CN1617541A - Realizing method for virtual special dial network (method for implementing a virtual private dial-up network, VPDN)

Info

Publication number: CN1617541A
Authority: CN (China)
Prior art keywords: transponder (forwarder), vpdn, authentication, user, network server
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN 200410066908
Other languages: Chinese (zh)
Inventors: 金波, 周晴杰, 金文军, 孙红星, 郝芃
Current and original assignee: JINNUO NETWORK SCURITY TECHNICAL DEVELOPMENT Co Ltd SHANGHAI (as listed by Google Patents; not legally verified)
Priority and filing date: 2004-09-30 (CN 200410066908)
Publication date: 2005-05-18 (CN1617541A)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This invention discloses a method for realizing a virtual private dial-up network (VPDN). It adds at least one authentication, authorization and accounting (AAA) forwarder and at least one service website to the existing VPDN. The forwarder processes the AAA requests coming from the L2TP access concentrator (LAC) and the L2TP network server (LNS) and forwards them to the existing AAA system; the service website accepts user access. The result is a more practical VPDN technical scheme.

Description

Method for implementing a virtual private dial-up network (VPDN)
Technical field
The invention belongs to the field of data communication technology and relates in particular to a method for implementing a VPDN.
Background art
A virtual private dial-up network (VPDN) is a service for dial-up users. Using the bearer capability of an IP (Internet Protocol) network together with corresponding authentication and authorization mechanisms, a secure virtual private network can be established. A remote user connects to the Internet by dial-up over PSTN (public switched telephone network), ISDN (integrated services digital network), DSL (digital subscriber line), cable or wireless access, sets up a virtual link over public network resources and reaches the data resources inside the enterprise network. VPDN services not only give enterprise staff, enterprise customers and business partners remote information sharing, but also provide solutions for staff working from home or on business trips, ICP/ISP special services, remote declarations, remote tax filing and similar applications. China Telecom has deployed VPDN nationwide, and the service has expanded to all cities in the country.
The core of a VPDN is a tunnel established on top of the Internet Protocol. The tunnel is set up by a Layer 2 tunneling protocol; the three main types are L2F (Layer Two Forwarding), PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol). A tunneling protocol consists of a transport carrier, an encapsulation format and the transported data packets; VPDN services today mainly use L2TP as the tunneling protocol, and L2TP is currently the most widely used VPDN standard. In L2TP, the VPDN user's session is carried through an L2TP tunnel set up between the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS), which connects the user to the private network.
A typical existing telecom VPDN network layout is shown in Figure 1. The RADIUS (Remote Authentication Dial In User Service) system is generally modified as required, then the LAC and the LNS are configured so that, when a user accesses the LAC with an explicitly specified domain name, the LAC and the LNS set up a tunnel and the user reaches the network through the LNS. In practice this scheme has the following main problems, which seriously affect its practicality:
A. Existing VPDN schemes are very limited when users have to register a domain name, and the current version of the existing system does not support this configuration well; in addition, users often do not know how to modify the domain name, or find it hard to use, which hinders the normal promotion of the telecom service.
B. The current versions of the existing components, including the AAA system and the BRAS (Broadband Access Server), cannot support well, or have difficulty meeting, technical requirements such as port binding, rate limiting and avoidance of single points of failure.
C. The existing system is poorly extensible. For example, when an LNS has to be adjusted for service reasons, the cutover is troublesome, affects many users, cannot be completed automatically and may even disrupt users' normal use.
Summary of the invention
The object of the present invention is to provide a method for implementing a VPDN with better operability, manageability, extensibility and reliability.
This object is achieved by a VPDN implementation method whose steps are as follows:
Step 1. In the existing telecom VPDN, set up a RADIUS forwarder (that is, an authentication, authorization and accounting forwarder; the same below) that processes the RADIUS requests (AAA requests) from the LAC (L2TP Access Concentrator; the same below) and the LNS (L2TP Network Server) and forwards them to the RADIUS system (the AAA system; the same below);
Step 2. The RADIUS forwarder determines that the user type establishing the dial-up connection is an L2TP (Layer 2 Tunneling Protocol; the same below) dial-up user;
Step 3. The LAC and the LNS designated by the RADIUS forwarder set up an L2TP tunnel and session for this user;
Step 4. In the existing telecom VPDN, set up at least one service website that accepts user access;
Step 5. The user selects a service type through the service website;
Step 6. The service website confirms the user's identity through the RADIUS forwarder and notifies the forwarder to change the service type available to the user.
In step 1, multiple RADIUS forwarders may be set up in the existing telecom VPDN to achieve fault tolerance or load balancing.
The RADIUS forwarder of step 1 supports various forms of port binding and rate limiting through a rewriting mechanism.
The RADIUS forwarder of step 1 allows the user to access a specific service by explicitly specifying a domain name.
The tunneling protocol of steps 2 and 3 may also be L2F (Layer Two Forwarding; the same below) or another tunneling protocol.
In step 3, when there are multiple LNSs, the RADIUS forwarder selects one LNS from the list of LNSs available for this service type on this LAC, based on a load-balancing algorithm.
The service website of step 4 holds the configuration information for the LACs, service types, domain names and LNSs, and the administrator can manage this information.
The service website of step 4 designates one or more LNSs for each service type or domain name, supporting multi-service access.
The service website of step 4 periodically monitors whether each LNS is working normally. When it finds that an LNS has stopped working, it sends a request to the RADIUS forwarder; the RADIUS forwarder removes this LNS from the list of available LNSs, returns a response to the service website and notifies the other RADIUS forwarders.
In step 6, when there are multiple RADIUS forwarders, the forwarder notifies the other forwarders of the service change.
By adding two kinds of functional devices, the AAA forwarder and the service website, to the existing telecom VPDN, the method of the present invention creates a more practical VPDN technical scheme which, compared with the prior art, has the following obvious advantages and beneficial effects:
1. Easy to use, promotes the uptake of the service
The method introduces the service website and the forwarder, which makes it convenient for users to select a service type and for operators to manage and maintain the system, so the service can be promoted more easily.
2. Mature technology, good operability
The technology of the method is mature and can actually be deployed and operated. It is compatible with all current versions of the existing BRAS equipment and with the existing AAA system, supports per-user port binding and supports per-user rate limiting. Existing users can connect directly without any adjustment on the client side.
3. Good extensibility, support for flash cutover
The scheme is highly extensible: LNSs can be added continuously as the service grows, and the deployment positions of the LNSs can be adjusted and optimized according to traffic. It also supports flash cutover: when a cutover is needed, for example to remove or add an LNS, only the forwarder's configuration file has to be changed through the service website; the whole cutover completes quickly and automatically, and users do not perceive it.
4. Good debuggability
The method is easy to debug. For example, the forwarder can keep a log of the AAA messages sent by the LAC and the LNS, and the administrator can diagnose user connectivity problems by querying the log; a number of debugging accounts can be set up on the forwarder that instruct the LNS to accept access in PPTP mode, so that network management staff can diagnose problems remotely from a portable notebook and meet the needs of remotely debugging value-added services that depend on IP address binding.
5. Can carry multiple services
The scheme can carry multiple services, and supports adding, debugging and putting into production new services continuously. Through the service website the administrator can designate one or more LNSs for each service type or domain name, supporting multi-service access.
Description of drawings
Figure 1 is a typical network diagram of an existing telecom VPDN;
Figure 2 is a typical network diagram of a VPDN built according to the implementation method of the present invention;
Figure 3 is the flow chart of the implementation method of the present invention.
Embodiment
The typical network structure of the VPDN implementation method of the present invention is shown in Figure 2. The invention builds the network on the Layer 2 Tunneling Protocol, uses the existing BRAS equipment as LAC and LNS, sets up at least one AAA forwarder that processes the AAA requests from the LAC and the LNS and forwards them to the AAA system, and additionally sets up at least one service website to accept user access.
Multiple RADIUS forwarders and service websites can be deployed, and correspondingly multiple LNSs can be supported, which provides load balancing and fault tolerance.
Because regional telecom operators implement port binding in different ways, the forwarder supports a field-rewriting mechanism so that it can flexibly meet their different requirements.
Because regional telecom operators implement rate limiting in different ways, the forwarder likewise supports field rewriting so that it can flexibly meet their different requirements.
The forwarder lets the user access a specific service by explicitly specifying a domain name, which keeps it compatible with the existing scheme.
The protocol used to set up the tunnel may be L2TP, and may also be L2F or another tunneling protocol.
If there are multiple LNSs, the forwarder selects one LNS from the list of LNSs available for this service type on this LAC, based on a load-balancing algorithm.
The administrator can set information such as LACs, service types, domain names and LNSs on the service website through a web interface.
Through the service website the administrator can designate one or more LNSs for each service type or domain name, supporting multi-service access.
The service website can periodically monitor whether each LNS is working normally. If it finds that an LNS has stopped working, it sends a request to the forwarder; the forwarder removes this LNS from the list of available LNSs, returns a response to the service website and notifies the other forwarders.
If there are multiple forwarders, the forwarder notifies the other forwarders of the service change.
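The LNS pool behaviour described in the embodiment above (per-LAC, per-service lists of available LNSs, load-balanced selection, the service website's health check, removal of a dead LNS, flash cutover by adding one, and notification of the peer forwarders) as an added Python example. This is not code from the patent; the class names, the round-robin choice (the patent only says "a load-balancing algorithm") and the probe results are assumptions made for this example.

```python
# Added example, not from the patent: the LNS pool kept by each RADIUS
# forwarder and the service website's monitoring of it. Names hypothetical.
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[str, str]          # (LAC name, service type)


class Forwarder:
    """One RADIUS forwarder. Holds, per (LAC, service type), the list of LNSs
    that may currently carry that service, and picks one per tunnel request
    with round robin (this example's choice of load-balancing algorithm)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.available: Dict[Key, List[str]] = defaultdict(list)
        self._next: Dict[Key, int] = defaultdict(int)
        self.peers: List["Forwarder"] = []

    def configure(self, lac: str, service: str, lns_list: List[str]) -> None:
        """Configuration pushed from the service website."""
        self.available[(lac, service)] = list(lns_list)

    def select_lns(self, lac: str, service: str) -> Optional[str]:
        """Step 3 of the L2TP flow. None means no LNS is left for this
        service, so the caller must answer the LAC with Access-Reject."""
        pool = self.available.get((lac, service))
        if not pool:
            return None
        idx = self._next[(lac, service)] % len(pool)
        self._next[(lac, service)] += 1
        return pool[idx]

    def remove_lns(self, lns: str, notify: bool = True) -> bool:
        """Drop an LNS from every list (failure reported by the service
        website, or an operator cutover). Returns whether anything changed.
        notify=False on the peer call prevents the change echoing back."""
        changed = False
        for pool in self.available.values():
            if lns in pool:
                pool.remove(lns)
                changed = True
        if changed and notify:
            for peer in self.peers:
                peer.remove_lns(lns, notify=False)
        return changed

    def add_lns(self, lac: str, service: str, lns: str, notify: bool = True) -> None:
        """Flash cutover in the other direction: a new LNS starts carrying the
        service with no change on the LAC or on the user's client."""
        pool = self.available[(lac, service)]
        if lns not in pool:
            pool.append(lns)
        if notify:
            for peer in self.peers:
                peer.add_lns(lac, service, lns, notify=False)


class ServiceWebsite:
    """The monitoring part of the service website: probes each configured LNS
    and reports dead ones to its forwarder, which removes them and tells the
    other forwarders."""

    def __init__(self, forwarder: Forwarder, probe: Callable[[str], bool]) -> None:
        self.forwarder = forwarder
        self.probe = probe          # True when the LNS answers the probe

    def monitor(self, lns_names: List[str]) -> List[str]:
        """One monitoring round. Returns the LNSs that were removed."""
        removed = []
        for lns in lns_names:
            if not self.probe(lns) and self.forwarder.remove_lns(lns):
                removed.append(lns)
        return removed


def demo() -> dict:
    """Constructed scenario: two peer forwarders, one LAC, one service with
    three LNSs, of which lns2 stops answering between two rounds."""
    f1, f2 = Forwarder("fwd1"), Forwarder("fwd2")
    f1.peers, f2.peers = [f2], [f1]
    for f in (f1, f2):
        f.configure("lac1", "vpn-a", ["lns1", "lns2", "lns3"])

    before = [f1.select_lns("lac1", "vpn-a") for _ in range(4)]

    alive = {"lns1": True, "lns2": False, "lns3": True}   # constructed probe result
    site = ServiceWebsite(f1, lambda lns: alive.get(lns, False))
    removed = site.monitor(["lns1", "lns2", "lns3"])

    after = [f1.select_lns("lac1", "vpn-a") for _ in range(2)]
    return {"before": before, "removed": removed, "after": after,
            "peer_pool": f2.available[("lac1", "vpn-a")],
            "empty": f1.select_lns("lac1", "no-such-service")}


if __name__ == "__main__":
    print(demo())
```

Only the forwarder that received the report removes the LNS and fans the change out; the peers are called with notify=False so the notification cannot loop. The LAC never learns about the pool change: it only ever receives the LNS address chosen in the next Access-Accept, which is why the cutover is invisible to users.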
The flow of the VPDN implementation method of the present invention is shown in Figure 3. Under this method, a common (non-tunnelled) dial-up session proceeds as follows:
1. The user initiates a dial-up connection to the LAC, and the LAC sends an Access-Request to the forwarder;
2. The forwarder checks the user type and whether the user has explicitly given a domain name, and finds that the user is a common dial-up user;
3. The forwarder forwards the Access-Request to the RADIUS system;
4. The RADIUS system returns Access-Accept or Access-Reject to the forwarder;
5. The forwarder forwards the Access-Accept or Access-Reject to the LAC;
6. The LAC assigns the user an IP address from its local IP pool;
7. The LAC sends an Accounting-Request to the forwarder;
8. The forwarder records the IP address to dial-up user name mapping contained in the Accounting-Request, forwards the Accounting-Request to the RADIUS system, and notifies the other forwarders of the mapping;
9. The RADIUS system returns Accounting-Response to the forwarder;
10. The forwarder forwards the Accounting-Response to the LAC;
11. The LAC admits the user online;
12. When the user asks to disconnect, the BRAS (acting as LAC) sends an Accounting-Request to the forwarder;
13. The forwarder forwards the Accounting-Request to the RADIUS system;
14. The RADIUS system returns Accounting-Response to the forwarder;
15. The forwarder forwards the Accounting-Response to the LAC;
16. The LAC disconnects the user.
Under the method of the present invention, an L2TP dial-up session proceeds as follows:
1. The user initiates a dial-up connection to the LAC, and the LAC sends an Access-Request to the forwarder;
2. The forwarder checks the user type and whether the user has explicitly given a domain name, and finds that the user is an L2TP dial-up user;
3. The forwarder selects one LNS, based on a load-balancing algorithm, from the list of LNSs available for this service type on this BRAS/LAC, immediately returns an Access-Accept to the LAC, and specifies in the Access-Accept the RADIUS information needed to set up the L2TP tunnel;
4. The LAC sends an Accounting-Request to the forwarder;
5. The forwarder immediately returns an Accounting-Response to the LAC;
6. The LAC and the LNS designated in the Access-Accept set up the L2TP tunnel and L2TP session;
7. The LNS sends an Access-Request to the forwarder;
8. The forwarder modifies the Access-Request so that it meets the requirements of the RADIUS system, for example the port-binding parameters, and forwards it to the RADIUS system;
9. The RADIUS system returns Access-Accept or Access-Reject to the forwarder;
10. The forwarder modifies the returned result so that it meets the requirements of the LNS, for example the rate-limit parameters, and forwards it to the LNS;
11. The LNS assigns the user an IP address from its local IP pool;
12. The LNS sends an Accounting-Request to the forwarder;
13. The forwarder records the IP address to dial-up user name mapping contained in the Accounting-Request, modifies the Accounting-Request so that it meets the requirements of the RADIUS system, forwards it to the RADIUS system, and notifies the other forwarders of the mapping;
14. The RADIUS system returns Accounting-Response to the forwarder;
15. The forwarder forwards the Accounting-Response to the LNS;
16. The LNS admits the user online;
17. When the user asks to disconnect, the LNS sends an Accounting-Request to the forwarder;
18. The forwarder modifies the Accounting-Request so that it meets the requirements of the RADIUS system and forwards it to the RADIUS system;
19. The RADIUS system returns Accounting-Response to the forwarder;
20. The forwarder forwards the Accounting-Response to the LNS;
21. The LNS disconnects the user and tears down the L2TP session; if no other session remains, it also tears down the L2TP tunnel;
22. The LAC sends an Accounting-Request to the forwarder;
23. The forwarder immediately returns an Accounting-Response to the LAC;
24. The LAC disconnects the user, the L2TP session and the L2TP tunnel.
Depending on how each regional telecom operator implements port binding, the forwarder can use one of three schemes: user authentication/accounting at the LAC only, at the LNS only, or at both the LAC and the LNS. The flow above describes the scheme with authentication/accounting at the LNS only.
Under the method of the present invention, the user selects a service as follows:
1. After dialing up, the user sends a web request to the service website and selects a service type;
2. The service website sends an Access-Request to the forwarder, asking it to confirm the user's identity from the IP address, and notifies the forwarder to change the service type;
3. The forwarder confirms the user's identity, records the service change, sends Access-Accept or Access-Reject to the service website, and then notifies the other forwarders;
4. The service website confirms the change to the user in its web response and tells the user to disconnect.
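The three flows above (common dial-up, L2TP dial-up with the forwarder answering the LAC locally and rewriting the LNS's requests and replies, and service selection by IP address) as an added Python simulation that is not part of the patent. RADIUS packets are modelled as dicts keyed by attribute name; the wire encoding, the Request Authenticator and the per-client shared secret that a real RADIUS proxy verifies (RFC 2865) are omitted, so the forwarder trusts the 'source' label it is handed. The Tunnel-Type and Tunnel-Medium-Type values are the RFC 2868 values for L2TP over IPv4. The domain configuration, the accounts, the port-binding table, the rate-limit attribute names (Rate-Limit-Kbps, LNS-Rate-Limit) and the use of Calling-Station-Id to carry the physical port are assumptions constructed for this example.

```python
# Added example, not the patent's code: a simulated RADIUS forwarder.
# Packets are dicts; RADIUS wire format and shared-secret checks are omitted.
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]

TUNNEL_TYPE_L2TP = 3        # RFC 2868 Tunnel-Type value for L2TP
TUNNEL_MEDIUM_IPV4 = 1      # RFC 2868 Tunnel-Medium-Type value for IPv4


class Forwarder:
    def __init__(self, domains: Dict[str, Tuple[str, List[str]]],
                 backend: Callable[[Packet], Packet]) -> None:
        self.domains = domains        # domain -> (service type, LNS list); assumed config
        self.backend = backend        # the telecom's existing RADIUS system
        self.ip_to_user: Dict[str, str] = {}    # learned from Accounting-Request (steps 8/13)
        self.user_service: Dict[str, str] = {}  # current service type per user (step 6)
        self.peers: List["Forwarder"] = []
        self._rr = 0

    def classify(self, user_name: str) -> str:
        """Step 2: an explicitly given, configured domain marks an L2TP dial-up
        user; anything else is a common dial-up user."""
        domain = user_name.rsplit("@", 1)[1] if "@" in user_name else ""
        return "l2tp" if domain in self.domains else "common"

    def access_request(self, req: Packet, source: str) -> Packet:
        """source is 'LAC' or 'LNS': which RADIUS client sent the packet."""
        user = str(req["User-Name"])
        if source == "LAC" and self.classify(user) == "l2tp":
            service, lns_list = self.domains[user.rsplit("@", 1)[1]]
            if not lns_list:
                return {"Code": "Access-Reject"}    # no LNS left to carry the service
            lns = lns_list[self._rr % len(lns_list)]  # step 3: load-balanced choice
            self._rr += 1
            self.user_service.setdefault(user, service)
            # Answered locally and at once: the LAC tunnels, the LNS authenticates.
            return {"Code": "Access-Accept",
                    "Tunnel-Type": TUNNEL_TYPE_L2TP,
                    "Tunnel-Medium-Type": TUNNEL_MEDIUM_IPV4,
                    "Tunnel-Server-Endpoint": lns}
        fwd = dict(req)
        if source == "LNS" and "Calling-Station-Id" in fwd:
            # Step 8, port-binding rewrite (assumed convention): the LNS reports the
            # physical port in Calling-Station-Id, the backend expects NAS-Port-Id.
            fwd["NAS-Port-Id"] = fwd.pop("Calling-Station-Id")
        reply = dict(self.backend(fwd))
        if source == "LNS" and "Rate-Limit-Kbps" in reply:
            # Step 10, rate-limit rewrite into the form the LNS understands
            # (both attribute names are assumptions for this example).
            reply["LNS-Rate-Limit"] = f"{reply.pop('Rate-Limit-Kbps')}k"
        return reply

    def accounting_request(self, req: Packet, source: str) -> Packet:
        user = str(req["User-Name"])
        if req.get("Acct-Status-Type") == "Start" and "Framed-IP-Address" in req:
            self._record(str(req["Framed-IP-Address"]), user)   # steps 8 / 13
        if source == "LAC" and self.classify(user) == "l2tp":
            return {"Code": "Accounting-Response"}   # steps 5 and 23: answered locally
        return self.backend(req)

    def _record(self, ip: str, user: str, notify: bool = True) -> None:
        self.ip_to_user[ip] = user
        if notify:
            for peer in self.peers:
                peer._record(ip, user, notify=False)

    def change_service(self, ip: str, new_service: str) -> Packet:
        """Service-selection steps 2 and 3: the identity is whatever user the
        accounting records tied to this IP; an unknown IP is rejected."""
        user = self.ip_to_user.get(ip)
        if user is None:
            return {"Code": "Access-Reject"}
        for f in [self] + self.peers:
            f.user_service[user] = new_service
        return {"Code": "Access-Accept", "User-Name": user}


BOUND_PORTS = {"alice@vpn.example": "slot1/port7"}   # constructed binding table


def backend_stub(req: Packet) -> Packet:
    """Constructed stand-in for the telecom RADIUS system: password check plus
    a port-binding check that can only pass once NAS-Port-Id is present."""
    if req["Code"] == "Accounting-Request":
        return {"Code": "Accounting-Response"}
    user = str(req["User-Name"])
    if req.get("User-Password") != "secret":
        return {"Code": "Access-Reject"}
    if user in BOUND_PORTS and req.get("NAS-Port-Id") != BOUND_PORTS[user]:
        return {"Code": "Access-Reject"}
    return {"Code": "Access-Accept", "Rate-Limit-Kbps": 2048}


def make_pair() -> Tuple[Forwarder, Forwarder]:
    """Two peer forwarders sharing one hypothetical domain configuration."""
    cfg = {"vpn.example": ("vpn-a", ["lns1", "lns2"])}
    f1, f2 = Forwarder(cfg, backend_stub), Forwarder(cfg, backend_stub)
    f1.peers, f2.peers = [f2], [f1]
    return f1, f2
```

Two points worth noticing when running it: the LNS's Access-Request for a bound account is rejected by the backend whenever the rewritten NAS-Port-Id does not match the account's bound port, which is exactly what the step 8 rewrite exists for; and change_service trusts the IP to user mapping learned from accounting, so an IP that no Accounting-Request has tied to a user is rejected, and the mapping must be kept consistent across forwarders (hence the peer notification in step 8/13).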

Claims (10)

1. A method for implementing a virtual private dial-up network (VPDN), characterized in that the method comprises the following steps:
Step 1: in the existing telecom VPDN, setting up an authentication, authorization and accounting (AAA) forwarder that processes the AAA requests from the L2TP Access Concentrator and the L2TP Network Server and forwards them to the AAA system;
Step 2: the AAA forwarder determines that the user type establishing the dial-up connection is an L2TP dial-up user;
Step 3: the L2TP Access Concentrator and the L2TP Network Server designated by the AAA forwarder set up an L2TP tunnel and session for this user;
Step 4: in the existing telecom VPDN, setting up at least one service website that accepts user access;
Step 5: the user selects a service type through the service website;
Step 6: the service website confirms the user's identity through the AAA forwarder and notifies the forwarder to change the service type available to the user.
2. The method of claim 1, characterized in that in step 1 multiple AAA forwarders are set up in the existing telecom VPDN to achieve fault tolerance or load balancing.
3. The method of claim 1, characterized in that the AAA forwarder of step 1 supports various forms of port binding and rate limiting through a rewriting mechanism.
4. The method of claim 1, characterized in that the AAA forwarder of step 1 allows the user to access a specific service by explicitly specifying a domain name.
5. The method of claim 1, characterized in that the tunneling protocol of steps 2 and 3 may also be the Layer Two Forwarding protocol or another tunneling protocol.
6. The method of claim 1, characterized in that in step 3, when there are multiple L2TP Network Servers, the AAA forwarder selects one L2TP Network Server from the list of L2TP Network Servers available for this service type on the L2TP Access Concentrator, based on a load-balancing algorithm.
7. The method of claim 1, characterized in that the service website of step 4 holds the configuration information for the L2TP Access Concentrators, service types, domain names and L2TP Network Servers, and the administrator can manage this information.
8. The method of claim 1, characterized in that the service website of step 4 designates one or more L2TP Network Servers for each service type or domain name, supporting multi-service access.
9. The method of claim 1, characterized in that the service website of step 4 periodically monitors whether each L2TP Network Server is working normally; when it finds that an L2TP Network Server has stopped working it sends a request to the AAA forwarder, and the AAA forwarder removes this L2TP Network Server from the list of available L2TP Network Servers, returns a response to the service website and notifies the other AAA forwarders.
10. The method of claim 1, characterized in that in step 6, when there are multiple AAA forwarders, the forwarder notifies the other forwarders of the service change.
Priority application: CN 200410066908, filed 2004-09-30 (priority date 2004-09-30), "Realizing method for virtual special dial network", status Pending.
Publication: CN1617541A, published 2005-05-18.
Family ID: 34764963 (single application, CN only).
Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100420220C (en) * 2006-01-09 2008-09-17 华为技术有限公司 Two layer tunnel protocol network server and method for establishing tunnel thereof
CN100433625C (en) * 2006-07-12 2008-11-12 华为技术有限公司 Multi-service selective network and implementation method for service supporting same
CN100583799C (en) * 2007-11-16 2010-01-20 中国电信集团公司 Method and system for implementing CDMA1xLNS load balancing
CN101442418B (en) * 2008-12-16 2011-04-20 中兴通讯股份有限公司 Charging method for second layer tunnel protocol user based on point-to-point protocol mode
WO2018103665A1 (en) * 2016-12-08 2018-06-14 华为技术有限公司 L2tp-based device management method, apparatus and system
CN108183849A (en) * 2016-12-08 2018-06-19 华为技术有限公司 Device management method, equipment and system based on L2TP
CN108183849B (en) * 2016-12-08 2021-01-08 上海朋熙半导体有限公司 Device management method, device and system based on L2TP
CN107634884A (en) * 2017-08-28 2018-01-26 深信服科技股份有限公司 Cloud network log-in management system and method based on Virtual Private Dialup Network
CN107634884B (en) * 2017-08-28 2020-12-04 深信服科技股份有限公司 Cloud networking behavior management system and method based on virtual private dial-up network
CN107896187A (en) * 2017-11-07 2018-04-10 北京首信科技股份有限公司 A kind of method and apparatus that LNS equipment is issued in VPDN networks
CN109600292A (en) * 2018-12-24 2019-04-09 安徽皖通邮电股份有限公司 A kind of LAC router initiates the method and system of L2TP Tunnel connection from dialing
CN109600292B (en) * 2018-12-24 2021-09-28 安徽皖通邮电股份有限公司 Method and system for LAC router to initiate L2TP tunnel connection by self dialing number


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication