the interception page address, so that the user opens the interception page and is redirected to the portal page.
S5, after the user authentication passes, the access cloud gateway dials and connects to the broadband access server.
When a user accesses the portal, the portal can customize the page according to the NAT-IP (for example, users in one area use a service cloud gateway whose NAT-IP is 30.0.0.1, and users in another area use a service cloud gateway whose NAT-IP is 30.0.0.2, so users in different areas can be distinguished by NAT-IP and different portal authentication services can be customized for them). After the user initiates portal authentication, the portal extracts account number + password + NAT-IP and queries the cloud gateway management platform, which returns the account status (login time) and other information (area information, intranet application entrance, user notice, etc.). The cloud gateway management platform then issues the account information (account information, area information, LAN side information (user terminal intranet IP, MAC, LAN side QinQ, NAT-IP and NAT-PORT) and WAN side information (WAN side QinQ, PPPoE account information)) to the access cloud gateway; an SRv tunnel is established between the access cloud gateway and the vBRAS, and the LAN side and WAN side channels are associated. The vCPE of the access cloud gateway then starts PPPoE dialing on the WAN port, carrying the account number, password, area information and QinQ information, which are verified against the AAA server via the broadband access server; after verification passes, the broadband access server releases access on the Internet side.
S6, the Internet-bound traffic is forwarded to the broadband access server (i.e., toward the external network server) through the access cloud gateway.
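The following is an added example, not code from the patent, modelling the access cloud gateway decision of steps S1 to S6 and the portal verification described earlier (interception page, portal selected by NAT-IP, account check against the external network access list). The intranet prefixes, DNS entries, area-to-gateway mapping, portal URLs and the access list are constructed; the NAT-IPs 30.0.0.1/30.0.0.2 and the user address 192.168.71.2 follow the text, and keeping login state by the user's source IP is an assumption.

```python
# Added example (not the patent's code): access cloud gateway decision model.
from dataclasses import dataclass
from hmac import compare_digest
from ipaddress import ip_address, ip_network
from typing import Optional, Set

INTRANET_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]  # constructed
DNS_TABLE = {                      # constructed: what the campus DNS proxy returns
    "lib.campus.example": "10.10.1.20",
    "www.example.com": "203.0.113.10",
}
# Which service cloud gateway (by NAT-IP) serves each user area (constructed).
AREA_NAT_IP = {ip_network("192.168.71.0/24"): "30.0.0.1",
               ip_network("192.168.72.0/24"): "30.0.0.2"}
# The portal customises its page by NAT-IP (URLs are placeholders).
PORTAL_BY_NAT_IP = {"30.0.0.1": "https://portal.example/area1",
                    "30.0.0.2": "https://portal.example/area2"}
INTERCEPT_PAGE = "https://intercept.example/blocked"   # placeholder
EXTRANET_ACCESS_LIST = {"stu001": "s3cret"}             # constructed account -> password


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst: str            # destination IP literal or domain name


@dataclass(frozen=True)
class Decision:
    policy: str         # "first" (intranet, no verification) or "second" (extranet)
    action: str         # forward_intranet | intercept | forward_extranet
    src_ip: str         # source address as seen by the next hop
    dst_ip: str
    portal: Optional[str] = None
    intercept_page: Optional[str] = None


def resolve(dst: str) -> str:
    """DNS proxy step: return the IP for a domain name, or the literal as-is."""
    try:
        return str(ip_address(dst))
    except ValueError:
        if dst not in DNS_TABLE:
            raise LookupError(f"unresolvable name: {dst}")
        return DNS_TABLE[dst]


def is_intranet(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTRANET_PREFIXES)


def nat_ip_for(src_ip: str) -> str:
    """NAT-IP of the service cloud gateway that owns this user's source address."""
    addr = ip_address(src_ip)
    for net, nat_ip in AREA_NAT_IP.items():
        if addr in net:
            return nat_ip
    raise LookupError(f"no service cloud gateway for {src_ip}")


def verify_login(account: str, password: str) -> bool:
    """Verification succeeds only if account+password exist in the extranet access list."""
    expected = EXTRANET_ACCESS_LIST.get(account)
    return expected is not None and compare_digest(expected, password)


def portal_login(src_ip: str, account: str, password: str, authenticated: Set[str]) -> bool:
    """Portal step: on success, remember the source IP as authenticated
    (assumption: the portal keys login state by the user's intranet source IP)."""
    if verify_login(account, password):
        authenticated.add(src_ip)
        return True
    return False


def handle_egress(pkt: Packet, authenticated: Set[str]) -> Decision:
    """Access cloud gateway: choose the first or the second forwarding policy."""
    dst_ip = resolve(pkt.dst)
    nat_ip = nat_ip_for(pkt.src_ip)
    if is_intranet(dst_ip):
        # First policy (S3): no verification; the service cloud gateway
        # rewrites the source to its own NAT-IP and forwards to the intranet.
        return Decision("first", "forward_intranet", nat_ip, dst_ip)
    if pkt.src_ip not in authenticated:
        # Second policy (S4): answer with the interception page and the
        # portal page selected by the NAT-IP of the user's service gateway.
        return Decision("second", "intercept", pkt.src_ip, dst_ip,
                        portal=PORTAL_BY_NAT_IP[nat_ip], intercept_page=INTERCEPT_PAGE)
    # Second policy after verification (S5/S6): hand the traffic to the BAS side.
    return Decision("second", "forward_extranet", pkt.src_ip, dst_ip)


if __name__ == "__main__":
    logged_in: Set[str] = set()
    print(handle_egress(Packet("192.168.71.2", "lib.campus.example"), logged_in))
    print(handle_egress(Packet("192.168.72.5", "www.example.com"), logged_in))
    print(portal_login("192.168.72.5", "stu001", "s3cret", logged_in))
    print(handle_egress(Packet("192.168.72.5", "www.example.com"), logged_in))
```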
It should be noted that, the steps S1 to S6 are applicable to a scenario that a plurality of university campus networks access to an edge cloud of an operator through a cloud broadband, and include three parts, namely an access cloud gateway, a service cloud gateway and a campus network integrated management platform, which are all software products, and can be deployed in a container environment in a cloud resource pool of the operator.
Fig. 3 is a schematic diagram of a campus network under cloud broadband according to an embodiment of the present application. As shown in fig. 3, an edge cloud is connected to the access network or metropolitan area network through broadband network interfaces (LAN/WAN) and SRv tunnels, and to the campus intranet through an edge service interface and IP/tunnel; the edge cloud includes the access cloud gateway and the service cloud gateway and is deployed in a cloud base. The edge cloud interfaces with the cloud gateway integrated management platform through gRPC (a high-performance remote procedure call framework suitable for building high-performance microservice applications). The cloud gateway integrated management platform includes a work order interface realizing the IBP (Integration Business Platform) function, an AAA server realizing account authentication, a Portal page realizing campus account authentication, and an operation data interface communicating with the network management platform, the comprehensive notification platform and the big data platform.
Fig. 4 is a schematic diagram of a conventional campus network according to an embodiment of the present application. As shown in fig. 4, a dormitory in the campus reaches the campus intranet and the external Internet through devices such as an optical splitter, an OLT and a dedicated BRAS inside the campus, so the problem of a low network rate exists. To solve the problems of the conventional campus network, the traffic forwarding method provided by the embodiment of the application can run in the campus network under cloud broadband shown in fig. 5. As shown in fig. 5, the campus intranet (libraries, teaching buildings, offices and the like) connects to the service gateway through the EOR, while the dormitory network is connected to the access gateway (dormitory) through optical splitting, OLT, aggregation switch and A-leaf equipment and then through the EOR. The access gateway (dormitory), the service gateway and the EOR belong to the edge vDC node; the access gateway (dormitory) and the service gateway can access each other, both can communicate with the Portal Server and the cloud gateway management platform through the B plane, and the Portal Server and the cloud gateway management platform communicate with each other over the network. When the dormitory network accesses the Internet, the traffic passes through the optical splitters, OLTs, aggregation switches, A-leaf and Spine equipment, is forwarded to the EOR, reaches the access gateway (dormitory) via the EOR, and the access gateway (dormitory) forwards it to the Internet through the vBRAS pool.
The following describes how to access the internet through the cloud broadband and how to access the campus intranet through the cloud broadband respectively in combination with specific examples.
Scene one: student access to the internet through cloud broadband
1. The dormitory broadband uses the original access network, and the traffic is transmitted to the access module in the main cloud gateway through an EVPN VPWS over SRv tunnel established between the A-Leaf and the access vSW;
2. the access vSW identifies the destination IP of the traffic and forwards the traffic to the service vSW through an SRv tunnel;
3. the service vSW forwards the traffic to the Portal Server through the B-plane service channel;
4. the Portal checks the account by NAT-IP, queries the campus cloud gateway integrated management platform for the legitimacy of the account entered by the user (the student's login account number and password), and returns the account status (login duration) and other information (school information, intranet application entrance, user notice, etc.) to the page;
5. the cloud gateway integrated management platform delivers the user account information to the vCPE, and the vCPE dials;
6. an SRv tunnel is established between the cloud gateway and the vBRAS to send the user traffic to the public network.
Scene II: student accesses campus intranet through cloud broadband
1. The static IP address of the campus intranet business system is added to an access vSW forwarding routing table;
2. students directly access the campus intranet domain name;
3. completing campus DNS proxy by the access gateway, and completing domain name/IP conversion;
4. the access vSW identifies the destination IP accessed by the student and forwards the campus intranet traffic to the service vSW;
5. the service vSW completes SNAT of the student's intranet IP address, connects to the campus intranet and completes the traffic forwarding;
6. when campus intranet traffic needs to be traced, the cloud gateway system supports querying, by NAT IP, the line information (QinQ+SID+VPWS, which forms the unique identifier of the user and serves as the user's account number, as translated at the cloud gateway) and the IP+MAC information of the user terminal.
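The following is an added example, not code from the patent, modelling the service vSW's SNAT session table from step 5 and the trace-back query of step 6: each translated flow records the user's line identifier (QinQ+SID+VPWS) and terminal IP+MAC, and can be looked up again by NAT IP and NAT port. The VLAN tags, SIDs, VPWS names, MACs and port range are constructed; the NAT-IP 30.0.0.1 and terminal address 192.168.71.2 follow the text.

```python
# Added example (not the patent's code): SNAT session table with trace-back.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LineInfo:
    qinq: str     # outer/inner VLAN tags on the LAN side, e.g. "100/2001" (constructed)
    sid: str      # segment identifier of the access tunnel (constructed)
    vpws: str     # EVPN VPWS instance carrying the line (constructed)

    def user_id(self) -> str:
        """QinQ+SID+VPWS forms the unique identifier (the 'account number') of the user."""
        return f"{self.qinq}+{self.sid}+{self.vpws}"


@dataclass(frozen=True)
class Terminal:
    ip: str       # user terminal intranet IP
    mac: str
    line: LineInfo


@dataclass(frozen=True)
class NatSession:
    terminal: Terminal
    src_port: int
    nat_ip: str
    nat_port: int


class ServiceGatewaySnat:
    """SNAT of student intranet addresses to the gateway NAT-IP, with a reverse
    index so that campus intranet traffic can be traced back to its user."""

    def __init__(self, nat_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.nat_ip = nat_ip
        self._next_port, self._max_port = port_range   # sequential pool, a simplification
        self._by_nat_port: Dict[int, NatSession] = {}
        self._by_src: Dict[Tuple[str, int], NatSession] = {}

    def translate(self, terminal: Terminal, src_port: int) -> Tuple[str, int]:
        """Forward direction (step 5): return (NAT-IP, NAT-PORT) for a flow,
        reusing the existing mapping for a repeated (source IP, source port)."""
        key = (terminal.ip, src_port)
        sess = self._by_src.get(key)
        if sess is None:
            if self._next_port > self._max_port:
                raise RuntimeError("NAT port pool exhausted")
            sess = NatSession(terminal, src_port, self.nat_ip, self._next_port)
            self._next_port += 1
            self._by_src[key] = sess
            self._by_nat_port[sess.nat_port] = sess
        return sess.nat_ip, sess.nat_port

    def trace(self, nat_ip: str, nat_port: int) -> Optional[dict]:
        """Reverse direction (step 6): query line info and terminal IP+MAC by
        NAT IP and NAT port; None if the address is not ours or the port is unknown."""
        if nat_ip != self.nat_ip:
            return None
        sess = self._by_nat_port.get(nat_port)
        if sess is None:
            return None
        return {
            "user_id": sess.terminal.line.user_id(),
            "qinq": sess.terminal.line.qinq,
            "sid": sess.terminal.line.sid,
            "vpws": sess.terminal.line.vpws,
            "terminal_ip": sess.terminal.ip,
            "terminal_mac": sess.terminal.mac,
        }


# Constructed sample: two terminals behind one service cloud gateway (NAT-IP 30.0.0.1).
STUDENT_A = Terminal("192.168.71.2", "02:00:00:00:71:02", LineInfo("100/2001", "sid-A", "vpws-dorm1"))
STUDENT_B = Terminal("192.168.71.3", "02:00:00:00:71:03", LineInfo("100/2002", "sid-B", "vpws-dorm1"))


def demo() -> dict:
    """Translate two flows that share a source port, then trace the second one back."""
    gw = ServiceGatewaySnat("30.0.0.1")
    gw.translate(STUDENT_A, 50000)
    nat_ip, nat_port = gw.translate(STUDENT_B, 50000)   # same src port, distinct NAT port
    return gw.trace(nat_ip, nat_port) or {}


if __name__ == "__main__":
    print(demo())
```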
The traffic forwarding method provided by the application realizes high-speed user access to the intranet and the Internet through networking under cloud broadband, and has the following advantages: (1) the cloud gateway splits the user's egress traffic between public network access and intranet access, so that compared with conventional enterprise networking, the speed at which users access the intranet and the Internet is improved; (2) public network access requires authentication while intranet access does not, which is more convenient than the conventional method; (3) compared with conventional networking, the public network bandwidth of a single user is limited by the user's broadband package (the channel bandwidth of the user's broadband dial-up is the bandwidth of that package), while intranet access is limited only by the intranet link resources (for example, the link bandwidth of the VPN dial-up connection to the intranet, where the service cloud gateway connects to the campus intranet by VPN dial-up, or the private line bandwidth, where the service cloud gateway connects to the campus intranet by private line), and the two bandwidths do not affect each other.
For the above traffic forwarding method, the embodiment of the application also provides a traffic forwarding system which realizes internal and external network access based on cloud broadband, comprising: an access cloud gateway module, a service cloud gateway module, a cloud gateway management module and a network authentication module. Wherein:
Access cloud gateway module: the vSwitch in the access cloud gateway is responsible for traffic access and traffic scheduling; the vCPE is a gateway functional entity implemented in software and is responsible for PPPoE dialing and management of the terminals attached below it; the DPI provides an application recognition engine, supports recognizing and labeling the user's application traffic, and supports updating the application feature library.
Service cloud gateway module: the vSwitch of the service cloud gateway is responsible for forwarding value-added application traffic and for service proxying; the vCollector is responsible for collecting the running state of the internal network elements and for collecting and reporting data; the module contains the individual value-added service sub-modules, which realize functions such as service execution configuration management, traffic matching and execution, and log generation and reporting according to the corresponding service policy.
Cloud gateway management module: comprises a service opening and configuration service, a cloud gateway controller, a cloud gateway monitoring service, a data acquisition service and a control panel module, and realizes functions such as network configuration management, broadband service opening, cloud gateway monitoring and service module operation monitoring. The integrated management platform provides a series of northbound interfaces, including interfaces for service opening, service migration configuration and operation data acquisition, for interfacing with the broadband work order system, the integrated network management system, the value-added service application system and the like.
Network authentication module: realizes portal authentication of the user and notifies the cloud gateway management module to open the broadband service.
It should be noted that, the above-mentioned traffic forwarding system is used to execute the traffic forwarding method shown in fig. 2, so the explanation of the above-mentioned traffic forwarding method is also applicable to the traffic forwarding system, and will not be repeated here.
Fig. 6 is a block diagram of an apparatus for forwarding traffic according to an embodiment of the present application, as shown in fig. 6, the apparatus includes:
an acquisition module 40, configured to obtain the egress traffic of the optical line terminal;
a determination module 42, configured to determine whether the destination IP address of the egress traffic is an intranet IP address;
a first forwarding module 44, configured to forward, when the destination IP address of the egress traffic is an intranet IP address, the egress traffic to the intranet through a first forwarding policy, where the first forwarding policy does not include a verification flow;
and a second forwarding module 46, configured to forward the egress traffic to the external network server through a second forwarding policy when the destination IP address of the egress traffic is not an intranet IP address, where the second forwarding policy includes a verification flow.
The acquisition module 40, the determination module 42, the first forwarding module 44 and the second forwarding module 46 in the traffic forwarding device achieve the purpose of intelligently distinguishing the traffic of the internal network and the external network, so that the technical effects of improving the network rate and enhancing the network security are achieved, and the technical problem that in the traditional intranet environment, the flow of users accessing the intranet and the external network is the same, intelligent diversion cannot be achieved, and the network rate is low is solved.
In the first forwarding module in the traffic forwarding device, the first forwarding module is configured to forward the egress traffic to a service cloud gateway, where the service cloud gateway is configured to convert a source IP address of the egress traffic; and forwarding the outlet traffic after the service cloud gateway address conversion to a destination IP address of the outlet traffic.
In the second forwarding module of the traffic forwarding device, before forwarding the egress traffic to the external network server through the second forwarding policy, the second forwarding module is further configured to intercept the access request to which the egress traffic belongs and return the address of an interception page; receive a click operation of a target object on the address of the interception page and jump to the interception page according to the click operation, wherein the interception page includes the reason why the external network server cannot be accessed, and the target object is the user who initiated the access request; and, under the condition that the target object has accessed the interception page, redirect the interception page to the portal page for verification.
In the second forwarding module in the traffic forwarding device, the second forwarding module is further configured to determine an IP address of a service cloud gateway to which a source IP address of the egress traffic belongs; and determining a corresponding portal page according to the IP address of the service cloud gateway.
In the second forwarding module in the traffic forwarding device, the second forwarding module is further configured to receive login information input by the target object on the portal page when the login state of the target object is not logged in, where the login information includes an account number and a password; determining whether login information exists in an external network access list; under the condition that the login information does not exist in the external network access list, determining that the verification result of the target object is verification failure; and under the condition that the login information exists in the external network access list, determining that the verification result of the target object is verification success.
In the second forwarding module of the traffic forwarding device, the second forwarding module is further configured to obtain the account number and password in the login information, and obtain the IP address of the service cloud gateway to which the source IP address of the egress traffic belongs; send a query request to the cloud gateway management platform through the portal server, wherein the query request includes the login information and the IP address of the service cloud gateway; receive a query result returned by the cloud gateway management platform, wherein the query result includes account information, region information of the account, local area network side information of the account and wireless local area network side information of the account; and establish, according to the query result, a target tunnel to the virtual broadband access server, wherein the target tunnel is associated with a channel on the local area network side and a channel on the wireless local area network side.
In the second forwarding module of the traffic forwarding device, the second forwarding module is further configured to obtain dialing information, where the dialing information includes the query result and the login information; start PPPoE dialing on the WAN port according to the dialing information, and send the dialing information to the AAA server for verification through the broadband access server; and forward the egress traffic to the external network server through the broadband access server under the condition that the verification result is that the verification has passed.
It should be noted that the traffic forwarding apparatus shown in fig. 6 is used to perform the traffic forwarding method shown in fig. 2, so the explanation of the method also applies to the apparatus and is not repeated here.
The embodiment of the application also provides an electronic device comprising a memory and a processor. The memory stores program instructions; the processor is coupled to the memory and executes program instructions that perform the following functions: obtaining the egress traffic of an optical line terminal; determining whether the destination IP address of the egress traffic is an intranet IP address; forwarding the egress traffic to the intranet through a first forwarding policy when the destination IP address of the egress traffic is an intranet IP address, the first forwarding policy including no verification procedure; and forwarding the egress traffic to the external network server through a second forwarding policy when the destination IP address of the egress traffic is not an intranet IP address, the second forwarding policy including a verification procedure.
It should be noted that the electronic device is configured to execute the traffic forwarding method shown in fig. 2, so the explanation of the method also applies to the electronic device and is not repeated here.
The embodiment of the application also provides a nonvolatile storage medium storing a computer program; the device on which the nonvolatile storage medium is located executes the following traffic forwarding method by running the computer program: obtaining the egress traffic of an optical line terminal; determining whether the destination IP address of the egress traffic is an intranet IP address; forwarding the egress traffic to the intranet through a first forwarding policy when the destination IP address of the egress traffic is an intranet IP address, the first forwarding policy including no verification procedure; and forwarding the egress traffic to the external network server through a second forwarding policy when the destination IP address of the egress traffic is not an intranet IP address, the second forwarding policy including a verification procedure.
It should be noted that the above nonvolatile storage medium is used to execute the traffic forwarding method shown in fig. 2, so the explanation of the method also applies to the nonvolatile storage medium and is not repeated here.
Embodiments of the present application also provide a computer program product comprising a non-transitory computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of traffic forwarding in the various embodiments of the application.
Embodiments of the present application also provide a computer program product comprising computer instructions which, when executed by a processor, implement the steps of the method of traffic forwarding in the various embodiments of the present application.
The embodiments of the present application also provide a computer program which, when executed by a processor, implements the steps of the method for forwarding traffic in the various embodiments of the present application.
The numbering of the foregoing embodiments of the present application is for description only and does not imply that one embodiment is better or worse than another.
In the foregoing embodiments of the present application, each embodiment is described with its own emphasis; for a part that is not described in detail in one embodiment, reference is made to the related descriptions of the other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other ways. The above-described apparatus embodiments are merely exemplary: the division into units is, for example, a division by logical function and may be done differently in practice; several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Likewise, the coupling, direct coupling or communication connection shown or discussed between components may be through some interfaces, units or modules, and may be electrical or take another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. On this understanding, the technical solution of the present application, in essence or in whole or in part, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing is merely a preferred embodiment of the present application. It should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and such modifications and adaptations are intended to fall within the scope of the present application.

Claims (10)

1. A traffic forwarding method, characterized in that it is applied to a cloud gateway and comprises the following steps:
obtaining the egress traffic of an optical line terminal;
determining whether the destination IP address of the egress traffic is an intranet IP address;
forwarding the egress traffic to an intranet through a first forwarding policy when the destination IP address of the egress traffic is an intranet IP address, wherein the first forwarding policy does not comprise a verification procedure;
and forwarding the egress traffic to an external network server through a second forwarding policy when the destination IP address of the egress traffic is not an intranet IP address, wherein the second forwarding policy comprises a verification procedure.
2. The method of claim 1, wherein forwarding the egress traffic to an intranet through a first forwarding policy comprises:
forwarding the egress traffic to a service cloud gateway, wherein the service cloud gateway converts the source IP address of the egress traffic;
and forwarding the egress traffic whose address has been converted by the service cloud gateway to the destination IP address of the egress traffic.
3. The method of claim 1, wherein before forwarding the egress traffic to an external network server through a second forwarding policy, the method further comprises:
intercepting an access request of the egress traffic and returning the address of an interception page;
receiving a click operation by a target object on the address of the interception page and jumping to the interception page according to the click operation, wherein the interception page includes the reason why access by the target object is not permitted, and the target object is the user who initiated the access request;
and, when the target object accesses the interception page, redirecting the interception page to a portal page for verification.
4. The method of claim 3, wherein redirecting the interception page to a portal page for verification comprises:
determining the IP address of the service cloud gateway to which the source IP address of the egress traffic belongs;
and determining the corresponding portal page according to the IP address of the service cloud gateway.
5. The method of claim 4, wherein redirecting the interception page to a portal page for verification comprises:
receiving login information entered by the target object on the portal page when the login state of the target object is "not logged in", wherein the login information comprises an account and a password;
determining whether the login information exists in an external network access list;
when the login information does not exist in the external network access list, determining that the verification result of the target object is verification failure;
and when the login information exists in the external network access list, determining that the verification result of the target object is verification success.
6. The method of claim 5, wherein after determining that the verification result of the target object is verification success, the method further comprises:
obtaining the account and password from the login information, and obtaining the IP address of the service cloud gateway to which the source IP address of the egress traffic belongs;
sending a query request to a cloud gateway management platform through a portal server, wherein the query request comprises the login information and the IP address of the service cloud gateway;
receiving a query result returned by the cloud gateway management platform, wherein the query result comprises account information, the region to which the account belongs, the local area network side information of the account and the wireless local area network side information of the account;
and establishing a target tunnel between the query result and a virtual broadband access server, wherein the target tunnel is associated with a local area network side channel and a wireless local area network side channel.
7. The method of claim 6, wherein forwarding the egress traffic to an external network server through a second forwarding policy comprises:
obtaining dialing information, wherein the dialing information comprises the query result and the login information;
starting Point-to-Point Protocol over Ethernet (PPPoE) dialing on the WAN port according to the dialing information, and transmitting the dialing information through a broadband access server to an AAA server for verification;
and forwarding the egress traffic to the external network server through the broadband access server when the verification result is that verification passed.
8. An apparatus for forwarding traffic, comprising:
an obtaining module configured to obtain the egress traffic of an optical line terminal;
a determining module configured to determine whether the destination IP address of the egress traffic is an intranet IP address;
a first forwarding module configured to forward the egress traffic to an intranet through a first forwarding policy when the destination IP address of the egress traffic is an intranet IP address, wherein the first forwarding policy does not comprise a verification procedure;
and a second forwarding module configured to forward the egress traffic to an external network server through a second forwarding policy when the destination IP address of the egress traffic is not an intranet IP address, wherein the second forwarding policy comprises a verification procedure.
9. An electronic device, comprising:
a memory for storing program instructions;
a processor, coupled to the memory, for executing program instructions that perform the following functions: obtaining the egress traffic of an optical line terminal; determining whether the destination IP address of the egress traffic is an intranet IP address; forwarding the egress traffic to an intranet through a first forwarding policy when the destination IP address of the egress traffic is an intranet IP address, wherein the first forwarding policy does not comprise a verification procedure; and forwarding the egress traffic to an external network server through a second forwarding policy when the destination IP address of the egress traffic is not an intranet IP address, wherein the second forwarding policy comprises a verification procedure.
10. A computer program product comprising computer instructions which, when executed by a processor, implement the traffic forwarding method according to any one of claims 1 to 7.
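The split decision of claims 1 to 5 (and of the device and storage-medium description above), as an added example that is not part of the patent or of the applicant's code: a Python simulation in which intranet destinations take the first policy (no verification, source address conversion at the service cloud gateway) and every other destination takes the second policy, which intercepts sources that are not logged in, redirects them to the portal page mapped to their service cloud gateway, and forwards only after the login information has been checked against the external network access list. All intranet prefixes, gateway addresses, portal URLs, the account list and the `CloudGateway`, `Packet` and `Decision` names are constructed assumptions; the query to the cloud gateway management platform, the tunnel and the PPPoE/AAA dial of claims 6 and 7 are not modelled.

```python
"""Simulation of destination-based split forwarding (claims 1 to 5).

Added example, not the patent's or the applicant's code. Every prefix,
address, portal URL and account below is a constructed assumption.
"""
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Set

# Intranet address space (constructed; the patent names no prefixes).
INTRANET_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

# Service cloud gateways keyed by the OLT-side source range they serve.
# gw_ip doubles as the converted source address; portal is the page the
# gateway IP maps to in claim 4 (all constructed).
SERVICE_CLOUD_GATEWAYS: Dict[IPv4Network, Dict[str, str]] = {
    ip_network("10.1.0.0/16"): {"gw_ip": "10.1.255.254", "portal": "https://portal-a.example/login"},
    ip_network("10.2.0.0/16"): {"gw_ip": "10.2.255.254", "portal": "https://portal-b.example/login"},
}

# External network access list (constructed; a real deployment would store
# password hashes rather than plaintext).
EXTRANET_ACCESS_LIST: Dict[str, str] = {"alice": "correct horse"}


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Decision:
    policy: str                       # "first" (intranet), "second" (extranet) or "none"
    action: str                       # "forward", "intercept" or "drop"
    next_hop: Optional[str] = None
    src_after_nat: Optional[str] = None
    redirect_to: Optional[str] = None
    reason: Optional[str] = None


def is_intranet(dst: str) -> bool:
    """Claim 1, step 2: is the destination an intranet IP address?"""
    addr = ip_address(dst)
    return any(addr in net for net in INTRANET_PREFIXES)


def service_cloud_gateway_for(src: str) -> Optional[Dict[str, str]]:
    """Service cloud gateway to which a source address belongs (claims 2 and 4)."""
    addr = ip_address(src)
    for net, gw in SERVICE_CLOUD_GATEWAYS.items():
        if addr in net:
            return gw
    return None


class CloudGateway:
    """Keeps the per-source login state that the second policy consults."""

    def __init__(self) -> None:
        self.verified_sources: Set[str] = set()

    def portal_login(self, src: str, account: str, password: str) -> bool:
        """Claim 5: verification succeeds only if the login info is in the
        access list. Constant-time compare so an unknown account and a wrong
        password are indistinguishable by timing."""
        expected = EXTRANET_ACCESS_LIST.get(account, "")
        ok = bool(expected) and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            self.verified_sources.add(src)
        return ok

    def forward(self, pkt: Packet) -> Decision:
        gw = service_cloud_gateway_for(pkt.src)
        if gw is None:
            return Decision("none", "drop", reason="source not behind a known service cloud gateway")
        if is_intranet(pkt.dst):
            # First policy (claim 2): no verification, convert the source
            # address at the service cloud gateway and deliver to the destination.
            return Decision("first", "forward", next_hop=pkt.dst, src_after_nat=gw["gw_ip"])
        # Second policy (claims 3 to 5): gate extranet access behind the portal.
        if pkt.src not in self.verified_sources:
            return Decision("second", "intercept", redirect_to=gw["portal"],
                            reason="target object is not logged in")
        return Decision("second", "forward", next_hop="broadband-access-server",
                        src_after_nat=gw["gw_ip"])


if __name__ == "__main__":
    gateway = CloudGateway()
    print(gateway.forward(Packet("10.1.20.5", "10.2.0.9")))        # first policy, forward
    print(gateway.forward(Packet("10.1.20.5", "203.0.113.7")))     # second policy, intercept
    gateway.portal_login("10.1.20.5", "alice", "correct horse")
    print(gateway.forward(Packet("10.1.20.5", "203.0.113.7")))     # second policy, forward
```

The point a reviewer would raise is that the first policy trusts the destination prefix alone: any address placed inside `INTRANET_PREFIXES` is reachable with no login at all, so that prefix list is itself a security control and belongs under change review. The per-source login state is also keyed on the pre-conversion source address, which is what the portal redirect in claim 4 is derived from.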
Application CN202410371167.2A, priority date 2024-03-28, filing date 2024-03-28: Traffic forwarding method and device and electronic equipment. Status: Pending. Publication: CN118118422A (en).

Priority Applications (1)

Application Number: CN202410371167.2A (CN118118422A, en)
Priority Date: 2024-03-28
Filing Date: 2024-03-28
Title: Traffic forwarding method and device and electronic equipment

Applications Claiming Priority (1)

Application Number: CN202410371167.2A (CN118118422A, en)
Priority Date: 2024-03-28
Filing Date: 2024-03-28
Title: Traffic forwarding method and device and electronic equipment

Publications (1)

Publication Number: CN118118422A (en)
Publication Date: 2024-05-31

Family

ID=91214162

Family Applications (1)

Application Number: CN202410371167.2A (CN118118422A, en)
Title: Traffic forwarding method and device and electronic equipment
Priority Date: 2024-03-28
Filing Date: 2024-03-28
Status: Pending

Country Status (1)

Country: CN (1)
Link: CN118118422A (en)

Similar Documents

Publication Title
US8649292B2 (en) Method, apparatus and system for virtual network configuration and partition handover
US7411975B1 (en) Multimedia over internet protocol border controller for network-based virtual private networks
US9015855B2 (en) Secure tunneling platform system and method
EP1628437B1 (en) Broadband access method with great capacity and the system thereof
EP2051473B1 (en) Method and system to trace the ip traffic back to the sender or receiver of user data in public wireless networks
EP2040431A1 (en) A system and method for the multi-service access
US20130185446A1 (en) Method and device for connecting to virtual private network across domains
CN103685026A (en) Virtual network access method and system
CN101326763A (en) System and method for authentication of SP Ethernet aggregation networks
KR101358775B1 (en) User access method, system, and access server, access device
US8769623B2 (en) Grouping multiple network addresses of a subscriber into a single communication session
KR102079508B1 (en) Method and device for managing traffics in order to efficiently manage networks on basis of requirements of users
Kind et al. Splitarchitecture: Applying the software defined networking concept to carrier networks
Matias et al. Towards neutrality in access networks: A NANDO deployment with OpenFlow
WO2011147334A1 (en) Method, device and system for providing virtual private network service
JP5261432B2 (en) Communication system, packet transfer method, network switching apparatus, access control apparatus, and program
WO2020029793A1 (en) Internet access behavior management system, device and method
CN118118422A (en) Traffic forwarding method and device and electronic equipment
EP2887577B1 (en) Method for establishing and/or configuring an internet protocol network connection between a customer premises equipment and a telecommunications network
Cisco Cisco IOS Switching Services Configuration Guide Cisco IOS Release 12.0
Cisco Provisioning MPLS VPN Cable Services
Cisco Cisco IOS Command Modes
Cisco Configuring Virtual Private Dialup Networks
KR102092015B1 (en) Method, apparatus and computer program for recognizing network equipment in a software defined network

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination