JP5450227B2 - Traffic control instruction device, traffic control instruction program, traffic control instruction system, and traffic control instruction method - Google Patents

Description

  The present invention relates to a traffic control instruction device, a traffic control instruction program, a traffic control instruction system, and a traffic control instruction method.

  In recent years, services have emerged that provide a collaborative space by connecting multiple locations. In particular, there is a high demand for an on-demand service, that is, a service for connecting between bases in a timely manner upon request. Here, the “base” is an isolated network domain whose reachability is limited by VPN (Virtual Private Network) or geographical conditions. In addition, “inter-base connection” means that information for transferring a packet transmitted from a terminal at a base to a terminal at a base is set in each device existing on the path between the bases. It is interconnecting the bases so that they can communicate with each other. The “collaborative space” is a network domain generated by inter-base connection, and is a network domain having the interconnected range as a new reachable range.

  By the way, in the inter-base connection, it is generally considered that traffic control is performed. For example, in an inter-VPN connection that connects a plurality of VPNs via a wide area network, each VPN is accommodated in an aggregate virtual router that controls packet transfer in the wide area network, and the aggregate virtual router is used as a set of route information. A packet related to one connection between VPNs is transferred through one set route. In such a case, for example, the collective virtual router can perform traffic control such as quality assurance for one connection between VPNs.

Takaaki Koyama, Shuichi Karasawa, Kazuhiro Kishi, Shintaro Mizuno, Soetsu Iwamura, “Proposal of VPN Connection Management System”, IEICE Technical Report IN 2009-48 (2009-09), P.A. 53-58

  However, the above-described prior art has a problem that traffic control cannot be performed appropriately. In a service that provides a collaborative space, traffic control at a finer granularity is desired, for example, for each application or each user. In this regard, in the above-described prior art, the collective virtual router transfers a packet related to one inter-VPN connection through one route, so that traffic control can only be performed collectively for one inter-VPN connection.

  The disclosed technology has been made in view of the above, and provides a traffic control instruction device, a traffic control instruction program, a traffic control instruction system, and a traffic control instruction method capable of appropriately performing traffic control. With the goal.

  In one aspect, a traffic control instruction device, a traffic control instruction program, a traffic control instruction system, and a traffic control instruction method disclosed in the present application include a transfer control device that controls packet transfer of a wide area network, and the transfer control device. The packet transmitted from the base station side is separated for each traffic type and accommodates each base belonging to the base-to-base connection, and is formed for each traffic type between the terminal device and the packet transmitted from the base side. A traffic control instructing device that controls traffic in a base-to-site connection system including a traffic control device that transmits to each of a plurality of received routes, and monitors at least one of the transfer control device and the traffic control device By doing so, information related to traffic, Monitoring means for acquiring at least one of the information on the source and determining whether or not the acquired information satisfies a predetermined condition; and when it is determined that the information satisfies the condition, And control means for transmitting instruction information for controlling traffic on the route to at least one of the transfer control device and the traffic control device.

  In addition, in one aspect, a traffic control instruction device, a traffic control instruction program, a traffic control instruction system, and a traffic control instruction method disclosed in the present application include a transfer control device that controls packet transfer in a wide area network, and the transfer control device. The terminal device that accommodates each site belonging to the connection between the sites via the network and terminates the accommodated site and the packet transmitted from the site side are separated for each traffic type, and for each traffic type between the transfer control device A traffic control instruction method for controlling the traffic of the inter-base connection system including a traffic control device that transmits to each of a plurality of routes formed in the network, wherein the computer includes at least one of the transfer control device and the traffic control device. By monitoring one device, the device can A monitoring step of acquiring at least one of the information regarding the resource and the information regarding the resource, and determining whether the acquired information meets a predetermined condition; and determining that the information meets the condition A control step of transmitting instruction information for controlling traffic on the route to at least one of the transfer control device and the traffic control device.

  In one aspect, a traffic control instruction device, a traffic control instruction program, a traffic control instruction system, and a traffic control instruction method disclosed in the present application cause a computer to function as a traffic control instruction device. It is a program.

  In addition, in one aspect, a traffic control instruction device, a traffic control instruction program, a traffic control instruction system, and a traffic control instruction method disclosed in the present application include a transfer control device that controls packet transfer in a wide area network, and the transfer control device. The terminal device that accommodates each site belonging to the connection between the sites via the network and terminates the accommodated site and the packet transmitted from the site side are separated for each traffic type, and for each traffic type between the transfer control device A traffic control instruction system that controls traffic in a base-to-site connection system including a traffic control device that transmits to each of a plurality of routes formed in the network, the traffic control instruction device comprising: the transfer control device; and the traffic control device. By monitoring at least one device, And at least one of traffic information and resource information, and monitoring means for determining whether or not the acquired information meets a predetermined condition; and when the information meets the condition And control means for transmitting instruction information for controlling traffic on the route to at least one of the transfer control device and the traffic control device when determined. At least one of the apparatus and the traffic control apparatus, when requested by the traffic control instruction apparatus, a transmission means for transmitting information related to traffic to the traffic control instruction apparatus; and the traffic control instruction apparatus Control means for controlling traffic according to the received instruction information when the instruction information is received from Equipped with a.

  In addition, in one aspect, a traffic control instruction device, a traffic control instruction program, a traffic control instruction system, and a traffic control instruction method disclosed in the present application include a transfer control device that controls packet transfer in a wide area network, and the transfer control device. The terminal device that accommodates each site belonging to the connection between the sites via the network and terminates the accommodated site and the packet transmitted from the site side are separated for each traffic type, and for each traffic type between the transfer control device A traffic control instruction method for controlling traffic of a base-to-site connection system including a traffic control device that transmits to each of a plurality of routes formed in the network, wherein the computer as the traffic control instruction device includes the transfer control device, the traffic Monitor at least one of the control devices A monitoring step of acquiring at least one of information on traffic and information on resources from the device and determining whether the acquired information satisfies a predetermined condition; and A control step of transmitting instruction information for controlling traffic on the route to at least one of the transfer control device and the traffic control device when it is determined that the condition is met. A transmission step of transmitting information related to traffic to the traffic control instruction device when a computer as at least one of the transfer control device and the traffic control device is requested by the traffic control instruction device; And the received instruction information when the instruction information is received from the traffic control instruction device. Therefore and a control step of controlling the traffic.

  According to one aspect of the traffic control instruction device, the traffic control instruction program, the traffic control instruction system, and the traffic control instruction method disclosed in the present application, it is possible to appropriately perform traffic control.

FIG. 1 is a diagram for explaining the outline of the inter-VPN communication system according to the first embodiment. FIG. 2 is a diagram for explaining policy routing. FIG. 3 is a diagram for explaining the IP address delivery method (i). FIG. 4 is a diagram for explaining the IP address payout method (ii). FIG. 5 is a diagram showing the address conversion relationship. FIG. 6A is a diagram for explaining the merit of separating routes for each traffic type. FIG. 6B is a diagram for explaining the merit of separating routes for each traffic type. FIG. 7 is a diagram for explaining traffic control according to the first embodiment. FIG. 8 is a block diagram illustrating the configuration of the integrated AAA device according to the first embodiment. FIG. 9 is a diagram for explaining conditions for determining whether or not a congestion state has occurred. FIG. 10 is a diagram for explaining conditions for determining whether or not a congestion state has occurred. FIG. 11 is a diagram for explaining the control information. FIG. 12 is a flowchart illustrating the traffic control processing procedure according to the first embodiment. FIG. 13 is a diagram for explaining traffic control according to the second embodiment. FIG. 14 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the second embodiment. FIG. 15 is a diagram for explaining the control information. FIG. 16 is a diagram for explaining the separation information. FIG. 17 is a flowchart illustrating a traffic control processing procedure according to the second embodiment. FIG. 18 is a diagram for explaining traffic control according to the third embodiment. FIG. 19 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the third embodiment. FIG. 20 is a diagram for explaining the control information. FIG. 21 is a diagram for explaining the control information. FIG. 22 is a diagram for explaining the setting information. FIG. 23 is a flowchart illustrating a traffic control processing procedure according to the third embodiment. FIG. 24 is a diagram for explaining traffic control according to the fourth embodiment. FIG. 25 is a diagram for explaining traffic control according to the fourth embodiment. FIG. 26 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the fourth embodiment. FIG. 27 is a diagram for explaining the control information. FIG. 28 is a diagram for explaining a list of application servers. FIG. 29 is a flowchart illustrating a traffic control processing procedure according to the fourth embodiment. FIG. 30 is a diagram for explaining a redundant path. FIG. 31 is a diagram for explaining bases as a plurality of local area network groups connected by the VPN service. FIG. 32 is a diagram for explaining bases as a plurality of local area network groups connected by the VPN service. FIG. 33 is a diagram for explaining bases as a plurality of local area network groups connected by the VPN service. FIG. 34 is a block diagram showing a configuration of the inter-VPN connection management system 200. FIG. 35 is a diagram for explaining the VPN connection information storage unit 221. FIG. 36 is an example of the setting pattern of the collective virtual router. FIG. 37 is an example of a setting pattern of the VPN termination device. FIG. 38 is a diagram for explaining the VPN connection request storage unit 223. FIG. 39 is a diagram for explaining the address conversion information storage unit 224. FIG. 40 is a diagram for explaining the routing information storage unit 225. FIG. 41 is a diagram for explaining the routing information storage unit 225. FIG. 42 is a diagram for explaining the attachment storage unit 226. FIG. 43 is a diagram for explaining the pre-configuration information of the collective virtual router. FIG. 44 is a diagram for explaining the pre-setting information of the VPN terminating device. FIG. 45 is a diagram for explaining an example of a VPN connection request input screen. FIG. 46 is a flowchart showing a processing procedure performed by the inter-VPN connection management system 200. FIG. 47 is a diagram for explaining an example of access in the collaborative space.

  Embodiments of a traffic control instruction device, a traffic control instruction program, a traffic control instruction system, and a traffic control instruction method disclosed in the present application will be described below. In the following embodiment, an inter-VPN connection will be described as an example of inter-base connection. In the first embodiment, after describing the outline of the inter-VPN communication system according to the first embodiment, “congestion control” will be described as an example of traffic control. In the second embodiment, “load distribution control” will be described as an example of traffic control. In the third embodiment, “failure switching control” will be described as an example of traffic control. In the fourth embodiment, “resource lending control” will be described as an example of traffic control. Example 5 is another example. It should be noted that the present invention is not limited to the following embodiments. For example, these traffic controls can be arbitrarily combined.

[Outline of Inter-VPN Communication System According to Embodiment 1]
First, the outline | summary of the communication system between VPNs which concerns on Example 1 is demonstrated using FIGS. FIG. 1 is a diagram for explaining the outline of the inter-VPN communication system according to the first embodiment. As illustrated in FIG. 1, the inter-VPN communication system according to the first embodiment realizes connection between VPNs by forming a plurality of paths separated for each traffic type between VPNs. Hereinafter, a base connected between VPNs is referred to as “VPN”. “VPN _i ” is a VPN name. A virtual router set in an aggregate virtual router (also referred to as a “transfer control device”) that controls packet transfer in a wide area network is referred to as “VRF”. “VRF _m ” is a virtual router name. VRF is an abbreviation for Virtual Routing and Forwarding.

In FIG. 1, VPN _i and VPN _j (i and j are positive integer values independent of each other, where i ≠ j in particular) are connected between VPNs, and terminals α under VPN _{i are} connected to each other. An example in which a collaborative space is provided with a terminal β under VPN _j is shown. The collective virtual router illustrated in FIG. 1 transfers a packet related to the connection between VPNs according to the path information set in the collective virtual router. Here, the “virtual router” illustrated in FIG. 1 divides resources in a router as a physical casing by using a virtualization technique and functions as routers that are logically independent from each other. In FIG. 1, a virtual router “VRF _m ” and a virtual router “VRF _n ” (m and n are positive integer values independent of each other, where m ≠ n in particular) are set in the collective virtual router. A plurality of routes are formed as routes for transferring packets related to one VPN connection (one cooperating space). These plural routes are routes separated for each traffic type, as will be described later. As illustrated by the dotted frame in FIG. 1, the route on the virtual router “VRF _m ” side and the route on the virtual router “VRF _n ” side correspond to the collaboration space “VCS (Virtual Collaboration Space) _α ”. .

Each VPN termination device illustrated in FIG. 1 accommodates each VPN (VPN _i , VPN _j ) belonging to a predetermined connection between VPNs, and terminates each accommodated VPN on the wide area network side. The VPN termination device is a router or a switch installed at the boundary between the VPN and the wide area network. Further, the address translation device illustrated in FIG. 1 translates the address of the packet received from the VPN termination device, and transmits the packet after the address translation to the collective virtual router. The address translation device translates the address of the packet received from the collective virtual router, and transmits the packet after the address translation to the VPN termination device.

  Here, in the inter-VPN communication system according to the first embodiment, as illustrated in FIG. 1, a traffic separation and integration device is installed between the VPN termination device and the address translation device. The traffic separating and integrating device separates the traffic received from the VPN side for each traffic type and sends it to a plurality of routes for each traffic type. Further, the traffic separating and integrating device integrates the traffic separated for each traffic type and passed through the virtual router into one traffic and sends it to the VPN side.

  Specifically, the traffic separation and integration apparatus according to the first embodiment performs policy-based routing. Policy-based routing is to perform a specific process (routing) specified in advance when the traffic matches a predetermined condition. The traffic separation and integration device stores the condition in advance as an ACL (Access Control List). Further, the traffic separation and integration apparatus stores a specific process as a policy in advance. Then, when receiving the packet, the traffic separating and integrating device extracts a packet that matches the condition defined as the ACL, and performs a specific process defined as the policy on the extracted packet. In the policy, for example, a route is defined for each application or each user, a route is defined according to a ToS (Type of Service) value corresponding to a QoS (Quality of Service) class, and others. A route whose path is defined according to an IP (Internet Protocol) address or a port number is included. The traffic separation and integration device can be realized by a known technique.

For example, the traffic separation and integration apparatus according to the first embodiment transfers a packet to the route of the virtual router “VRF _m ” for the traffic whose application type is “APL (Application) 1”, and the application type is “APL 2”. For traffic, it is assumed that a policy specifying that a packet is transferred to the route of the virtual router “VRF _n ” is stored. Then, for example, when the traffic separation and integration device 0 receives the “APL1” packet from the VPN _i side, the traffic separation and integration device 0 forcibly transfers the packet to the “I / F (interface) 0.1” side. In other words, the traffic separation and integration device 0 transfers the packet to the route of the virtual router “VRF _m ”. Further, for example, when the traffic separation and integration device 0 receives the “APL2” packet from the VPN _i side, it forcibly forwards it to the “I / F0.2” side. That is, the traffic separation and integration device 0 transfers the packet to the route of the virtual router “VRF _n ”.

On the other hand, for example, when receiving the packet “APL1” from the VPN _j side, the traffic separating and integrating device 1 forcibly forwards the packet to the “I / F1.1” side. That is, the traffic separating and integrating device 1 transfers the packet to the route of the virtual router “VRF _m ”. Further, for example, when the traffic separation and integration apparatus 1 receives the packet of “APL2” from the VPN _j side, it is forcibly transferred to the “I / F1.2” side. That is, the traffic separating and integrating device 1 transfers the packet to the route of the virtual router “VRF _n ”.

  As described above, the inter-VPN communication system according to the first embodiment realizes connection between VPNs by forming a plurality of paths separated for each traffic type between VPNs. Such an inter-VPN connection is established by an inter-VPN connection management system (not shown in FIG. 1) and provided as an inter-VPN connection service by the inter-VPN connection management system. Therefore, a process for establishing such an inter-VPN connection will be briefly described.

  The predetermined connection between VPNs is established in response to a connection request between VPNs from a user, for example. For example, when a user who uses a terminal under VPN applies an inter-VPN connection request to an operator providing an inter-VPN connection service, the name and IP address of the server that is allowed to access in the collaborative space. Apply in advance.

For example, consider an inter-VPN connection between VPN _i and VPN _j . It is assumed that the VPN _j side server is used by the VPN _i side user. The user on the VPN _j side applies for “serverA@vpnj.example.com”, “serverB@vpnj.example.com”, and “serverC@vpnj.example.com” as server names. Note that the IP address of the server may be dynamically assigned in each VPN. In such a case, since the IP address is acquired afterwards (after being paid out) on the inter-VPN connection management system side, it is not always necessary to apply for the IP address in advance.

In addition, the user groups routes for servers that allow access in the collaborative space, and applies for a route group. For example, a user who uses a terminal under VPN considers services (applications, etc.) provided by each server, and groups routes according to services that want to share routes or services that want to individualize routes. When applying for an inter-VPN connection request to an operator providing an inter-VPN connection service, an application is made for a route group. For example, a user on the VPN _j side includes a mail server (“serverA@vpnj.example.com”) and a Web server (“serverB@vpnj.example.com”) in “route group 1”, “route group Apply to include the video distribution server (“serverB@vpnj.example.com”) in “2” and to include the real-time collaboration server (“serverC@vpnj.example.com”) in “route group 3”.

  For example, as a specification for the inter-VPN connection service, association between a route group and a quality assurance class may be defined. For example, four types of route groups are defined in advance in association with four quality assurance classes. Then, the user examines the quality assurance class required for the service provided by each server, selects a route group of an appropriate quality assurance class from the four types of route groups defined in advance, and applies. . Alternatively, for example, an appropriate quality assurance class route group may be automatically selected by the user applying for a type of service provided by each server.

On the other hand, the inter-VPN connection management system accepts an application for the name and IP address of a terminal from a user on the VPN _i side, and recognizes a route formed between VPN _i and VPN _j based on these pieces of information. . For example, the inter-VPN connection management system forms three routes between VPN _i and VPN _j based on the application for “route group 1”, “route group 2”, and “route group 3”. Recognize that it should be done (for example, virtual routers “VRF ₁ ”, “VRF _m ”, “VRF _n ”).

The inter-VPN connection management system generates DNS (Domain Name System) registration information corresponding to the route. For example, the inter-VPN connection management system generates “mail@vcsα.vpnj.example.com” for the mail server of “route group 1” and “www@vcsα.vpnj.example.com” for the Web server. Generate “movie@vcsα.vpnj.example.com” for the video distribution server of “route group 2”, and “collabo@vcsα.vpnj.example.com” for the real-time collaboration server of “route group 3”. Is generated. These pieces of information are notified to the VPN _i user through e-mail, mail, or an application screen.

  Further, the inter-VPN connection management system generates setting information for forming a route. For example, the inter-VPN connection management system generates setting information for forming three routes. For example, the setting information of the three virtual routers set in the collective virtual router is associated in the collective virtual router. The contents are the same except that the I / F is different. The same applies to the setting information set in the address translation device, as will be described later. In other words, the inter-VPN connection management system only has to duplicate the information for generating the setting information for one virtual router and generate the setting information for each of the three virtual routers.

  After that, the inter-VPN connection management system, for example, sets the setting information for forming a route in the collective virtual router, the VPN terminator, the address translator, etc. at the start time for providing the inter-VPN connection service, Also, DNS registration information is set in the DNS device.

  The inter-VPN connection management system also generates policy routing information set in the traffic separation and integration device. For example, when the start time for providing the inter-VPN connection service is reached, the generated policy routing information is sent to the traffic separation and integration device. Set. Policy routing will be described with reference to FIG. FIG. 2 is a diagram for explaining policy routing.

  First, the inter-VPN connection management system separates traffic to be subject to policy routing for each type in the traffic separation and integration apparatus. The inter-VPN connection management system defines a policy for each route group. For example, “policy 1” defines that only mail traffic and Web traffic corresponding to “route group 1” are allowed to pass, and other types of traffic are not allowed to pass. In addition, “policy 2” defines that only the moving image distribution traffic corresponding to “route group 2” is allowed to pass, and other types of traffic are not allowed to pass. “Policy 3” defines that only real-time collaboration traffic corresponding to “route group 3” is allowed to pass, and other types of traffic are not allowed to pass. The inter-VPN connection management system applies each policy to each interface of the traffic separation and integration apparatus. For example, as illustrated in FIG. 2, “policy 1” is applied to the interface “ether0”, “policy 2” is applied to the interface “ether1”, and “policy 3” is applied to the interface “ether2”.

  An extension in such an inter-VPN connection will be described. For example, when an inter-VPN connection by two VPNs has already been established, one VPN is added here to establish an inter-VPN connection by three VPNs. In such a case, the setting of simply adding one VPN may be performed for the case of two VPNs. For example, a newly added VPN route is added to the existing route group so that the newly added VPN can use an application included in the existing route group that has already been formed. . In addition, when a VPN is newly added, an application is newly added, and an application that cannot be added to an existing route group is newly added so that three VPNs can be used. A virtual router may be generated.

  More generally, it is assumed that an inter-VPN connection using N VPNs has already been established. It is always possible to add a new VPN here until the IP address is exhausted. A newly added VPN route is added to the existing route group so that the newly added VPN can use an application included in the existing route group that has already been formed. In addition, when a VPN is newly added, an application is newly added, and an application that cannot be added to an existing route group is newly added so that N + 1 VPNs can be used. Virtual routers can be created in From the above discussion, the number of VPNs and the number of virtual routers can be arbitrarily set at any point in this way.

[About address delivery method]
By the way, the inter-VPN communication system according to the first embodiment includes an address translation device as illustrated in FIG. 1, and the address translation device performs address translation of the IP address. Here, in the first embodiment, the RFC (Request for Comments) 2663 technology (hereinafter “Twice-NAT”) published by the IETF (Internet Engineering Task Force) is used as the address translation technology. The address payout method will be described below with reference to FIGS.

  As described above, in the first embodiment, Twice-NAT is used. That is, the address translation device translates both the source IP address and the destination IP address. Here, an IP address assigned to identify a terminal under each VPN belonging to the connection between VPNs in the VPN is referred to as an “in-base address”. In addition, an IP address for identifying a terminal under another VPN serving as a communication partner in the VPN is referred to as a “first address”. Further, an IP address for identifying a terminal under each VPN belonging to the connection between VPNs by the collective virtual router is referred to as a “second address”.

  Then, for example, when the terminal α and the terminal β communicate with each other, the address translation device installed on the VPN side under the control of the terminal α is (source address, destination address) = (base address of the terminal α, (First address of terminal β) is converted to (source address, destination address) = (second address of terminal α, second address of terminal β). Accordingly, the address conversion information includes address conversion information for converting the in-base address of the terminal α and the second address of the terminal α, and address conversion information for converting the first address of the terminal β and the second address of the terminal β. And registered in the address translation device.

FIG. 3 is a diagram for explaining the IP address delivery method (i). In FIG. 3, “a _i ” is an in-base address for identifying the terminal α in VPN _i , and “a _j ” is an in-base address for identifying the terminal β in VPN _j . Equation (1) is a conversion operator representing address conversion from VPN _i to VRF _m . Equation (2) is a conversion operator that represents address conversion from VRF _m to VPN _j .

Therefore, in FIG. 3, the second address for identifying the terminal α under the VPN _i and the terminal β under the VPN _j belonging to the virtual router “VRF _m ” by the collective virtual router is the in-base address “a _i ”. And the in-site address “a _j ” are IP addresses converted once by the address conversion device, respectively, which is expressed by equation (3). On the other hand, the second address for identifying the terminal α under VPN _i and the terminal β under VPN _j belonging to the virtual router “VRF _n ” by the collective virtual router is the base address “a _i ” and the base address “A _j ” is an IP address converted once by the address conversion device, and is expressed by equation (4).

Further, in FIG. 3, the first address for identifying the terminal β under the VPN _{j serving as the} communication partner in the VPN _i is expressed by the equations (5) and (6). Similarly, the first address for identifying the terminal α under the VPN _{i serving} as the communication partner in the VPN _j is expressed by the equations (7) and (8).

Here, in the IP address delivery method (i), the first address for identifying the terminal β under the VPN _{j serving as the} communication partner in the VPN _i is not different for each route. That is, the first address is paid out so that the expressions (9) and (10) are satisfied. This is because the traffic separation and integration apparatus according to the first embodiment performs the policy-based routing without performing the routing based on the IP address, so that the routing is correctly performed even if the first address is the same.

  For this reason, in the IP address delivery method (i), it is only necessary to issue an IP address as in the case of one route, and the same setting information is assigned to each virtual router and each address translation device. Or address conversion information may be set.

Next, FIG. 4 is a diagram for explaining an IP address delivery method (ii). As described above, in the IP address payout method (i), the IP address is paid out so that the above equations (9) and (10) are satisfied. However, the disclosed technique is not limited to the payout in which the above expressions (9) and (10) are satisfied. For example, the above formulas (9) and (10) do not hold and the relationship between the formulas (11) and (12) may be considered.

When such an IP address is issued, the traffic separation and integration device performs policy-based routing and does not perform routing based on the destination IP address of the packet. In some cases, routing based on the destination IP address of the packet From this point of view, a packet to be routed to the route on the virtual router “VRF _m ” side may be sent to the route on the virtual router “VRF _n ” side.

For example, a packet routed from the VPN _i to the route on the virtual router “VRF _m ” side should be a packet whose destination IP address is the expression (5) from the viewpoint of IP address-based routing. Due to the base routing, there is a possibility that the packet having the destination IP address of the expression (6) may be routed. Therefore, in the IP address payout method (ii), in order to appropriately perform address conversion even for a packet that is considered to be erroneously routed from the viewpoint of IP address-based routing in the traffic separation and integration apparatus as described above. Address translation information according to the translation rules (13) and (14) is added to the address translation device. Similarly, address translation information according to translation rules (15) and (16) is added to the address translation device.

That is, even if a packet with the destination IP address (6) is routed to the route on the virtual router “VRF _m ” side by policy-based routing, the address is converted according to the conversion rule of (13).

When the address conversion information indicated by the conversion rules (13) to (16) is described by the conversion operator, the following expressions (19) to (22) are newly defined. First, in normal IP address-based routing, equation (17) is established. FIG. 5 is a diagram showing the address conversion relationship. Since equation (18) is established from the relationship shown in FIG. 5, equation (17) is established.

However, when the IP address is issued by the IP address delivery method (ii), the address translation device must perform address translation according to the translation rules (13) to (16). Hereinafter, the conversion expressed by the equations (19) to (22) must be newly defined.

In other words, in the IP address-based routing, it is not considered that the packet with the destination IP address of the expression (6) is routed to the route on the virtual router “VRF _m ” side, so the conversion represented by the expression (23) Is defined, but the conversion expressed by the equation (24) is not defined. However, when the IP address is issued by the IP address issue method (ii), for example, the equation (24) is newly added. Must be defined. Note that conversion relationships not defined here have no meaning and no value is determined. For example, symbols such as the following conversion rule (25) and conversion rule (26) are meaningless because there is no corresponding actual conversion.

  Subsequently, as in the communication system between VPNs according to the first embodiment, a merit of separating a route for each traffic type will be described. FIGS. 6A and 6B are diagrams for explaining the merit of separating a route for each traffic type.

For example, in the inter-VPN connection illustrated in FIG. 6A, the traffic route is separated for each QoS (Quality of Service) class (or for each SLA (Service Level Agreement)). As described above, in the inter-VPN communication system according to the first embodiment, different routes are used depending on the type of traffic, even if the traffic is between the same users. A queue is used. As a result, for example, it is possible to collectively control traffic of the same QoS class. In other words, as a result of separating the traffic of different QoS classes, it is only necessary to handle all packets fairly without performing complicated traffic control such as priority control for traffic of the same QoS class. Can be simplified.

  For example, as illustrated in FIG. 6B, each of the aggregate virtual router, the address translation device, the traffic separation and integration device, and the VPN termination device prepares a sufficient buffer in the ingress I / F. Next, if the outgoing I / F bandwidth is greater than or equal to the sum of the incoming I / F bandwidths, it is input from the VPN terminating device, exits from another VPN terminating device via the collective virtual router. By the time, traffic is not discarded. Alternatively, if the outgoing I / F band is smaller than the sum of the incoming I / F bands, a discarded packet that cannot be absorbed by the buffer may occur. Since the number is proportional to the amount of traffic, it is discarded fairly among users. For example, as illustrated in FIG. 6B, each device of the collective virtual router, the address translation device, and the traffic separation and integration device prepares a shaper for adjusting the packet interval at the outgoing I / F. Each device handles all packets fairly without performing complicated traffic control such as priority control within the device, and it is only necessary to reliably shape the traffic at the outgoing I / F, thus simplifying traffic control. can do. Strict QoS is provided depending on the type of VPN, and in that case, strict priority control in the VPN terminating device is possible. Therefore, if the traffic separated by class transmitted from the collective virtual router side passes through different physical paths with sufficient bandwidth until the traffic separating and integrating device enters the VPN terminating device, only the VPN terminating device can Priority control is performed, and as a result, fair QoS guarantee is possible for each class of traffic over the entire route. Thus, by dividing the route for each traffic, it becomes possible to guarantee different quality classes and SLA fairly and strictly if priority control is applied in the VPN terminating device.

  Also, for example, the VPN density of each aggregate virtual router is changed (for example, QoS class 1 accommodates only up to 100% of the performance of the aggregate virtual router, while QoS class 2 accommodates up to 300%, etc.) Thus, traffic control for each QoS class can be controlled from the viewpoint of accommodation in a collective virtual router. Similarly to the above, if strict priority control is possible with the VPN terminating device, the traffic separating and integrating device and the collective virtual router provide sufficient bandwidth and buffers and received for each traffic of the same class. The packets may be transferred as they are without special priority control in the order of arrival. In this way, for example, even if all devices do not have a special priority control function, fair and strict QoS guarantees and SLA guarantees can be made for each class over the entire route.

[Traffic Control by Integrated AAA Device According to Embodiment 1]
So far, the outline of the inter-VPN communication system according to the first embodiment has been described. In the following, as a technique disclosed by the present application, an integrated AAA (Authentication Authorization Accounting) apparatus according to the first embodiment will be mainly described. explain.

  When a plurality of routes separated for each traffic type are formed between VPNs, the integrated AAA device determines whether a congestion state has occurred from the device by monitoring the devices on the route. Information is acquired, and it is determined whether or not the acquired information meets a predetermined condition. When the integrated AAA device determines that the acquired information satisfies the condition, the integrated AAA device transmits instruction information for controlling traffic on the route to the device that forms the route.

  Information for determining whether a congestion state has occurred includes, for example, information related to traffic and information related to resources. Specific examples include, for example, “CPU (Central Processing Unit) usage rate of aggregate virtual router”, “band in use measured by I / F of aggregate virtual router”, “I of aggregate virtual router” "Available bandwidth measured at / F", "Usage rate of bandwidth measured at I / F of aggregate virtual router (ratio of bandwidth in use to bandwidth allocated to I / F)", "Aggregate “Transfer amount of packets measured by virtual router I / F (number of packets per unit time and packet size)”, “Packet discard rate measured by I / F of aggregate virtual router”, “Aggregate virtual Queue length measured by router I / F ”. Further, for example, there are “delay times of measurement packets and user packets flowing on the route”.

  In this regard, hereinafter, an explanation will be given using an example in which the integrated AAA device acquires “CPU usage rate of aggregate virtual router” as information for determining whether or not a congestion state has occurred. The integrated AAA device according to the first embodiment acquires the “CPU usage rate of the collective virtual router” as information for determining whether or not a congestion state has occurred, and the acquired information exceeds a predetermined threshold. To determine whether a congestion state has occurred. In addition, when the integrated AAA device determines that a congestion state has occurred, the integrated AAA device provides the device that forms the route with instruction information for instructing to discard the traffic on the low-priority traffic route among the plurality of routes. Send to.

  FIG. 7 is a diagram for explaining traffic control according to the first embodiment. As illustrated in FIG. 7, in the first embodiment, a route on the virtual router “VRF1” side and a virtual router “VRF2” side are divided between the VPN1 and the VPN2 as a plurality of routes separated for each QoS class. The path is formed. The route on the virtual router “VRF1” side and the route on the virtual router “VRF2” side are considered as one collaborative space. The route on the virtual router “VRF1” side is a route for “Priority Class” traffic, and the route on the virtual router “VRF2” side is a route for traffic of “Best Effort Class”. The traffic of “Best Effort Class” is lower in priority than the traffic of “Priority Class”. That is, the route on the virtual router “VRF2” side is a low-priority traffic route. In the example of FIG. 7, there are two VPNs. However, in reality, it is considered that more VPNs are accommodated in the collective virtual router and more traffic is processed in the collective virtual router.

  As illustrated in FIG. 7, the integrated AAA device acquires information for determining whether or not a congestion state has occurred, for example, from an aggregate virtual router, and the acquired information exceeds a predetermined threshold value. It is determined whether or not a congestion state has occurred. Further, when the integrated AAA device determines that a congestion state has occurred, the traffic route having a low priority among a plurality of routes, that is, the route on the virtual router “VRF2” side (for example, the entry side of the collective virtual router) Instructed to discard the traffic at (I / F), for example, is transmitted to the collective virtual router.

  FIG. 8 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the first embodiment. As illustrated in FIG. 8, the integrated AAA device 100 according to the first embodiment includes a communication unit 110, an input unit 111, an output unit 112, an input / output control I / F unit 113, a storage unit 120, and a control. Part 130.

  The communication unit 110 is, for example, a general interface for IP (Internet Protocol) communication, and performs communication with a collective virtual router, a traffic separation and integration device, and the like. It is assumed that the integrated AAA device 100 is connected to the collective virtual router, the traffic separation and integration device, and the like through a monitoring network (not shown).

  The input unit 111 is, for example, a keyboard or a mouse, and receives input of various operations. In the first embodiment, for example, the input unit 111 receives an input of an information threshold value for determining whether or not a congestion state has occurred by using a keyboard or a mouse. The output unit 112 is a display, for example, and outputs information for various operations. In the first embodiment, the output unit 112 outputs, for example, an input screen for inputting a threshold value. The input / output control I / F (Interface) unit 113 controls input / output among the input unit 111, the output unit 112, the storage unit 120, and the control unit 130. The integrated AAA device 100 does not necessarily include the input unit 111 and the output unit 112. For example, the integrated AAA device 100 communicates with another management terminal or a user Web server via the communication unit 110, and inputs and outputs information. May be sent and received.

  The storage unit 120 is, for example, a semiconductor memory device such as a random access memory (RAM), a read only memory (ROM), or a flash memory, a hard disk, an optical disk, and the like, and stores various types of information. Specifically, the storage unit 120 includes a condition storage unit 121 and a control information storage unit 122 as illustrated in FIG.

  The condition storage unit 121 stores a condition for determining whether or not a congestion state has occurred. Specifically, the condition storage unit 121 stores conditions in advance by being input by, for example, an operator of an inter-VPN connection service, and the conditions stored in the condition storage unit 121 are processed by the traffic monitoring unit 131 described later. Used for.

  9 and 10 are diagrams for explaining conditions for determining whether or not a congestion state has occurred. There is a relationship as illustrated in FIG. 9 between the CPU usage rate of the aggregate virtual router and the throughput. That is, when the CPU usage rate exceeds 70%, the throughput is remarkably reduced (quality is remarkably deteriorated). Further, there is a relationship as illustrated in FIG. 10 between the CPU usage rate of the collective virtual router and the latency. That is, when the CPU usage rate exceeds 70%, the latency is remarkably increased (quality is remarkably deteriorated). For this reason, for example, the condition storage unit 121 stores a threshold value of “CPU usage rate 70%” as a condition for determining whether or not a congestion state has occurred. The condition storage unit 121 stores a condition for determining whether or not the congestion state has been resolved. For example, the condition storage unit 121 stores a condition that “the threshold value of the CPU usage rate of 50% has not been exceeded for 5 seconds continuously”.

  The control information storage unit 122 stores various information used for control by the integrated AAA device 100. Specifically, the control information storage unit 122 stores control information in advance by being input by, for example, an operator of an inter-VPN connection service, and the control information stored in the control information storage unit 122 is traffic monitoring described later. Used for processing by the unit 131 and the traffic control unit 132.

  FIG. 11 is a diagram for explaining the control information. For example, as illustrated in FIG. 11, the control information storage unit 122 stores identification information and an address for the collective virtual router to be monitored. Further, as illustrated in FIG. 11, the control information storage unit 122 stores information acquisition triggers, determination conditions, control when conditions are met, control when conditions are not met, and the like. Note that these pieces of control information are only examples. For example, information acquisition triggers and judgment conditions, control when conditions are met, control when conditions are not met may differ depending on the device to be monitored, and the same type of device (for example, between aggregate virtual routers, etc.) ) May be the same.

  For example, in the example of FIG. 11, the collective virtual router monitored by the integrated AAA device 100 is “aggregate virtual router 1” (for example, the collective virtual router illustrated in FIG. 7). "IP address 1" is used when communicating with the. Further, the control information storage unit 122 stores, for example, “1 second interval” as an information acquisition trigger, that is, a monitoring timing. In addition, the control information storage unit 122 stores “conditions stored in the condition storage unit 121” as determination conditions. That is, as described above, the threshold value “CPU usage rate 70%” indicates the determination condition. In addition, the control information storage unit 122 discards traffic at the I / F that is the path on the side of the virtual router “VRF2” and that is on the entrance side of the “collective virtual router 1” as the control content when the condition is met. "Send instruction information for instructing to be sent to" collective virtual router 1 "".

  Further, as illustrated in FIG. 11, the control information storage unit 122 associates “instruction virtual router 1” with instruction information for instructing to stop discarding traffic in association with “control when condition is not met”. “Send to” is stored. That is, when the integrated AAA device 100 continues monitoring and determines that the congestion state has been resolved (the condition that “the threshold of 50% of the CPU usage rate has not been exceeded for 5 seconds continuously”). If applicable, instruction information for instructing to stop discarding traffic is transmitted to the corresponding device.

  The control unit 130 controls various processes executed in the integrated AAA device 100. Specifically, as illustrated in FIG. 8, the control unit 130 includes a traffic monitoring unit 131 and a traffic control unit 132.

  The traffic monitoring unit 131 acquires information for determining whether or not a congestion state has occurred, and determines whether or not a congestion state has occurred because the acquired information exceeds a predetermined threshold. If the traffic monitoring unit 131 determines that a congestion state has occurred, the traffic monitoring unit 131 notifies the traffic control unit 132 accordingly.

  For example, the traffic monitoring unit 131 communicates with the collective virtual router periodically (or at an appropriate timing), and the CPU usage rate collected by the collective virtual router is determined based on whether or not a congestion state has occurred. Received from the collective virtual router as information for determination. At this time, the traffic monitoring unit 131 refers to the control information storage unit 122 and communicates with the “aggregate virtual router 1” using “IP address 1”, for example, and the information acquisition opportunity “1 second interval” ”To receive the CPU usage rate. Next, when the traffic monitoring unit 131 receives the CPU usage rate from the collective virtual router, the traffic monitoring unit 131 refers to the condition storage unit 121 and determines whether or not the received CPU usage rate exceeds the threshold value of “CPU usage rate 70%”. Determine. When the traffic monitoring unit 131 determines that the traffic exceeds the traffic monitoring unit 131, the traffic monitoring unit 131 notifies the traffic control unit 132 accordingly.

  When the traffic monitoring unit 131 determines that a congestion state has occurred, the traffic control unit 132 provides instruction information for instructing the traffic to be discarded on a traffic route having a low priority among a plurality of routes. To the device that forms

  For example, when receiving a notification from the traffic monitoring unit 131 that the traffic control unit 132 determines that the threshold value is exceeded, the traffic control unit 132 refers to the control information storage unit 122 and acquires information stored as control content when a condition is met. Then, the traffic control unit 132 provides instruction information for instructing to discard the traffic of “Best Effort Class” at the I / F on the virtual router “VRF2” side and on the entrance side of the collective virtual router. For example, it transmits to “Aggregate Virtual Router 1”. Generally, the traffic of the “Best Effort Class” traffic is larger than the traffic of the “Priority Class”, and therefore the effectiveness is considered high. It should be noted that how much traffic of “Best Effort Class” is allowed to pass and how much is to be discarded may be controlled based on a predetermined value, or the I / F on the entry side may be controlled. You may control dynamically, measuring the traffic amount to pass.

  In the first embodiment, the example of acquiring the “CPU usage rate of the collective virtual router” as information for determining whether or not a congestion state has occurred has been described. However, the disclosed technique is limited to this. is not. As described above, for example, as information for determining whether or not a congestion state has occurred, “band in use measured by the I / F of the collective virtual router”, “I / F of the collective virtual router” ”Available bandwidth measured”, “Availability of bandwidth measured at I / F of aggregate virtual router (ratio of bandwidth in use to bandwidth allocated to I / F)”, “Availability of aggregate virtual router "Transfer amount of packets measured by I / F (number of packets per unit time and packet size)", "Packet discard rate measured by I / F of aggregate virtual router", "I of aggregate virtual router The “Queue length measured at / F” may be used.

  For example, the integrated AAA device 100 determines that a congestion state has occurred if the “band in use” is greater than a predetermined threshold. Further, for example, the integrated AAA device 100 determines that a congestion state has occurred if the “free bandwidth” is smaller than a predetermined threshold. For example, the integrated AAA device 100 determines that a congestion state has occurred if the “utilization rate” is higher than a predetermined threshold. Further, for example, when the “number of packets per unit time” is larger than a predetermined threshold and the “packet size” is smaller than the predetermined threshold, the integrated AAA device 100 has a load of routing processing, for example. Since it becomes high, it is determined that a congestion state has occurred. Further, for example, if the “packet discard rate” is larger than a predetermined threshold, the integrated AAA device 100 determines that a congestion state has occurred. For example, if the “Queue length” is longer than a predetermined threshold, the integrated AAA device 100 determines that a congestion state has occurred. In addition, when using these methods described above, the integrated AAA device 100 stores in advance the threshold corresponding to each method in the condition storage unit 121. Similarly, for example, the integrated AAA device 100 uses “bandwidth in use”, “empty bandwidth”, “ Bandwidth utilization rate ”,“ packet transfer amount ”,“ packet discard rate ”,“ Queue length ”, and the like may be acquired from the traffic separation and integration apparatus. In this case, the integrated AAA device 100 stores threshold values corresponding to these methods in the condition storage unit 121 in advance.

  Further, for example, the integrated AAA device 100 communicates periodically (or at an appropriate timing) with the traffic separation and integration device, and for example, transmits and receives measurement packets between the traffic separation and integration devices. For example, the integrated AAA device 100 transmits a measurement packet to one of the traffic separation and integration devices (for example, inserts it into the traffic of “Priority Class”), and receives the measurement packet from the other traffic separation and integration device. To do. Then, the integrated AAA device 100 compares the interval at the time of transmission of the measurement packet with the interval at the time of reception, estimates the empty bandwidth from the fluctuation, actually measures the delay time, etc. Information for determining whether or not has occurred may be acquired. In this case, the integrated AAA device 100 stores in advance in the condition storage unit 121 a threshold value corresponding to an increase in an empty band or a delay time.

  Further, for example, the integrated AAA device 100 communicates with the traffic separation / integration device periodically (or at an appropriate timing). For example, a user packet that is a target of processing in one traffic separation / integration device is transmitted. When arriving at the other traffic demultiplexing / integrating apparatus, the user packet transmission interval between the two traffic demultiplexing / integrating apparatuses is compared with the reception interval, and the empty band is estimated from the fluctuation, or the delay time Information for determining whether a congestion state has occurred may be acquired by actually measuring the elongation. In this case, the integrated AAA device 100 stores in advance in the condition storage unit 121 a threshold value corresponding to an increase in an empty band or a delay time.

  In the first embodiment, the integrated AAA device 100 voluntarily acquires information from the collective virtual router, so-called pull-type monitoring is assumed. However, the disclosed technique is not limited to this, for example, collective The virtual router stores a threshold value of “CPU usage rate of 70%”, and determines whether or not the aggregate virtual router exceeds the threshold value of “CPU usage rate of 70%” at intervals of 1 second, for example. In this case, so-called push type monitoring in which the collective virtual router notifies the integrated AAA device 100 may be used.

  In the first embodiment, an example in which traffic is discarded at the I / F on the entry side of the collective virtual router has been described. However, the disclosed technique is not limited to this. For example, the traffic may be discarded by a traffic separation / integration device or an address translation device. In the first embodiment, the example of discarding the traffic of “Best Effort Class” has been described. However, the present invention is not limited to this, and the traffic to be discarded and the traffic to be discarded even if a congestion state occurs. The integrated AAA device may store in advance information for identifying traffic that is not to be transmitted, and control for instructing discarding may be performed based on this information.

[Traffic Control Processing Procedure According to Embodiment 1]
FIG. 12 is a flowchart illustrating the traffic control processing procedure according to the first embodiment. As illustrated in FIG. 12, in the integrated AAA device 100, the traffic monitoring unit 131 communicates periodically (or at an appropriate timing) with the collective virtual router, and the CPUs collected by the collective virtual router By receiving the usage rate from the collective virtual router, the traffic is monitored (step S101).

  When the traffic monitoring unit 131 receives the CPU usage rate from the collective virtual router, the traffic monitoring unit 131 refers to the condition storage unit 121 and determines whether or not the received CPU usage rate exceeds the threshold value of “CPU usage rate 70%”. By determining, a congestion state is determined (step S102).

  If it is determined that the threshold value is not exceeded (No at Step S103), the traffic monitoring unit 131 returns to the process at Step S101. On the other hand, when it is determined that the threshold value is exceeded (Yes at Step S103), in the integrated AAA device 100, the traffic control unit 132 is the path on the virtual router “VRF2” side and the I / F on the entry side of the collective virtual router. Then, the instruction information for instructing to discard the traffic of “Best Effort Class” is transmitted to, for example, “aggregate virtual router 1” (step S104).

[Effect of Example 1]
As described above, in the first embodiment, the integrated AAA device 100 controls the traffic of the inter-VPN communication system including the collective virtual router, the VPN termination device, and the traffic separation and integration device. Specifically, the traffic monitoring unit 131 monitors at least one of the collective virtual router and the traffic separation and integration device, thereby obtaining at least one of the traffic information and the resource information from the device. It is determined whether or not the acquired information meets a predetermined condition. In addition, when the traffic control unit 132 determines that the information satisfies the condition, the traffic control unit 132 sends instruction information for controlling traffic on the route to at least one of the aggregate virtual router and the traffic separation and integration device. To send.

For example, the traffic monitoring unit 13 1 judges whether the congestion has occurred by the acquired information to determine whether conditions are true, the traffic control unit 132, it is determined that the congestion condition occurs In this case, instruction information for instructing to discard the traffic on a low-priority traffic path among a plurality of paths is transmitted to at least one of the aggregate virtual router and the traffic separation and integration apparatus. .

  For this reason, according to the first embodiment, traffic can be appropriately controlled. As a result, it is possible to control such that congestion is reduced and, for example, high priority traffic is relieved.

[Traffic Control by Integrated AAA Device According to Second Embodiment]
In the integrated AAA device according to the second embodiment, when a plurality of routes separated for each traffic type are formed between VPNs, a high load state is generated from the device by monitoring the devices on the route. Information for determining whether or not the information has been acquired is determined, and it is determined whether or not the acquired information satisfies a predetermined condition. When the integrated AAA device determines that the acquired information satisfies the condition, the integrated AAA device transmits instruction information for controlling traffic on the route to the device that forms the route.

  As information for determining whether or not a high load state has occurred, for example, there is information relating to traffic and information relating to resources. Specific examples include, for example, “CPU usage rate of aggregate virtual router”, “Band in use measured by I / F of aggregate virtual router”, “Measured by I / F of aggregate virtual router” "Available bandwidth", "Availability of bandwidth measured at I / F of aggregate virtual router (ratio of bandwidth in use to bandwidth allocated to I / F)", "I / F of aggregate virtual router Packet transfer amount (number of packets per unit time and packet size) ”,“ memory usage rate of aggregate virtual router ”, and the like.

  In this regard, in the following, an example in which the integrated AAA device acquires “CPU usage rate of the collective virtual router” as information for determining whether or not a high load state has occurred will be described. The integrated AAA device according to the second embodiment acquires the “CPU usage rate of the collective virtual router” as information for determining whether or not a high load state has occurred, and the acquired information exceeds a predetermined threshold. Thus, it is determined whether or not a high load state has occurred. In addition, when the integrated AAA device determines that a high load condition has occurred, the integrated AAA device provides instruction information for instructing to allocate traffic on the route in which the high load condition has occurred to another route to the device that forms the route. Send.

  FIG. 13 is a diagram for explaining traffic control according to the second embodiment. As illustrated in FIG. 13, in the second embodiment, a path of the virtual router “VRF1” and a virtual router “VRF2” are separated between the VPN1 and the VPN2, for example, as a plurality of paths separated according to the type of application. ”And the route of the virtual router“ VRF3 ”are formed. Each route is formed in a different collective virtual router.

  As illustrated in FIG. 13, the integrated AAA device acquires information for determining whether or not a high load state has occurred, for example, from an aggregate virtual router, and the acquired information exceeds a predetermined threshold value. To determine whether or not a high load condition has occurred. When the integrated AAA device determines that a high load state has occurred, the integrated AAA device transfers traffic on the route in which the high load state has occurred, for example, traffic on the route of the virtual router “VRF2” to another route, for example, virtual Instruction information for instructing assignment to the route of the router “VRF1” is transmitted to, for example, the traffic separation and integration apparatus.

  FIG. 14 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the second embodiment. As illustrated in FIG. 14, the integrated AAA device 100 according to the second embodiment is different from the integrated AAA device 100 according to the first embodiment in that the storage unit 120 includes a traffic separation information storage unit 123.

  The condition storage unit 121 according to the second embodiment stores a condition for determining whether or not a high load state has occurred. For example, the condition storage unit 121 stores a threshold value of “CPU usage rate 70%” as a condition for determining whether or not a high load state has occurred.

  The control information storage unit 122 according to the second embodiment stores various types of information used for control by the integrated AAA device 100 as in the first embodiment. FIG. 15 is a diagram for explaining the control information. For example, as illustrated in FIG. 15A, the control information storage unit 122 stores identification information and addresses for the collective virtual router to be monitored. In addition, as illustrated in FIG. 15A, the control information storage unit 122 stores information acquisition triggers, determination conditions, control when conditions are applicable, control when conditions are not applicable, and the like. 15 illustrates the control information related to one collective virtual router, but is not limited thereto. The control information storage unit 122 may control information related to each of the three collective virtual routers illustrated in FIG. Remember. Further, the control information storage unit 122 stores identification information and an address for the traffic separation and integration device as illustrated in FIG.

  Note that these pieces of control information are only examples. For example, information acquisition triggers and judgment conditions, control when conditions are met, control when conditions are not met may differ depending on the device to be monitored, and the same type of device (for example, between aggregate virtual routers, etc.) ) May be the same.

  For example, in the example of FIG. 15, the collective virtual router monitored by the integrated AAA device 100 is “aggregate virtual router 1” (for example, the leftmost collective virtual router illustrated in FIG. 13 corresponds). When communicating with the collective virtual router, “IP address 1” is used. Further, the control information storage unit 122 stores, for example, “1 second interval” as an information acquisition trigger, that is, a monitoring timing. In addition, the control information storage unit 122 stores “conditions stored in the condition storage unit 121” as determination conditions. That is, as described above, the threshold value “CPU usage rate 70%” indicates the determination condition.

  Further, the control information storage unit 122, as the control content when the condition is met, “instruction information for instructing the application allocated to the virtual router corresponding to the condition to be allocated to another virtual router,“ “To be transmitted to the traffic separating and integrating devices 1 and 2” ”is stored. In the second embodiment, control is not performed when the condition is not met. However, as described later, for example, it may be determined that the threshold is not exceeded while monitoring is continued. In such a case, as illustrated in FIG. 15, for example, the control information storage unit 122 “provides instruction information for instructing to restore the route assignment to the“ traffic separation and integration devices 1 and 2 ”. "Sending" may be stored.

  The traffic separation information storage unit 123 stores separation information indicating what policy the traffic is separated in the traffic separation and integration apparatus. The traffic separation information storage unit 123 stores the separation information acquired from the traffic separation / integration device, for example, by the integrated AAA device 100 periodically communicating with the traffic separation / integration device. The separation information stored in the traffic separation information storage unit 123 is used for processing by the traffic control unit 132.

  FIG. 16 is a diagram for explaining the separation information. For example, as illustrated in FIG. 16, the traffic separation information storage unit 123 stores information for identifying an application assigned to the route for each route. For example, in FIG. 16, applications “AP1” and “AP2” are assigned to the route of the virtual router “VRF1”, and applications “AP3” and “AP4” are assigned to the route of the virtual router “VRF2”. It shows that applications “AP5” and “AP6” are assigned to the route of the virtual router “VRF3”.

  The traffic monitoring unit 131 according to the second embodiment acquires information for determining whether or not a high load state has occurred for each route, and the acquired information exceeds a predetermined threshold value so that the high load state is detected. Determine whether it occurred. If the traffic monitoring unit 131 determines that a high load state has occurred, the traffic monitoring unit 131 notifies the traffic control unit 132 of the fact.

  The traffic control unit 132 according to the second embodiment instructs the traffic monitoring unit 131 to assign the traffic on the route in which the high load state occurs to another route when the traffic monitoring unit 131 determines that the high load state has occurred. Is transmitted to the device forming the path.

  For example, when the traffic control unit 132 receives a notification from the traffic monitoring unit 131 that the threshold of the virtual router “VRF2” is determined to exceed the threshold, the traffic control unit 132 refers to the control information storage unit 122 and sets the control content when the condition is met. Get stored information. Then, the traffic control unit 132 refers to the traffic separation information storage unit 123 and transfers at least one of the applications “AP3” and “AP4” assigned to the virtual router “VRF2” to the other virtual router “ It is determined to assign to the route of “VRF1” or the route of “VRF3”. Here, for example, two methods can be considered as to which of the routes of the other virtual router “VRF1” or “VRF3” is assigned. First, since the integrated AAA device 100 receives the CPU usage rate from each of the aggregate virtual routers, for example, a route formed in the aggregate virtual router in the state where the load is the lowest (state where the CPU usage rate is low). This is a method of dynamically selecting and assigning. The other is a method in which an allocation rule is determined in advance and stored in a storage unit, and the traffic control unit 132 selects and allocates a route according to this rule.

  Then, for example, the traffic control unit 132 instructs to assign the application “AP3” assigned to the virtual router “VRF2” to the virtual router “VRF1” determined to have the lowest load. Is transmitted to, for example, “traffic separation and integration devices 1 and 2”. At this time, the traffic control unit 132 refers to the control information storage unit 122, performs communication with the “traffic separation and integration device 1” using, for example, “IP address T-1”, and transmits instruction information. . By allocating traffic on a route with high load to other routes, load distribution can be realized. For example, even when the number of users increases, the inter-VPN connection service is highly scalable. Can be provided.

  In the second embodiment, the example of acquiring the “CPU usage rate of the collective virtual router” as information for determining whether or not a high load state has occurred has been described, but the disclosed technique is limited to this. It is not a thing. As described above, for example, as information for determining whether or not a high load state has occurred, “band in use measured by the I / F of the collective virtual router”, “I / F of the collective virtual router” "Available bandwidth measured at the I / F", "Availability of bandwidth measured at the I / F of the aggregate virtual router (ratio of bandwidth in use to the bandwidth allocated to the I / F)" Packet transfer amount (number of packets per unit time and packet size) ”,“ memory usage rate of aggregate virtual router ”, and the like may be used.

  For example, if the “band in use” measured at a certain I / F is larger than a predetermined threshold, the integrated AAA device 100 determines that a high load state has occurred in the path corresponding to this I / F. . Further, for example, if the “free bandwidth” measured at a certain I / F is smaller than a predetermined threshold, the integrated AAA device 100 determines that a high load state has occurred in the path corresponding to this I / F. . Further, for example, if the “utilization rate” measured at a certain I / F is higher than a predetermined threshold, the integrated AAA device 100 determines that a high load state has occurred in the path corresponding to this I / F. . Further, for example, the integrated AAA device 100 has a case where the “number of packets per unit time” measured at a certain I / F is larger than a predetermined threshold and the “packet size” is smaller than the predetermined threshold. For example, since the load of routing processing increases, it is determined that a high load state has occurred in the route corresponding to the I / F. Further, for example, if the “memory usage rate” of a certain aggregate virtual router is higher than a predetermined threshold, the integrated AAA device 100 determines that a high load state has occurred in the path corresponding to this aggregate virtual router. In addition, when using these methods described above, the integrated AAA device 100 stores in advance the threshold corresponding to each method in the condition storage unit 121. Similarly, for example, the integrated AAA device 100 uses “bandwidth in use”, “empty bandwidth” collected by the traffic separation and integration device as information for determining whether or not a high load state has occurred. “Bandwidth utilization rate”, “packet transfer amount”, and the like may be acquired from the traffic separation and integration apparatus. In this case, the integrated AAA device 100 stores threshold values corresponding to these methods in the condition storage unit 121 in advance.

  In the second embodiment, it is assumed that the integrated AAA device 100 voluntarily acquires information from the collective virtual router, so-called pull-type monitoring. However, the disclosed technology is not limited to this. The virtual router stores a threshold value of “CPU usage rate of 70%”, and determines whether or not the aggregate virtual router exceeds the threshold value of “CPU usage rate of 70%” at intervals of 1 second, for example. In this case, so-called push type monitoring in which the collective virtual router notifies the integrated AAA device 100 may be used.

  In the second embodiment, the integrated AAA device 100 monitors the collective virtual router and dynamically changes the route assignment. However, the disclosed technique is not limited to this. For example, load distribution may be realized by distributing packets flowing from the VPN side to the traffic separation and integration device one by one to a plurality of routes. According to such a method, the usage rates of the plurality of paths (the usage rates of the respective aggregate virtual routers) are equally distributed and the load is distributed.

  In the second embodiment, the integrated AAA device 100 monitors the collective virtual router, determines that a high load state has occurred in a certain route, and changes the route assignment. Is not limited to this. For example, when new traffic is generated, such as when a new application is used in connection between VPNs or when a new terminal is connected, the integrated AAA device 100 provides information (for example, “ Collect virtual router CPU usage ”), compare the load between routes using the acquired information, and assign newly generated traffic to the route with the lowest load. The load may be controlled so as not to be biased.

  That is, for example, the condition storage unit 121 stores a condition for determining whether or not new traffic has occurred. For example, the condition storage unit 121 receives “a notification that an application has been added from a collective virtual router” or “a notification that a terminal has been added from a VPN termination device” Remember that. When the traffic monitoring unit 131 receives the notification from the collective virtual router or the VPN terminating device, the traffic monitoring unit 131 refers to the condition storage unit 121 and determines whether the notification satisfies the condition stored in the condition storage unit 121. By determining, it is determined whether or not new traffic has occurred. Then, the traffic control unit 132 acquires the “CPU usage rate of the aggregate virtual router” for each route from each of the aggregate virtual routers, compares the height of the load between the routes, and determines the route with the lowest load. That is, the traffic control unit 132 identifies the route with the lowest load as the route in the low load state based on the comparison result. Subsequently, the traffic control unit 132 integrates the traffic separation / consolidation instruction information for instructing the newly identified traffic to be assigned to the route identified as the low load state route, that is, the route determined to have the lowest load. Send to the device.

  Furthermore, when the integrated AAA device continues monitoring, when it is determined that the load of the original aggregate virtual router does not exceed the threshold even if the traffic whose route assignment has been changed is returned to the original route, Instruction information for instructing to restore the route assignment to the original may be transmitted to the corresponding device. In this case, for example, as illustrated in FIG. 15, the traffic control unit 132 may perform control according to “control when the condition is not met” stored in the control information storage unit 122. For example, in the above example, in order to determine whether or not to change the route assignment, it is determined whether or not the threshold of “CPU usage rate 70%” is exceeded. A second threshold value “CPU usage rate 50%” is stored separately from “CPU usage rate 70%”, and this second threshold value “CPU” is used to determine whether or not it is possible to return to the original path. It may be determined whether the usage rate is less than 50%. However, the traffic whose route assignment has been changed may be operated as it is without returning to the original route. That is, for example, once the route assignment is changed, the traffic control unit 132 starts monitoring with the state after the assignment as an initial state, and when the route after the assignment exceeds a threshold of, for example, “CPU usage rate 70%” Alternatively, the control may be such that the route assignment is changed again. In addition, although the example which specifies the path | route with the lowest load as the allocation destination of the newly generated traffic was demonstrated, the technique of indication is not restricted to this. New traffic allocation destinations are determined not only to the route identified as having the lowest load, but, for example, among N routes, M routes are determined to be in a low load state in order of load, and this route is determined. One or more routes among the low-load state routes may be assigned to newly generated traffic. At this time, the condition storage unit 121 stores condition information such as a threshold value for determining the lower M.

  Further, for example, a method of determining a route to which an application is fixedly fixed by policy-based routing and statically distributing the load is conceivable. For example, the application is classified according to a specific application, a ToS value, or the like, and is routed on a policy basis in the traffic separation and integration apparatus.

  In the second embodiment, the integrated AAA device 100 monitors each of the plurality of aggregate virtual routers, and the CPU usage rate acquired from a certain aggregate virtual router exceeds a predetermined threshold (for example, “CPU usage rate 70%”). Thus, although an example in which it is determined that a high load state has occurred in the route corresponding to the aggregate virtual router has been described, the disclosed technique is not limited thereto. By determining the load bias between the collective virtual routers based on the information obtained from each of the multiple collective virtual routers, the load corresponding to a certain collective virtual router is biased in the direction of higher load (that is, the high load state is It may be determined.

  For example, it is assumed that four collective virtual routers form four paths each. The condition storage unit 121 stores, for example, a threshold value of a distributed value of “CPU usage rate of the aggregate virtual router” as a condition for determining whether or not the load is biased. The traffic monitoring unit 131 communicates with each of the four collective virtual routers periodically (or at an appropriate timing), and the CPU usage rate collected by each of the collective virtual routers is used as the collective virtual router. Receive from each. For example, the traffic monitoring unit 131 acquires “100%”, “50%”, “50%”, and “0%”.

  Next, the traffic monitoring unit 131 uses the acquired information to obtain a variance value of the “CPU usage rate of the aggregate virtual router” and compares it with the threshold value of the variance value stored in the condition storage unit 121. Then, it is determined whether or not there is a load imbalance between the aggregate virtual routers. Here, when it is determined that the calculated variance value exceeds the threshold value and the load is biased, the traffic control unit 132 continues to use the four CPUs acquired by the traffic monitoring unit 131. By comparing the rates, a route corresponding to the aggregate virtual router showing the highest CPU usage rate and a route corresponding to the aggregate virtual router showing the lowest CPU usage rate are specified. Then, the traffic control unit 132 provides the instruction information for instructing to allocate part or all of the traffic flowing through the route determined to have the highest load to the route determined to have the lowest load. Sent to the separate integration device. This assignment can be performed in any unit such as a user unit, an application unit, or a QoS class unit. For example, when 10 users use the route corresponding to the collective virtual router with the CPU usage rate “100%”, the traffic of the 5 users is used for the collective virtual with the CPU usage rate “0%”. What is necessary is just to allocate to the path | route corresponding to a router. At this time, assuming that the CPU usage rate of each of the 10 users is equal, the CPU usage rates of the four collective virtual routers are 50%, thereby suppressing the load bias. Further, for example, the load bias may be suppressed by appropriately allocating a part or all of the traffic flowing through the route with the highest load to one or more other routes. Note that the distribution at the time of allocating traffic is not limited to the above example, and can be arbitrarily changed according to the load bias or the operation mode.

[Traffic Control Processing Procedure According to Second Embodiment]
FIG. 17 is a flowchart illustrating a traffic control processing procedure according to the second embodiment. As illustrated in FIG. 17, in the integrated AAA device 100, the traffic monitoring unit 131 periodically communicates with the aggregate virtual router (or at an appropriate timing), and the CPUs collected by the aggregate virtual router By receiving the usage rate from the collective virtual router, the traffic is monitored (step S201).

  When the traffic monitoring unit 131 receives the CPU usage rate from the collective virtual router, the traffic monitoring unit 131 refers to the condition storage unit 121 and determines whether or not the received CPU usage rate exceeds the threshold value of “CPU usage rate 70%”. By determining, a high load state is determined (step S202).

  If it is determined that the threshold value is not exceeded (No at Step S203), the traffic monitoring unit 131 returns to the process at Step S201. On the other hand, when it is determined that the threshold value is exceeded (Yes in step S203), in the integrated AAA device 100, for example, the traffic control unit 132 changes the application “AP3” assigned to the virtual router “VRF2” to the virtual router “VRF2”. Instruction information for instructing allocation to “VRF1” is transmitted to the traffic separation and integration apparatus (step S204).

[Effect of Example 2]
As described above, in the second embodiment, the traffic monitoring unit 131 determines whether or not a high load state has occurred by determining whether or not the information acquired for each route from the collective virtual router satisfies the condition. When the traffic control unit 132 determines that a high load state has occurred, the traffic control unit 132 instructs at least the traffic separation and integration device to instruct the traffic on the route in which the high load state has occurred to be assigned to another route. To send.

  Alternatively, in the second embodiment, the traffic monitoring unit 131 determines whether new traffic to be controlled has occurred in the inter-VPN communication system by determining whether or not the acquired information satisfies a condition. When it is determined that new traffic has occurred, the traffic control unit 132 compares the load state between routes using information acquired for each route from the aggregate virtual router, and the low load state based on the comparison result And the instruction information for instructing the newly generated traffic to be assigned to the specified route is transmitted to at least the traffic separation and integration apparatus.

  For this reason, according to the second embodiment, traffic can be appropriately controlled. That is, load distribution can be realized by assigning traffic on a route in a high load state to another route. Alternatively, load distribution can be realized so as to prevent the load from being biased between routes by assigning newly generated traffic to the route with the lowest load. For example, even when the number of users increases, the inter-VPN connection service can be provided with high scalability.

[Traffic Control by Integrated AAA Device According to Embodiment 3]
In the integrated AAA device according to the third embodiment, when a plurality of routes separated for each traffic type are formed between the VPNs, whether a failure state has occurred from the device by monitoring the devices on the route. The information for determining whether or not is acquired, and it is determined whether or not the acquired information meets a predetermined condition. When the integrated AAA device determines that the acquired information satisfies the condition, the integrated AAA device transmits instruction information for controlling traffic on the route to the device that forms the route.

  Information for determining whether or not a failure state has occurred includes, for example, information related to traffic and information related to resources. Specific examples include, for example, “Receiving status of life / death confirmation packet”, “Traffic amount observed at I / F of each device forming path”, “Dynamic routing set in aggregate virtual router” Disappearance of information ”.

  In this regard, hereinafter, an explanation will be given using an example in which the integrated AAA device acquires the “status of receipt of life / death confirmation packet” as information for determining whether or not a failure state has occurred. The integrated AAA device according to the third embodiment acquires the “life / life confirmation packet reception status” as information for determining whether or not a failure state has occurred, and satisfies the determination condition that the life / death confirmation packet cannot be received normally. By determining whether or not this is the case, it is determined whether or not a failure state has occurred. In addition, when the integrated AAA device determines that a failure state has occurred, the integrated AAA device transmits instruction information for instructing the traffic on the route in which the failure state has occurred to be allocated to the backup route to the device that forms the route. To do.

  FIG. 18 is a diagram for explaining traffic control according to the third embodiment. As illustrated in FIG. 18, in the third embodiment, the path of the virtual router “VRF1” is configured as a plurality of paths between the VPN1 and the VPN2 by a policy such as separation according to the type of application, A route for the virtual router “VRF2” and a route for the virtual router “VRF3” are formed. Each route is formed in a different collective virtual router. Here, the route of the virtual router “VRF3” is a backup (back up) route. That is, the collective virtual router in which the virtual router “VRF3” is set is in a state where the physical connection is completed.

  As illustrated in FIG. 18, the integrated AAA device acquires information for determining whether or not a failure state has occurred from, for example, a collective virtual router or a traffic separation and integration device, and the acquired information is predetermined. It is detected that a failure state has occurred by determining whether or not the condition is met. Further, when the integrated AAA device detects that a failure state has occurred, the integrated AAA device converts the traffic on the route in which the failure state has occurred, for example, the traffic on the virtual router “VRF2” into the backup route, for example, the virtual router. Instruction information for instructing allocation to the route of “VRF3” is transmitted to, for example, the traffic separation and integration device and the address translation device.

  FIG. 19 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the third embodiment. As illustrated in FIG. 19, the integrated AAA device 100 according to the third embodiment is different from the integrated AAA device 100 according to the first embodiment in that the storage unit 120 includes a setting information storage unit 124.

  The condition storage unit 121 according to the third embodiment stores a condition for determining whether or not a failure state has occurred. For example, the condition storage unit 121 stores “a life / death confirmation packet cannot be received normally” as a condition for determining whether or not a failure has occurred.

  The control information storage unit 122 according to the third embodiment stores various types of information used for control by the integrated AAA device 100 as in the first embodiment. 20 and 21 are diagrams for explaining the control information. For example, as illustrated in FIG. 20A, the control information storage unit 122 stores addresses for the traffic separation and integration device and the collective virtual router to be monitored. Here, as will be described later, the traffic monitoring unit 131 according to the third embodiment causes the packet for life and death confirmation to flow on the route in the order of the traffic separation and integration device, the collective virtual router, and the traffic separation and integration device for each route. Then, whether the route is active or not, that is, a failure state (whether a failure has occurred in the route due to a failure in any device on the route) is monitored. For this reason, as illustrated in FIG. 20A, the control information storage unit 122 according to the third embodiment stores addresses in the order in which packets for life and death confirmation are flown for each path.

  In addition, as illustrated in FIG. 20B, the control information storage unit 122 stores information acquisition triggers, determination conditions, control when conditions are met, control when conditions are not met, and the like. In addition, the control information storage unit 122 stores identification information and addresses of each device, as illustrated in FIG. Note that these pieces of control information are only examples. For example, information acquisition triggers and determination conditions, control when conditions are met, control when conditions are not met, and the like may differ depending on the device to be monitored.

  For example, in the example of FIG. 20B, the control information storage unit 122 stores, for example, “1 second interval” as an information acquisition trigger, that is, a monitoring timing. In addition, the control information storage unit 122 stores “conditions stored in the condition storage unit 121” as determination conditions. That is, as described above, the determination condition is that “life and death confirmation packet cannot be received normally”.

  In addition, the control information storage unit 122 transmits “(1) the setting information of the virtual router corresponding to the condition to the spare aggregate virtual router, and the virtual router corresponding to the condition as control contents when the condition is satisfied. The address translation information used in the address translation device on the path of (2) is transmitted to the address translation device on the backup path ”and“ (2) on the route of the virtual router corresponding to the condition ”Is sent to the traffic separation and integration apparatus for instructing to allocate the traffic to the backup route”. That is, as will be described later, the traffic control unit 132 performs control according to both (1) and (2) when a condition is met.

  The setting information storage unit 124 stores virtual router setting information and address translation device setting information for each path. The setting information storage unit 124 stores setting information acquired by, for example, periodically communicating with a collective virtual router or an address translation device, and the setting information stored in the setting information storage unit 124 is traffic to be described later. Used for processing by the monitoring unit 131.

  FIG. 22 is a diagram for explaining the setting information. For example, as illustrated in FIG. 22, the setting information storage unit 124 sets, for each path, virtual router setting information set in the aggregate virtual router to form the path, and an address to form the path. The setting information set in the conversion device is stored.

  The traffic monitoring unit 131 according to the third embodiment acquires information for determining whether or not a failure state has occurred, and determines whether or not the acquired information satisfies a predetermined condition. Detect that occurred. When the traffic monitoring unit 131 detects that a failure state has occurred, the traffic monitoring unit 131 notifies the traffic control unit 132 accordingly.

  For example, for each route, the traffic monitoring unit 131 sends a life / death confirmation packet on the route in the order of the traffic separation / integration device, the collective virtual router, and the traffic separation / consolidation device. (Whether or not a failure has occurred in the route due to a failure in any device on the route) is monitored. At this time, the traffic monitoring unit 131 refers to the control information storage unit 122 and performs communication with the traffic separation and integration device using, for example, “IP address T-1”, and information acquisition opportunity “1 second interval” ], A packet for life and death confirmation is sent on the route of “VRF1”. Further, the traffic monitoring unit 131 communicates with the traffic separation and integration device using “IP address T-2”, and receives the life and death confirmation packet sent by itself. In addition, the traffic monitoring unit 131 refers to the condition storage unit 121 and acquires that the “life and death confirmation packet cannot be received normally” is the determination condition. It is determined that there is a failure, and a notification to that effect is sent to the traffic control unit 132. That is, the case where the packet for life / death confirmation sent by itself cannot be received is a case where a failure occurs in any of the devices on the route and the packet cannot be passed. Therefore, the route is determined to be a failure.

  When the traffic monitoring unit 131 determines that a failure state has occurred, the traffic control unit 132 according to the third embodiment provides instruction information for instructing the traffic on the route in which the failure state has occurred to be assigned to the backup route. , To the device that forms the path.

  For example, when the traffic control unit 132 receives a notification from the traffic monitoring unit 131 that it is determined that a failure state has occurred in the route of the virtual router “VRF2”, the traffic control unit 132 refers to the control information storage unit 122 and controls the contents of the control when the condition is met. Get the information stored as. Then, the traffic control unit 132 refers to the setting information storage unit 124 and acquires various setting information stored in association with the virtual router “VRF2”. Then, the traffic control unit 132 transmits “VRF2 setting information” to the spare collective virtual router, reflects it in the setting of the virtual router “VRF3”, and changes the “address translation device setting information” to the virtual router “VRF3”. It is transmitted to the address translator on the route of “VRF3” and reflected in the setting of the address translator. Further, for example, the traffic control unit 132 assigns instruction information for instructing traffic on the virtual router “VRF2” to be allocated to a backup route, for example, the route of the virtual router “VRF3”, for example, the traffic separation and integration device and Sent to the address translation device. Thereafter, for example, the operator may replace the failed device. In addition, after repairing the failed device, it may be installed as a spare device. Note that such switching and traffic detouring can be applied not only at the time of failure, but also at the time of version upgrade or renewal of the apparatus, for example.

  In the third embodiment, an example has been described in which, when a failure state is detected, the collective virtual router or the address translation device is dynamically set. However, the disclosed technique is not limited to this. For example, the various setting information may be set in advance in a spare collective virtual router or address translation device. For example, when the address delivery method (1) described in the first embodiment is applied, the setting of the virtual router “VRF1” and the setting of the virtual router “VRF2” are the same. May have the same setting as the virtual router “VRF1” (or “VRF2”). In addition, when the address delivery method (2) described in the first embodiment is applied, the virtual router “VRF1” and the virtual router “VRF2” are set differently. The same settings as the virtual routers “VRF1” and “VRF2” may be made.

  Further, in the third embodiment, the example in which the threshold value that “a life / death confirmation packet cannot be received normally” is stored as a condition for determining whether or not a failure state has occurred in the route to be monitored has been described. However, this technology is not limited to this. For example, the integrated AAA device 100 acquires the traffic volume of the I / F on the incoming side of the aggregate virtual router and the traffic volume of the I / F on the output side, and the traffic is observed at the I / F on the incoming side. Nevertheless, a method of determining that a failure state has occurred may be used in that traffic is not observed at the output I / F. Further, the traffic amount observed at the I / F of the collective virtual router is not limited, and the traffic amount observed at the I / F of another device on the route may be used. Further, for example, it is assumed that the routing information set in the collective virtual router is dynamic such that it disappears when it is not used for a predetermined time. In such a case, the integrated AAA device 100 collects information that “the routing information set in the collective virtual router has disappeared” from the collective virtual router, thereby causing a failure in the path corresponding to the disappeared routing information. It can be determined that a condition has occurred.

[Traffic Control Processing Procedure According to Third Embodiment]
FIG. 23 is a flowchart illustrating a traffic control processing procedure according to the third embodiment. As illustrated in FIG. 23, in the integrated AAA device 100, the traffic monitoring unit 131 causes a life / death confirmation packet to flow on the route in the order of the traffic separation and integration device, the aggregate virtual router, and the traffic separation and integration device for each route. By monitoring the traffic. (Step S301).

  Then, the traffic monitoring unit 131 refers to the condition storage unit 121 and determines whether or not it has received the life / death confirmation packet that it has sent, thereby detecting a failure state (step S302).

  When the life and death confirmation packet sent by itself is received (No at Step S303), the traffic monitoring unit 131 returns to the process at Step S301. On the other hand, when the life and death confirmation packet sent by itself cannot be received, that is, when a failure state is detected (Yes at Step S303), in the integrated AAA device 100, the traffic control unit 132, for example, on the virtual router “VRF2” Is sent to, for example, the traffic separation and integration device and the address translation device. (Step S304).

[Effect of Example 3]
As described above, in the third embodiment, the traffic monitoring unit 131 acquires information indicating path abnormality by executing life and death confirmation for each path, and the acquired information satisfies a predetermined condition. Instruction information for determining whether or not a failure state has occurred, and instructing the traffic control unit 132 to assign traffic on the route in which the failure state has occurred to a backup route when it is determined that the failure state has occurred Is transmitted to at least the traffic separation and integration apparatus.

  For this reason, according to the third embodiment, it becomes possible to detect a failure state and switch to a backup path, and to control traffic appropriately.

[Traffic Control by Integrated AAA Device According to Embodiment 4]
The integrated AAA device according to the fourth embodiment, when a plurality of routes separated for each traffic type are formed between the VPNs, by monitoring the devices on the route, whether or not it is necessary to borrow resources from the device. Is acquired, and it is determined whether or not the acquired information satisfies a predetermined condition. When the integrated AAA device determines that the acquired information satisfies the condition, the integrated AAA device transmits instruction information for controlling traffic on the route to the device that forms the route.

  As information for determining the necessity of borrowing resources, for example, there are information on traffic and information on resources. Specific examples include, for example, “CPU usage rate for each application server (also referred to as“ service providing device ”)”, “free disk space for each application server”, “memory usage rate for each application server”, and the like. is there. Further, for example, there are “application response time measured by a measurement packet or user packet flowing on a route”.

  In this regard, hereinafter, the integrated AAA device will be described using an example in which “CPU usage rate for each application server” is acquired as information for determining the necessity of resource borrowing. The integrated AAA device according to the fourth embodiment acquires “CPU usage rate for each application server” as information for determining whether or not resource borrowing is necessary, and the acquired information exceeds a predetermined threshold value to obtain a resource. It is determined whether a state requiring borrowing (resource shortage state) has occurred. When the integrated AAA device determines that a resource shortage state has occurred, the integrated AAA device searches for an application server that replaces the application server in which the resource shortage state has occurred, and searches for traffic on the path for the application server in which the resource shortage state has occurred. Instruction information for instructing allocation to the path for the alternative application server is transmitted to the apparatus that forms the path.

  24 and 25 are diagrams for explaining traffic control according to the fourth embodiment. As illustrated in FIG. 24, in the fourth embodiment, a path of the virtual router “VRF1” and a virtual router “VRF2” are separated between the VPN1 and the VPN2, for example, as a plurality of paths separated according to the type of application. ”And a route are formed. Each route is formed in a different aggregate virtual router. Further, an application server (one physical casing) on which two applications “APS (Application Server) 1” and “APS 2” operate is connected to the path of the virtual router “VRF2”. In FIG. 24, “Tokyo APS” indicates an application server as a physical casing, and “APS1” and “APS2” are operating on “Tokyo APS”.

  Incidentally, the route of the virtual router “VRF3” illustrated in FIG. 24 is a route for an alternative application server. Such a route may be constructed in advance or may be constructed on demand at the time of switching to an alternative application server. Since the path construction is performed by the above-described inter-VPN connection management system, for example, in the case of construction on demand, the integrated AAA device searches for an alternative application server and establishes a connection with the alternative application server. What is necessary is just to request (transmission connection request between VPNs) to the connection management system between VPNs so that a path | route may be newly constructed | assembled. In the example of FIG. 24, the route of the virtual router “VRF3” is formed by VPN connection. For example, the virtual routers “VRF1”, “VRF2”, and “VRF3” are provided by the same operator, For example, when only geographical conditions are different, the route for “VRF3” does not pass through the public network, so there is no need to use a VPN connection.

  Now, as illustrated in FIG. 24, the integrated AAA device acquires information for determining whether or not a resource shortage state has occurred, for example, from an application server or an operation system that monitors the information, and the acquired information Determines whether or not a resource shortage has occurred by exceeding a predetermined threshold. Note that the integrated AAA device is connected to an application server, an operation system, and the like via a monitoring network (not shown).

  If the integrated AAA device determines that a resource shortage state has occurred, the integrated AAA device searches for an application server in which the resource shortage state has occurred, for example, an application server that replaces “APS2”, and for the “APS2” in which the resource shortage state has occurred. For example, is transmitted to the traffic separation and integration device and the address translation device, instructing the traffic on the route (the route of the virtual router “VRF2”) to be assigned to the route for the alternative application server.

  Here, as described above, the integrated AAA device acquires information indicating the resource usage for each application server as a physical housing. For this reason, for example, the integrated AAA device acquires information indicating the resource usage for “Tokyo APS” and determines that a resource shortage has occurred in “Tokyo APS”. ”And“ APS2 ”are operating, it is separately determined which application should be assigned to the alternative route. In this regard, in the fourth embodiment, the integrated AAA device selects an application that is “resistant to delay”, for example, instruction information that instructs to allocate only the packet of “APS2” that is resistant to delay to the path for the alternative application server. Is transmitted to the traffic separation and integration device and the address translation device. As described above, the traffic separation and integration device can select only a part of the two applications operating in the same casing and assign them to other routes. It is also because routing is performed.

  Then, as illustrated in FIG. 25, the traffic on the route of the virtual router “VRF2” (traffic on the route for “APS2” in which the resource shortage state occurs) is assigned to the route of the virtual router “VRF3”.

  FIG. 26 is a block diagram illustrating the configuration of the integrated AAA device 100 according to the fourth embodiment. As illustrated in FIG. 26, the integrated AAA device 100 according to the fourth embodiment is different from the integrated AAA device 100 according to the first embodiment in that the storage unit 120 includes an APS information storage unit 125.

  The condition storage unit 121 according to the fourth embodiment stores a condition for determining whether a resource shortage state has occurred. For example, the condition storage unit 121 stores a threshold value of “CPU usage rate 70%” as a condition for determining whether or not a resource shortage state has occurred.

  The control information storage unit 122 according to the fourth embodiment stores various types of information used for control by the integrated AAA device 100 as in the first embodiment. FIG. 27 is a diagram for explaining the control information. For example, as illustrated in FIG. 27A, the control information storage unit 122 stores information acquisition triggers, determination conditions, control when conditions are met, control when conditions are not met, and the like. In addition, as illustrated in FIG. 27B, the control information storage unit 122 monitors each application server, operation system (a specific network device or server is monitored, a CPU usage rate, a free disk space, a memory usage rate, etc. The network management system (NMS) that collects the resource usage of the network and the traffic separation and integration device store identification information and addresses.

  Note that these pieces of control information are only examples. For example, information acquisition triggers and judgment conditions, control when conditions are met, control when conditions are not met may differ depending on the device to be monitored, and the same type of device (for example, between aggregate virtual routers, etc.) ) May be the same.

  For example, referring to the example of FIG. 27, the integrated AAA device 100 monitors the “operation system” (not shown in FIG. 24), and when communicating with this operation system, the “IP address” O-1 ”is used. Further, the control information storage unit 122 stores, for example, “1 minute interval” as an information acquisition trigger, that is, a monitoring timing. In addition, the control information storage unit 122 stores “conditions stored in the condition storage unit 121” as determination conditions. That is, as described above, the threshold value “CPU usage rate 70%” indicates the determination condition.

  In addition, the control information storage unit 122 gives an instruction to search for an application server that replaces the application server that satisfies the condition and to assign traffic to the searched application server route, as the control content when the condition is met. Sending the instruction information to the traffic separation and integration apparatus ”is stored. In the fourth embodiment, control is not performed when the condition is not met. However, as will be described later, for example, the traffic allocated to the path for the application server to be replaced while monitoring is continued as the original path. In some cases, it may be determined that the threshold value is no longer exceeded even if the setting is returned to. In such a case, as illustrated in FIG. 27, for example, the control information storage unit 122 “transmits instruction information for instructing to return the route assignment to the original state”. You may remember.

  Note that, for example, the traffic monitoring unit 131 acquires the CPU usage rate related to the allocation destination application server from the “operation system” at the timing of returning the route allocation to the original. In this case, the traffic control unit 132 may return the route assignment to the original at the timing when it is determined that the “assignment destination application server is not used” based on the acquired CPU usage rate. Alternatively, for example, it is assumed that the traffic monitoring unit 131 continuously acquires the CPU usage rate related to the application server that has fallen into the resource shortage state from the “operation system”. In this case, based on the route allocation at the timing when the traffic control unit 132 determines that “the application server that has fallen into a resource shortage state is not currently in a resource shortage state” based on the acquired CPU usage rate. You may return. For example, in the above example, in order to determine whether or not to change the route assignment, it is determined whether or not the threshold of “CPU usage rate 70%” is exceeded. A second threshold value “CPU usage rate 50%” is stored separately from “CPU usage rate 70%”, and this second threshold value “CPU” is used to determine whether or not it is possible to return to the original path. It may be determined whether the usage rate is less than 50%. However, the traffic whose route assignment has been changed may be operated as it is without returning to the original route. That is, for example, once the route assignment is changed, the traffic control unit 132 starts monitoring with the state after the assignment as an initial state, and when the route after the assignment exceeds a threshold of, for example, “CPU usage rate 70%” Alternatively, the control may be such that the route assignment is changed again.

  The APS information storage unit 125 stores, for each application, a list of application servers that provide the application as a service. In the fourth embodiment, this list includes geographical location information where the application server is installed. The APS information storage unit 125 stores a list of application servers in advance by being input by, for example, an operator of an inter-VPN connection service. The list of application servers stored in the APS information storage unit 125 is used for processing by the traffic control unit 132 described later.

  FIG. 28 is a diagram for explaining a list of application servers. For example, as illustrated in FIG. 28, the APS information storage unit 125 includes, for each application, the name of the application server (including geographical location information) and the I / F information is stored in association with each other. For example, as illustrated in FIG. 28, since “Tokyo APS1” and “Tokyo APS2” are different applications, the APS identification information is different. However, since there is only one physical casing “Tokyo APS”, the connection I / F is the same as “IF1-3” in all cases (although the sub-interface of the physical connection I / F (logical May be different). In the fourth embodiment, it is assumed that “AP2” is more resistant to delay than “AP1”.

  The traffic monitoring unit 131 according to the fourth embodiment acquires information for determining whether or not to borrow resources, and determines whether or not a resource shortage has occurred due to the acquired information exceeding a predetermined threshold. To do. If the traffic monitoring unit 131 determines that a resource shortage state has occurred, the traffic monitoring unit 131 notifies the traffic control unit 132 accordingly.

  When the traffic monitoring unit 131 determines that a resource shortage state has occurred, the traffic control unit 132 according to the fourth embodiment searches for an application server that replaces the application server in which the resource shortage state has occurred, and the resource shortage state has occurred. Instruction information for instructing to allocate the traffic on the route for the application server to the route for the alternative application server is transmitted to the device that forms the route.

  For example, when the traffic control unit 132 receives a notification from the traffic monitoring unit 131 that it is determined that a resource shortage state has occurred in “Tokyo APS”, the traffic control unit 132 refers to the control information storage unit 122 and stores the control content when the condition is met. Get information. Then, the traffic control unit 132 refers to the APS information storage unit 125 and determines that “Tokyo APS1” and “Tokyo APS2” are operating on “Tokyo APS”. In addition, when two or more applications are operating, the traffic control unit 132 determines that the application that is more resistant to delay (for example, the integrated AAA device 100 determines that “AP2” is an application that is resistant to delay. And store only the selected application as a path for an alternative application server.

  That is, the traffic control unit 132 acquires a list of application servers stored in association with “AP2”. Then, the traffic control unit 132 searches for an alternative application server from, for example, geographical position information. For example, the traffic control unit 132 searches for “Nagoya APS2” or “Tohoku APS2” geographically close to “Tokyo APS2” as a candidate for an alternative application server. Then, for example, the traffic control unit 132 acquires and compares information indicating the resource usage amounts of “Nagoya APS2” and “Tohoku APS2”, and replaces the application server with more resources with the alternative application server. Choose as.

  Then, the traffic control unit 132 refers to the APS information storage unit 125 again, the route for the alternative application server (for example, “Tohoku APS2”), and the application server (for example, “Tokyo APS2”) in which the resource shortage occurs. The I / F information of the traffic separation and integration device is acquired for the route for use. For example, the traffic control unit 132 confirms that the route of “Tohoku APS2” is connected to I / F information “I / F1-2”, that is, “second I / F” of “traffic separation and integration device 1”. Get the information shown. Further, for example, the traffic control unit 132 connects the route of “Tokyo APS2” to the I / F information “I / F1-3”, that is, the “third I / F” of the “traffic separation and integration device 1”. Acquire information indicating that. Then, the traffic control unit 132 assigns the traffic on the route for “APS2” (route of the virtual router “VRF2”) in which the resource shortage state occurs to the route for the alternative application server (for example, “Tohoku APS2”). The instruction information to instruct is transmitted to, for example, “traffic separation and integration device 1”. In the “traffic separation / integration apparatus 1”, the traffic that has been policy-routed to the “third I / F” is subsequently policy-routed to the “second I / F”.

  If a route for “Tohoku APS2” has already been established, the traffic control unit 132 may instruct to allocate traffic to the route for “Tohoku APS2” that has already been constructed. If the route for “Tohoku APS2” has not been constructed, the traffic control unit 132 further instructs, for example, instruction information (request to VPN connection management system to construct a route for “Tohoku APS2”). Information). Also, a general VPN may be constructed as a route for “Tohoku APS2”.

  In the fourth embodiment, an example of searching for application servers that are geographically close to each other has been described. However, the disclosed technology is not limited to this. For example, when it is determined that an application that has fallen into a resource shortage state is an application that is resistant to delay (information indicating whether the application is resistant to delay is stored in advance), the traffic control unit 132 may Instead of searching for an alternative application server based on typical location information, for example, it may be performed by giving priority to the performance of the application server or the performance of the aggregate virtual router (high reliability, availability of bandwidth control, etc.) Good. Alternatively, the alternative application server may be determined in advance. In this case, the traffic control unit 132 may search the storage unit for information indicating a predetermined alternative application server.

  In the fourth embodiment, the example in which the threshold value “CPU usage rate 70%” is stored as a condition for determining whether or not a resource shortage state has occurred has been described. However, the disclosed technique is limited to this. It is not a thing. For example, the integrated AAA device 100 may use “disk free capacity for each application server”, “memory usage rate for each application server”, or the like as information for determining whether or not to borrow resources. For example, if the “free disk capacity for each application server” is smaller than a predetermined threshold, the integrated AAA device 100 determines that a resource shortage state has occurred. Further, for example, if the “memory usage rate for each application server” is larger than a predetermined threshold, the integrated AAA device 100 determines that a resource shortage state has occurred. In addition, when using these methods described above, the integrated AAA device 100 stores in advance the threshold corresponding to each method in the condition storage unit 121.

  Further, for example, the integrated AAA device 100 flows the measurement packet on the route, or uses the user packet flowing on the route to measure the response time of the application, for example, so that the measurement value is required for resource borrowing. It is acquired as information for determining NO, and if the measured value is larger than a predetermined threshold, it may be determined that a resource shortage state has occurred. The response time of the application can be measured by, for example, a firewall function provided in the address translation device of FIG. 25 or a probe set in a place where the influence of network delay is small. For example, since the firewall function can analyze a packet, the response time between a request packet and a response packet transmitted / received in a specific application can be measured. In this case, the integrated AAA device 100 stores a threshold corresponding to the response time in the condition storage unit 121 in advance.

  In the fourth embodiment, it is assumed that the integrated AAA device 100 voluntarily acquires information from the application server and the operation system. However, the disclosed technique is not limited to this, for example, The threshold value “CPU usage rate 70%” is stored in the application server or operation system, and whether or not the application server or operation system exceeds the threshold value “CPU usage rate 70%” is determined at intervals of 1 minute, for example. However, so-called push-type monitoring in which the application server or the operation system notifies the integrated AAA device 100 when it is determined that it has been exceeded may be used.

  In the fourth embodiment, the example in which all the traffic on the path for the application server in which the resource shortage state occurs is assigned to the path for the alternative application server has been described. However, the disclosed technology is not limited to this. Absent. For example, there may be a case where the service quality is deteriorated as compared with the case where the original application server is used, such as when the alternative application server is of another provider or is far away. In this case, it may be possible to preferentially guide the traffic from “Best Effort Class” to an alternative application server, or to preferentially guide an application server that is less sensitive to delay time to an application server that is far from the distance. It is done.

  Further, in the fourth embodiment, the example in which all the traffic on the path for the application server in which the resource shortage state occurs is assigned to the path for the “one” alternative application server has been described. It is not limited. For example, the integrated AAA device searches for “plurality” of application servers that substitute for the application server in which the resource shortage state has occurred, and instructs to instruct to allocate traffic to the path for the searched “multiple” alternative application servers May be sent to the device forming the path. For example, the integrated AAA device sends a route to the virtual router “VRF3” when the last 8 bits of the packet source IP address indicate “1” to “128”. , “129” to “255”, the instruction information for instructing to perform the policy routing “route to the route of the virtual router“ VRF4 ”” may be transmitted.

  In the fourth embodiment, the method for determining the resource shortage state has been described. However, the disclosed technique is not limited thereto. For example, the integrated AAA device acquires information indicating the resource usage for each application server, and the acquired information satisfies a predetermined condition (for example, a condition that the CPU usage rate becomes “0”). Determines whether or not a server stop state has occurred. When the integrated AAA device determines that a server stop state has occurred, the integrated AAA device searches for an application server that replaces the application server in which the server stop state has occurred, and searches for traffic on the path for the application server in which the server stop state has occurred. Instruction information for instructing allocation to the path for the alternative application server is transmitted to the apparatus that forms the path.

[Traffic Control Processing Procedure According to Embodiment 4]
FIG. 29 is a flowchart illustrating a traffic control processing procedure according to the fourth embodiment. As illustrated in FIG. 29, in the integrated AAA device 100, the traffic monitoring unit 131 communicates periodically (or at an appropriate timing) with each application server and operation system, and uses resources for each application server. Traffic is monitored by receiving information indicating the amount from each application server or operation system (step S401).

  When the traffic monitoring unit 131 receives information indicating the resource usage for each application server from each application server or operation system, the traffic monitoring unit 131 refers to the condition storage unit 121 and the received information indicating the resource usage is “CPU usage. A resource shortage state is determined by determining whether or not the threshold of “rate 70%” is exceeded (step S402).

  If it is determined that the threshold value is not exceeded (No at Step S403), the traffic monitoring unit 131 returns to the process at Step S401. On the other hand, if it is determined that the threshold value is exceeded (Yes at step S403), in the integrated AAA device 100, the traffic control unit 132 searches for an application server that replaces, for example, “APS2”, and “APS2 ] Is transmitted to, for example, the traffic separation and integration device (step S404). The instruction information instructs to allocate the traffic on the route for the virtual router “VRF2” to the route for the alternative application server.

[Effect of Example 4]
As described above, in the fourth embodiment, the collective virtual router is connected to an application server that provides a service for each traffic type to each VPN terminal belonging to the connection between VPNs. By controlling the packet transfer, the application server is accessed using a route for each traffic type. The traffic monitoring unit 131 acquires information indicating the resource usage for each application server from the application server or the operation system by monitoring the application server or the operation system, and the acquired information satisfies a predetermined condition. To determine whether a predetermined resource shortage has occurred in the application server. When it is determined that a predetermined resource shortage state has occurred, the traffic control unit 132 searches for an application server that replaces the application server in which the resource shortage state has occurred, and the application server in which the resource shortage state has occurred Instruction information for instructing to allocate the traffic on the route to the route for the alternative application server to at least the traffic separation and integration device.

  For this reason, according to the fourth embodiment, it becomes possible to borrow other resources in response to a resource shortage state, and traffic control can be appropriately performed. For example, if there is a shortage of resources in an intercloud environment, it is possible to borrow resources from other places. In addition, if a virtual router to be borrowed is determined in advance based on geographical location information (distance) and quality, traffic can be controlled according to the tolerance to traffic delay and priority, etc. Service levels can be maintained.

  While the first to fourth embodiments have been described so far, the disclosed technology may be implemented in various different forms other than the above-described embodiments.

[Relationship between VPN connection management system and integrated AAA device]
In the above-described embodiment, the “inter-VPN connection management system” and the “integrated AAA device” for establishing the connection between VPNs are devices of different casings, and each is realized as a device having an independent function. Although an example has been described, the disclosed technique is not limited thereto. In other words, the inter-VPN connection management system and the integrated AAA device may be realized as devices in the same casing or as devices having integrated functions. For example, the integrated AAA device may operate as part of an inter-VPN connection management system. In the above-described embodiment, the configuration in which the integrated AAA device of one casing is installed is illustrated, but the disclosed technique is not limited to this. For example, the disclosed technique is similarly applied to a configuration in which an integrated AAA device having a plurality of housings is installed, or a configuration in which a part of the integrated AAA device such as a storage unit is installed in another housing. can do.

[Redundant configuration]
The inter-VPN connection in the above embodiment does not make the path itself redundant. However, in the disclosed technology, the inter-VPN connection can also make the path itself redundant. FIG. 30 is a diagram for explaining a redundant path. For example, the path of the VPN connection may be made redundant as illustrated in FIG. Specifically, in the inter-VPN connection illustrated in FIG. 30, a working collective virtual router (Master (ACT)) and a spare collective virtual router (Backup (SBY)) are installed. For example, VRRP (Virtual Router Both sets of virtual routers are made redundant by a redundancy protocol such as Redundancy Protocol (HSRP) or Hot Standby Routing Protocol (HSRP), so that the route of the virtual router “VRF1” is made redundant. On the other hand, as illustrated in FIG. 30, the path of the virtual router “VRF2” is not made redundant. Note that the address translation device and the traffic separation / integration device existing on the redundant route are also made redundant by VRRP or HSRP and set so as to correspond to switching from the current route to the backup route.

  In such a configuration, the route of the virtual router “VRF1” is a highly reliable route, while the route of the virtual router “VRF2” is a normal reliability route. Therefore, for example, traffic that requires high reliability (for example, backbone applications) is assigned to the route of the virtual router “VRF1”, and traffic that should be normal reliability is assigned to the virtual router “VRF2”. By assigning to routes, a plurality of routes according to the reliability of traffic can be formed. In other words, the virtual routers are classified according to the degree of redundancy, and the traffic separated according to the required degree of reliability is accommodated in the appropriate virtual router corresponding to the required degree of redundancy, so that each traffic can be trusted. You can change the level of sex.

  Note that whether or not the traffic requires high reliability can be distinguished by, for example, the user (defined by the SLA in the contract), the application type, the IP address, the port number, etc. The AAA device may assign a route in advance according to the user, the type of application, the IP address, the port number, etc., and transmit the assignment information to the traffic separation and integration device.

  Moreover, the method demonstrated in each Example of Examples 1-4 can be combined. For example, before the resource shortage state occurs in the application server, a high load state in the collective virtual router or a failure state on the path may occur. In such a case, for example, the path switching described in the second or third embodiment is performed before the path switching described in the fourth embodiment.

[Mode of the base]
In the above embodiment, it is assumed that the base is a local area network connected to a VPN service provided by a telecommunications carrier or the like, but the disclosed technology is not limited to this. The base may be one terminal instead of a so-called network. For example, there is a case where a router installed at a base is realized by software in a terminal instead of a physical router. The base may be an in-house network with a plurality of local area networks connected by a VPN service provided by a telecommunications carrier or the like.

  31 to 33 are diagrams for explaining bases as a plurality of local area network groups connected by the VPN service. In FIGS. 31 to 33, two types of dotted lines are used. One is a normal dotted line, and the other is a broken line (a combination of a short line and a long line). The broken lines indicate that a plurality of bases belonging to the same VPN service and a VPN is formed between bases in the same company (for example, C company). On the other hand, the dotted line indicates that the VPNs are connected. For example, connection between a plurality of bases belonging to different VPN services, or connection between VPNs of different companies, even between a plurality of bases belonging to the same VPN service.

  As illustrated in FIG. 31, for example, Company C has a base group belonging to the VPN service 1 and a base belonging to the VPN service 3. On the other hand, Company D has a base belonging to the VPN service 2 and a base belonging to the VPN service 4. The integrated AAA device can appropriately control the traffic for the inter-base connection between the base group of the company C and the base group of the company D belonging to different VPN services.

  Further, as illustrated in FIG. 32, for example, Company C has a group of bases grouped by the VPN service 3. On the other hand, Company D has a group of bases grouped by the VPN service 4. The integrated AAA device can appropriately control the traffic for the inter-base connection between the base group of company C and the base group of company D belonging to different VPN services.

  Further, as illustrated in FIG. 33, for example, Company C and Company D both have base groups grouped by the VPN service 2. The integrated AAA device performs such inter-base connection between the base group of company C belonging to the same VPN service and the base group of company D, in other words, inter-base connection between a plurality of base groups belonging to the same VPN termination device. In addition, traffic can be appropriately controlled.

[Configuration of VPN connection management system]
In the following, an inter-VPN connection management system that manages inter-VPN connections in the above embodiments will be described. However, the inter-VPN connection management system described below is merely an example, and the inter-VPN connection constructed in each of the above embodiments may be constructed by another system. FIG. 34 is a block diagram showing a configuration of the inter-VPN connection management system 200. As illustrated in FIG. 34, the inter-VPN connection management system 200 includes a communication unit 210, an input unit 211, an output unit 212, an input / output control I / F unit 213, a storage unit 220, and a control unit 230. Is provided.

  The communication unit 210 is, for example, a general interface for IP communication, and performs communication between the VPN termination device, the address conversion device, and the collective virtual router that are targets for setting address conversion information and routing information. Note that the inter-VPN connection management system 200 can also communicate with other management terminals, user web servers, and the like via the communication unit 210, and from other management terminals and user web servers. An inter-VPN connection request can also be received.

  The input unit 211 is, for example, a keyboard or a mouse, and receives input of various operations. For example, the input unit 211 receives an input of an inter-VPN connection request using a keyboard or a mouse. The output unit 212 is a display, for example, and outputs information for various operations. For example, the output unit 212 outputs an input screen for an inter-VPN connection request. The input / output control I / F (Interface) unit 213 controls input / output among the input unit 211, the output unit 212, the storage unit 220, and the control unit 230. Note that the inter-VPN connection management system 200 does not necessarily include the input unit 211 and the output unit 212. For example, the inter-VPN connection management system 200 communicates with other management terminals and user Web servers via the communication unit 210 for input and output. Such information may be transmitted and received.

  The storage unit 220 is, for example, a semiconductor memory device such as a RAM, a ROM, or a flash memory, a hard disk, an optical disk, and the like, and stores various types of information. Specifically, as illustrated in FIG. 34, the storage unit 220 includes an inter-VPN connection information storage unit 221, a setting pattern storage unit 222, an inter-VPN connection request storage unit 223, and an address conversion information storage unit 224. A routing information storage unit 225, an attachment storage unit 226, and a device information storage unit 227.

  The inter-VPN connection information storage unit 221 stores inter-VPN connection information. Here, the inter-VPN connection information includes information for identifying a base and information for identifying a VPN terminating device, an address translation device, and a collective virtual router that accommodate the base. The VPN connection information also includes other information necessary for creating address translation information and routing information. The inter-VPN connection information storage unit 221 stores the inter-VPN connection information in advance by being input to the user of the inter-VPN connection management system 200, for example. The inter-VPN connection information stored in the inter-VPN connection information storage unit 221 is used for processing by the virtual router construction unit 232, the translation address determination unit 233, and the routing information generation unit 235, which will be described later. Note that “users” of the inter-VPN connection management system 200 include operators such as telecommunications carriers and managers such as information system departments in the enterprise. That is, in the following, “operator” means a person in charge of the operation of the inter-VPN connection service, and “manager” means a network administrator who manages the internal network of the base on the company side, for example. Used as

  FIG. 35 is a diagram for explaining the inter-VPN connection information storage unit 221. As illustrated in FIG. 35, for example, the inter-VPN connection information storage unit 221 stores the identification information of the collective virtual router and the identification information of the setting pattern of the collective virtual router in association with each other as inter-VPN connection information. For example, the collective virtual router identification information “collective virtual router 1” and the collective virtual router setting pattern identification information “VR-P1” are stored in association with each other. The setting pattern of the collective virtual router identified by “aggregate virtual router 1” indicates that the setting pattern is identified by “VR-P1”.

  Further, the VPN termination device and the collective virtual router are associated in advance, and when the VPN termination device is uniquely identified, the collective virtual router is also uniquely identified. In other words, one aggregate virtual router and a VPN termination device in which one or a plurality of virtual routers are set in this aggregate virtual router have a relationship specified in advance. However, the present invention is not limited to this. For example, a certain VPN termination device can set a virtual router in each of a plurality of aggregate virtual routers). For this reason, for example, the VPN connection information storage unit 221, as illustrated in FIG. 35, identifies identification information (connection destination ID) for identifying a base (or a user of the base) for each piece of identification information of the collective virtual router. (IDentifier) and terminal name), the VPN type used by the site, the identification information of the VPN termination device in which the site is accommodated, the identification information of the setting pattern of the VPN termination device, the identification information of the address translation device, A list of associations with the in-base addresses used in this manner is stored.

  The “connection destination ID” is issued by the operator of the inter-VPN connection management system 200 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 221. Further, the “terminal name” is heard from the user, for example, at the time of contracting the connection service between VPNs, and stored in the connection information storage unit 221 between VPNs.

  The “VPN type” is heard from the user at the time of contracting the connection service between VPNs, for example, and stored in the connection information storage unit 221 between VPNs. The “VPN termination device” is determined by the operator of the inter-VPN connection management system 200 when the inter-VPN connection service is contracted, for example, and stored in the inter-VPN connection information storage unit 221. The “VPN termination device setting pattern” is determined by the operator of the inter-VPN connection management system 200 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 221. The “address translation device” is determined by the operator of the inter-VPN connection management system 200 at the time of contracting the inter-VPN connection service, for example, and stored in the inter-VPN connection information storage unit 221. The “intra-base address” is interviewed by the user, for example, at the time of contract for the inter-VPN connection service, and stored in the inter-VPN connection information storage unit 221.

  For example, the connection destination ID “UserA-Office” and the terminal name “α1 @ vpn1. example. co. jp ”, VPN type“ OpenVPN ”, VPN termination device“ VPN termination device 1 ”, VPN termination device setting pattern“ VPN-P1 ”, address translation device“ address translation device 1 ”, in-site address“ 192.168.1. .10 / 24 ”will be described. First, the base identified by “UserA-Office” (the terminal name of the terminal used for connection between VPNs is “α1@vpn1.example.co.jp”) indicates that “OpenVPN” is used. In addition, the base identified by “UserA-Office” is accommodated in “VPN terminating device 1”, and “VPN-P1” is used for the setting pattern of the VPN terminating device.

  Further, the base identified by “UserA-Office” is accommodated in “address translation device 1”, and the address in the base of “192.168.1.10/24” is used. . In addition, the situation where the address in a base (private address) used in each base overlaps is assumed.

  Returning to FIG. 34, the setting pattern storage unit 222 stores setting patterns of the VPN termination device, the address translation device, and the transfer control device. Specifically, the setting pattern storage unit 222 stores the setting pattern of the VPN termination device in which the setting information to be set in the VPN termination device is standardized according to the type of connection between VPNs. The setting pattern storage unit 222 stores a setting pattern of the collective virtual router in which setting information to be set in the collective virtual router is standardized according to the type of connection between VPNs. The setting pattern storage unit 222 stores a setting pattern of the address translation device.

  The setting pattern storage unit 222 stores the setting pattern in advance, for example, by being input to the operator of the inter-VPN connection management system 200. The setting pattern stored in the setting pattern storage unit 222 is used for processing by the conversion address determination unit 233 and the routing information generation unit 235 described later.

  FIG. 36 is an example of the setting pattern of the collective virtual router. As illustrated in FIG. 36, for example, the setting pattern storage unit 222 classifies the item number for managing each item of the setting pattern as the setting pattern of the collective virtual router and the setting information according to the setting contents. The setting contents, the setting information registration timing, the deletion timing, and the setting contents specifications are stored in association with each other. 36, item numbers 1 to 3 are setting information setting patterns, and item number 4 is an option setting information setting pattern. Note that when the setting information related to the option request is used separately from the general setting information, it is called “option setting information”. Although not shown in FIG. 36, the setting pattern storage unit 222 also stores a predetermined command sentence as the setting pattern of the collective virtual router. The setting pattern is identified by setting pattern identification information.

  For example, the line of item number 1 will be described. The setting pattern of the category “virtual router definition” is a setting pattern for defining a “virtual router” that controls packet transfer in a transmission path (VPN) that is virtually constructed based on a connection request between VPNs. The setting content “virtual router name” is the name of the “virtual router” to be set, and it is specified as a specification that it should be set with “half-width alphanumeric characters”. The setting content “virtual router ID” is the ID of the “virtual router” to be set, and should be set in a format in which “16-bit numeric value” and “32-bit numeric value” are connected by “: (colon)”. Is specified as a specification. The specification is defined by, for example, the manufacturer of the corresponding device and is provided to the user of the device. The above is an example, and the present invention is not limited to this. The registration timing “immediately before starting the service” indicates that the information of item number 1 should be reflected in the VPN terminating device immediately before starting the service. Further, the deletion timing “immediately after the end of service” indicates that the information of item number 1 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 2 will be described. The setting pattern of the classification “I / F setting” is an interface setting pattern set in the “virtual router”. The setting content “IP address” is the IP address to be set for the interface. Number. Number. The specification stipulates that numbers should be set in a format in which numbers are separated by periods, such as “numbers”, and that numbers 0 to 255 should be set. In addition, the specification “I / F designation” specifies that the interface designation should be set in the format of “I / F type number / number / number”. In addition, it is specified as a specification that the setting content “belonging virtual router” should specify a virtual router name for setting an interface. The registration timing “immediately before starting the service” indicates that the information of item number 2 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 2 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 3 will be described. The setting pattern of the classification “virtual router unit routing setting” is a setting pattern of routing information set in “virtual router”. The setting contents “routing setting” should specify the name of the virtual router that sets the routing information, and the IP address of the routing information is “number. Number. Number. The specification stipulates that numbers should be set in a format in which numbers are separated by periods, such as “numbers”, and that numbers 0 to 255 should be set. The registration timing “immediately before starting the service” indicates that the information of item number 3 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 3 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 4 will be described. The setting pattern of the category “access control” is an access control setting pattern set in the “virtual router”. The setting contents “Filtering (ACL (Access Control List) etc.)”, the IP address is “Number. Number. Number. “Number” should be set in a format in which numbers are separated by periods, the number should be set to a value of “0-255”, the port number should be set as a number, and the number should be “1-65535” The specification stipulates that the value of " The registration timing “immediately before starting the service” indicates that the information of item number 4 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 4 should be deleted from the VPN terminating device immediately after the service ends.

  FIG. 37 is an example of a setting pattern of the VPN termination device. As illustrated in FIG. 37, for example, the setting pattern storage unit 222 includes, as a setting pattern of the VPN termination device, an item number for managing each item of the setting pattern, a classification for classifying the setting information, a setting content, The setting information registration timing, the deletion timing, and the setting content specification are stored in association with each other. Of the setting patterns illustrated in FIG. 37, item number 1 is a setting information setting pattern, and item number 2 is a setting pattern of option setting information. Although not shown in FIG. 37, the setting pattern storage unit 222 also stores a predetermined command sentence as the setting pattern of the VPN termination device. The setting pattern is identified by setting pattern identification information.

  For example, the line of item number 1 will be described. The setting pattern of the classification “VPN user setting” is a setting pattern related to a user at a base housed in the VPN terminating device based on the connection request between VPNs. The setting content “Authentication ID / Password” is the authentication ID and password issued to the user at the site. The specification stipulates that the authentication ID and password should be set using “single-byte alphanumeric characters” of “128 characters or less”. Has been. Other “authentication information” may be used instead of “authentication ID / password”. The registration timing “immediately before starting the service” indicates that the information of item number 1 should be reflected in the VPN terminating device immediately before starting the service. Further, the deletion timing “immediately after the end of service” indicates that the information of item number 1 should be deleted from the VPN terminating device immediately after the service ends.

  For example, the line of item number 2 will be described. The setting pattern of the category “access control” is an access control setting pattern set in the “VPN termination device”. The setting content “Filtering (ACL, etc.)” indicates that the IP address is “Number. Number. Number. “Number” should be set in a format in which numbers are separated by periods, the number should be set to a value of “0-255”, the port number should be set as a number, and the number should be “1-65535” The specification stipulates that the value of " The registration timing “immediately before starting the service” indicates that the information of item number 2 should be reflected in the VPN terminating device immediately before starting the service. The deletion timing “immediately after the end of service” indicates that the information of item number 2 should be deleted from the VPN terminating device immediately after the service ends.

  Although not shown, the setting pattern storage unit 222 similarly stores the setting pattern of the address translation device. For example, the setting pattern storage unit 222 stores setting information registration timing, deletion timing, and setting content specifications in association with each other. For example, the IP address is “Number. Number. Number. The specification defines that numbers should be set in the form of numbers separated by periods, such as “numbers”, and that numbers should be set to values “0 to 255”. In addition, for example, what should be reflected in the address translation device “immediately before the start of service” and what should be deleted from the address translation device “just after the service ends” are defined as specifications. The setting pattern storage unit 222 also stores a predetermined command sentence as a setting pattern for the address translation device.

  The above setting patterns are merely examples, and it is considered that the setting contents, the setting information registration timing, the deletion timing, the setting contents specifications, and the like differ depending on the type of connection between VPNs. That is, for example, if the type of connection between VPNs is “L3VPN”, a set of IP addresses of the connection destination between VPNs and the connection source between VPNs, IPsec operation setting information (authentication method and encryption algorithm), pre-secret Items such as shared keys can also be standardized into setting patterns. For example, if the type of connection between VPNs is “L2VPN”, items such as IDs such as L2 between the connection destination between VPNs and the connection source between VPNs may be standardized in the setting pattern. Thus, the setting pattern is appropriately standardized according to the type of connection between VPNs.

  Returning to FIG. 34, the inter-VPN connection request storage unit 223 stores inter-VPN connection request information. The inter-VPN connection request storage unit 223 stores the inter-VPN connection request information by being stored by the inter-VPN connection request receiving unit 231 described later. The inter-VPN connection request information stored in the inter-VPN connection request storage unit 223 is used for processing by a virtual router construction unit 232, a translation address determination unit 233, and a routing information generation unit 235, which will be described later.

  FIG. 38 is a diagram for explaining the inter-VPN connection request storage unit 223. As illustrated in FIG. 38, for example, the inter-VPN connection request storage unit 223 uses, as the VPN connection request information, a service start time at which the inter-VPN connection service should be started and a service end time at which the inter-VPN connection service should be terminated. And the VCS name of the inter-VPN connection, the virtual router name in which the inter-VPN connection is set, and the identification information (terminal name) identifying the base (or the user of the base) accommodated in the inter-VPN connection Remember.

For example, a service start time “t1”, a service end time “t3”, a VCS name “VCS _α ”, virtual router names “VRF _m ” and “VRF _n ”, and a terminal name “α1 @ vcsα. vpn1. example. co. jp ”and“ β1 @ vcsα. vpn2. example. co. jp ”in association with each other. From time “t1” to “t3”, “α1 @ vcsα. vpn1. example. co. jp "and" β1 @ vcsα. vpn2. example. co. jp ”is connected to the VPN, the VCS name for which the connection between the VPNs is set is“ VCS _α ”, and the virtual router names are“ VRF _m ”and“ VRF _n ”. Indicates. For convenience of explanation, the service start time and service end time are described as “t1”, “t3”, etc., for example, “2009/8/21 13:00” indicates a specific date and time. . In addition, although the terminal name is different from that illustrated in FIG. 35 (“vcsα” is added), a new VCS name is added to the terminal name originally registered in the inter-VPN connection information storage unit 121. Are stored in the inter-VPN connection request storage unit 123.

  Returning to FIG. 34, the address translation information storage unit 224 stores reservation information and address translation information. Here, the address conversion information is conversion information for converting addresses determined by a conversion address determination unit 233, which will be described later, so that the addresses are converted to each other using the address conversion device as a boundary. Here, it is assumed that the conversion address determination unit 233 determines an address according to the above-described IP address delivery method (i).

  The address conversion information storage unit 224 stores reservation information and address conversion information by being stored by a conversion address determination unit 233 described later. The reservation information and address conversion information stored in the address conversion information storage unit 224 are used for processing by the address conversion information setting unit 234.

  FIG. 39 is a diagram for explaining the address conversion information storage unit 224. As illustrated in FIG. 39, for example, the address translation information storage unit 224 stores, as reservation information, a service start time at which an inter-VPN connection service should be started and a service end time at which an inter-VPN connection service should be ended. . The address translation information storage unit 224 stores address translation information in association with reservation information. For example, the address translation information storage unit 224 stores a VCS name, a virtual router name, and an address translation table set in the address translation device in association with each other as address translation information.

For example, the address translation information stored in association with the service start time “t1” and the service end time “t3” is address translation information related to the virtual router identified by the VCS name “VCS _α ”.

  In addition, in the address translation device 1-1 and the address translation device 1-2, the in-base address “192.168.1.10” and the second address “10.1.10.” Are mutually converted. The first address “172.16.2.10” and the second address “10.2.10” are mutually converted. Here, the intra-site address “192.168.1.10” is the intra-base address used at the base, and the first address “172.16.2.10” is the communication partner at the base. This is an address for identifying a terminal under another base.

  In addition, in the address conversion devices 2-1 and 2-2, the first address “172.16.1.10” and the second address “10.1.10. This indicates that the address “192.168.1.10” and the second address “10.2.10” are mutually converted.

In FIG. 39, only the address translation information related to the virtual router identified by the VCS name “VCS _α ” is illustrated, but the address translation information storage unit 224 is another virtual network constructed by the inter-VPN connection management system 200. Address translation information about the router is also stored.

  Although not shown in FIG. 39, the address conversion information storage unit 224 stores the value of the entire private address and an address reserved in advance as an address assigned to the interface of each device.

  That is, as will be described later, the conversion address determination unit 233 determines, among the entire private addresses, an address other than the in-base address, the already reserved address, and the currently used address as a new payout address. Therefore, the address conversion information storage unit 224 stores the value of the entire private address as an initial value, so that the conversion address determination unit 233 refers to the address conversion information storage unit 224 and determines the address for conversion. can do.

  As will be described later, the routing information generation unit 235 assigns an address to be set to the interface of the collective virtual router, an address to be set to the interface of the VPN termination device, and an address to be set to the interface of the address translation device. The determination unit 233 must determine the address for conversion so that these addresses assigned to the interfaces of each device do not overlap. For this reason, the address conversion information storage unit 224 stores an address reserved in advance as an address assigned to the interface of each device, so that the conversion address determination unit 233 refers to the address conversion information storage unit 224. The address for conversion can be determined so as not to overlap with these addresses assigned (or assigned) to the interface of each device.

  Returning to FIG. 34, the routing information storage unit 225 stores reservation information and routing information. The routing information storage unit 225 stores reservation information and routing information by being stored by a virtual router construction unit 232 and a routing information generation unit 235 described later. The reservation information and routing information stored in the routing information storage unit 225 are used for processing by the routing information setting unit 236.

  40 and 41 are diagrams for explaining the routing information storage unit 225. FIG. As illustrated in FIG. 40, for example, the routing information storage unit 225 stores, as reservation information, a service start time at which the inter-VPN connection service should be started and a service end time at which the inter-VPN connection service should be ended. The routing information storage unit 225 stores routing information in association with reservation information. For example, the routing information storage unit 225 stores setting information (including routing information) set in the aggregate virtual router in the form of a setting file, and stores setting information set in the VPN termination device in the form of a setting file. The setting information set in the address translation device is stored in the form of a setting file.

  For example, FIG. 41A illustrates a part of the setting information set in the collective virtual router. Further, for example, FIG. 41B illustrates a part of setting information set in the VPN termination device. For example, FIG. 41C illustrates part of setting information set in the address translation device.

  Returning to FIG. 34, the attachment storage unit 226 stores the attachment for each aggregate virtual router, for each VPN termination device, and for each address translation device. Here, the attachment is reflected in the program for reflecting the address translation information on the address translation device, the program for reflecting the routing information on the VPN terminating device and the collective virtual router, and the address translation device. A program for deleting the address translation information, and a program for deleting the routing information reflected to the VPN terminating device and the aggregate virtual router.

  The attachment includes a communication protocol used between the VPN connection management system 200 and the address translation device, a communication protocol used between the VPN connection management system 200 and the VPN termination device, and an VPN connection management system. A communication protocol used between 200 and the collective virtual router is defined. In general, the communication protocol is a proprietary communication protocol defined by the vendor of the address translation device, the vendor of the VPN termination device, or the vendor of the collective virtual router. The attachment storage unit 226 stores the attachment in advance, for example, by being input to the operator of the inter-VPN connection management system 200. Also, the attachment stored in the attachment storage unit 226 is used for processing by an address conversion information setting unit 234, a routing information setting unit 236, and a deletion unit 237 described later.

  FIG. 42 is a diagram for explaining the attachment storage unit 226. As illustrated in FIG. 42, for example, the attachment storage unit 226 stores the device identification information of the collective virtual router, the VPN termination device, or the address translation device and the attachment in association with each other. For example, in the attachment for reflection, an ID / password for logging in to an address translation device, a VPN termination device or a collective virtual router, a path for storing address translation information and routing information is designated, and an address is specified in the designated path. A command for storing translation information and routing information, an address translation device, a VPN termination device, and a command for restarting the collective virtual router are described. Note that address translation information and routing information may be reflected by storing and restarting, or reflected by storing. The reflection attachment includes a communication protocol used between the VPN connection management system 200 and the address translation device, a communication protocol used between the VPN connection management system 200 and the VPN termination device, and a VPN setting. A communication protocol used between the system and the collective virtual router is defined.

  Further, for example, in the attachment for deletion, the address conversion information and the routing from the path storing the ID / password, the address conversion information and the routing information for logging in to the address conversion device, the VPN termination device and the collective virtual router. A command for deleting information, an address translation device, a VPN termination device, a command for restarting the collective virtual router, and the like are described. The attachment for deletion includes a communication protocol used between the VPN connection management system 200 and the address translation device, a communication protocol used between the VPN connection management system 200 and the VPN termination device, and a VPN setting. A communication protocol used between the system and the collective virtual router is defined.

  Returning to FIG. 34, the device information storage unit 227 stores the pre-configuration information of the VPN termination device preset in the VPN termination device and the pre-configuration information of the collective virtual router preset in the collective virtual router. The device information storage unit 227 stores, in advance, for example, the pre-setting information of the VPN terminating device and the pre-setting information of the collective virtual router by being input to the operator of the inter-VPN connection management system 200. Further, the preset information stored in the device information storage unit 227 is used for processing by the routing information generation unit 235 described later.

  FIG. 43 is a diagram for explaining the pre-configuration information of the collective virtual router. As illustrated in FIG. 43, for example, the device information storage unit 227 stores a host name (or router name) and a password as pre-configuration information of the collective virtual router. “Host name” is the name of the collective virtual router, for example, “jpn100”. The “password” is a password for logging in to the collective virtual router, and is a password such as “root”, for example.

  FIG. 44 is a diagram for explaining the pre-setting information of the VPN terminating device. As illustrated in FIG. 44, for example, the device information storage unit 227 uses, as the VPN termination device pre-configuration information, a host name (or router name), a password, a VPN termination device ID, a VPN type, and an IP address for the collective virtual router. The server mode is stored. Although not shown in FIG. 44, the device information storage unit 227 stores, for example, a server-side standby IP address, a protocol, a port number, and the like as the preset information.

  “Host name” is the name of the VPN termination device, for example, “jpn1”. The “password” is a password for logging in to the VPN terminal device, and is a password such as “root”, for example. The “VPN termination device ID” is an ID for identifying the VPN termination device, for example, “VPN termination device 1”. The “VPN type” is a VPN type, for example, “OpenVPN”.

  The “IP address for the collective virtual router” is an IP address to be transferred when a packet sent from the base is sent to the collective virtual router. A virtual router is constructed in the collective virtual router, and the interface of the collective virtual router It is determined only after an IP address is assigned. For this reason, in FIG. 27, it is left blank in the sense that it has not been assigned yet. The server mode is a routing method selected by the VPN terminating device. For example, when OpenVPN is used, the routing method includes “routing” and “bridge”.

  Returning to FIG. 34, the control unit 130 controls various processes executed in the inter-VPN connection management system 200. Specifically, as illustrated in FIG. 34, the control unit 230 includes an inter-VPN connection request reception unit 231, a virtual router construction unit 232, a translation address determination unit 233, an address translation information setting unit 234, A routing information generation unit 235, a routing information setting unit 236, and a deletion unit 237 are included.

  The inter-VPN connection request accepting unit 231 accepts an inter-VPN connection request. Specifically, for example, a Web server for users is installed on a network such as the Internet, and the inter-VPN connection request receiving unit 231 distributes an input screen for users to the Web server. Here, the user input screen is provided by a telecommunications carrier or the like that provides an inter-VPN connection service in order to receive an inter-VPN connection request from a VPN administrator who performs an inter-VPN connection. . Then, for example, an administrator at each site accesses the Web server and inputs an inter-VPN connection request on the user input screen, whereby the inter-VPN connection request accepting unit 231 accepts the input of the inter-VPN connection request. The received inter-VPN connection request is stored in the inter-VPN connection request storage unit 223. At this time, the inter-VPN connection request receiving unit 231 stores the new terminal name to which the VCS name is added in the inter-VPN connection request storage unit 123.

FIG. 45 is a diagram for explaining an example of an input screen for an inter-VPN connection request. For example, the inter-VPN connection request accepting unit 231 first outputs an input screen illustrated in FIG. The input screen is provided with a frame for receiving an input of a virtual collaborative space (VCS) name “VCS _α ” that is the name of a connection between VPNs and a frame for receiving an input of a password. Note that the VCS name and password are determined offline between “Company A” and “Company B”, which are scheduled to belong to the same collaborative space, for example. Thus, for example, as illustrated in FIG. 45A, when the administrator of “Company A” inputs the VCS name “VCS _α ” and the password, the inter-VPN connection request receiving unit 231 displays “VCS” as the VCS name. _α ”is received, and subsequently, information on“ Company A ”is received. In addition, although the example which receives the input of a virtual collaboration space name as a connection request between VPNs is demonstrated, it is not restricted to this, For example, a virtual collaboration space name is automatically allocated in the connection management system 200 side between VPNs May be.

Further, as illustrated in FIG. 45B, a frame for receiving input of a connection destination ID and a terminal name is provided on the next input screen following the input screen illustrated in FIG. For example, an administrator of “Company A” inputs “UserA-Office” as a connection destination ID and “α1 @ vpn1. example. co. jp ”, the inter-VPN connection request accepting unit 231 selects“ α1@vpn1.jp ”as a terminal on the“ Company A ”side connected by the VCS name“ VCS _α ”. example. co. jp ". For example, when the “More” button is pressed by the administrator, the inter-VPN connection request receiving unit 231 further provides a frame for receiving an input of the terminal name on the input screen.

  In addition, the input screen is provided with a frame for receiving input of the date and time of the reservation time. For example, as illustrated in FIG. 45 (B), when the administrator inputs a reservation time “2009.8.21 13:00” to “2009.8.21 15:00”, an inter-VPN connection request acceptance is received. The unit 231 receives “2009.8.21 13:00” as the inter-VPN connection service start time and “2009.8.21 15:00” as the inter-VPN connection service end time.

Now, in the input screen illustrated in FIG. 45B, for example, when the “OK” button is pressed by the administrator, the inter-VPN connection request accepting unit 231 ends accepting the inter-VPN connection request. Thereafter, the administrator of “Company B” is similarly configured as a terminal connected between the VPNs with the VCS name “VCS _α ” as “β1 @ vpn2. example. co. jp ".

For example, when the administrator of “Company B” inputs the VCS name “VCS _α ” and the password on the input screen, the inter-VPN connection request receiving unit 231 receives “VCS _α ” as the VCS name. Here, for the connection between VPNs identified by the VCS name “VCS _α ”, the administrator of “Company A” has already entered the date and time of the reservation time. The accepting unit 231 may output an input screen in a state in which the date and time of the reservation time are input among the input screens illustrated in FIG. Then, for example, an administrator of “Company B” inputs “UserB-Office” as a connection destination ID and “β1 @ vpn2. example. co. jp ”, the inter-VPN connection request accepting unit 231 selects“ β1 @ vpn2.. ”as a“ company B ”side terminal connected between the VPNs by the VCS name“ VCS _α ”. example. co. jp ". Thus, the inter-VPN connection request identified by the VCS name “VCS _α ” is accepted as the inter-VPN connection request for connecting “terminal α” and “terminal β”.

  In addition, although the method of inputting the connection request | requirement between VPNs on the input screen for users was demonstrated, it is not restricted to this. For example, an operator such as a telecommunications carrier providing an inter-VPN connection service may directly input an inter-VPN connection request on the input screen output to the output unit 212 of the inter-VPN connection management system 200.

  The virtual router construction unit 232 constructs a virtual router in the collective virtual router based on the VPN connection request. Specifically, the virtual router constructing unit 232 determines a virtual router name to be constructed in the collective virtual router based on the inter-VPN connection request accepted by the inter-VPN connection request accepting unit 231. Further, the virtual router construction unit 232 generates virtual router construction information among the setting information set in the collective virtual router, and stores the generated virtual router construction information in the routing information storage unit 225 together with the reservation information. In addition, the virtual router construction unit 232 notifies the translation address determination unit 233 that address translation information should be generated.

  For example, the virtual router construction unit 232 periodically refers to the VPN connection request storage unit 223 (illustrated in FIG. 38), compares the current time with the service start time, and constructs a virtual router. It is determined whether or not. For example, the virtual router construction unit 232 compares the current time with the service start time “t1” to determine whether it is time to construct a virtual router.

Next, when the virtual router construction unit 232 determines that it is time to construct a virtual router, the virtual router construction unit 232 refers to the inter-VPN connection request storage unit 223 and stores the VCS name and terminal name stored in association with the service start time. To get. For example, the virtual router construction unit 232 stores the VCS name “VCS _α ” stored in association with the service start time “t1” and the terminal name “α1 @ vcsα. vpn1. example. co. jp ”and“ β1 @ vcsα. vpn2. example. co. jp ”.

  Then, the virtual router construction unit 232 refers to the inter-VPN connection information storage unit 221 (illustrated in FIG. 35) using the acquired terminal name, and identifies the collective virtual router in which the base identified by the terminal name is accommodated. The identification information of the setting pattern is acquired. For example, the virtual router construction unit 232 identifies the aggregate virtual router “aggregate virtual router 1”, and acquires the setting pattern identification information “VR-P1”.

  Subsequently, the virtual router construction unit 232 refers to the setting pattern storage unit 222 (illustrated in FIG. 36) using the acquired setting pattern identification information, and stores the specification stored in association with the category “virtual router definition”. To get. Here, although not illustrated in FIG. 36, the setting pattern storage unit 222 also stores, as one of the setting patterns, a predetermined command statement for reflecting the setting information on the collective virtual router for each collective virtual router. . For this reason, the virtual router construction unit 232 also acquires a corresponding predetermined command sentence.

  Then, the virtual router construction unit 232 acquires the service start time and the service end time with reference to the inter-VPN connection request storage unit 223 (illustrated in FIG. 38), and stores the acquired service start time and service end time in the routing information storage Stored in the unit 225 (illustrated in FIG. 40). For example, the virtual router construction unit 232 stores the service start time “t1” and the service end time “t3” in the routing information storage unit 225.

Next, the virtual router construction unit 232 describes the virtual router construction information in a file using the acquired specifications and command statements, and stores the virtual router construction information in the routing information storage unit 225 in association with the service start time and service end time. For example, the virtual router construction unit 232 creates a file in which the virtual router name “VRF _m ” is described as “ip vrf vrfm” using the acquired predetermined command statement. Also, the virtual router construction unit 232 describes the virtual router ID “100: 10” determined according to the specification illustrated in FIG. 36 as “rd 100: 10” using a predetermined command sentence in the created file. Then, the virtual router construction unit 232 stores the created file in the routing information storage unit 225 in association with the service start time “t1” and the service end time “t3” (see FIG. 41A).

  The conversion address determination unit 233 determines an address used for connection between VPNs based on the connection request between VPNs. Specifically, the conversion address determination unit 233 determines an address used for the connection between VPNs based on the connection request between VPNs received by the connection request reception unit 231 between VPNs, and generates address conversion information. Here, the conversion address determination unit 233 determines an address by the IP address issue method (i) described above.

  Further, the inter-VPN connection management system 200 manages the entire private address as an address that can be used for the inter-VPN connection service. That is, in the inter-VPN connection management system 200, as described above, the address conversion information storage unit 224 also stores the value of the entire private address and the address reserved in advance as the address assigned to the interface of each device. Further, the inter-VPN connection management system 200 receives a private address used at each site (“intra-site address in the inter-VPN connection information storage unit 221) by receiving a request from a user in advance. )).

  For this reason, the conversion address determination unit 233 refers to the address conversion information storage unit 224 and searches for an already reserved address on the time axis. Then, when determining the first address, the conversion address determination unit 233 determines that the address within the base, the address that has already been reserved in the same time period, and the interface of each device among the entire private addresses What is necessary is just to determine an address other than the address reserved beforehand as an address allocated to, as a new payout address. Further, when determining the second address, the conversion address determination unit 233 is assigned to the address searched for as the reserved address for the same connection between VPNs and the interface of each device among the entire private addresses. An address other than the previously reserved address may be determined as a new payout address.

  The method is not limited to this method. For example, it is assumed that the inter-VPN connection management system 200 manages private addresses that can be used at each base by receiving an application from the user in advance. In this case, the conversion address determination unit 233 searches for a reserved address on the time axis, and among the private addresses managed as private addresses that can be used at the base, An address other than the address searched as an already reserved address may be determined as a new payout address. In this case, the inter-VPN connection management system 200 separately stores a private address value that can be used at each site. For example, the inter-VPN connection management system 200 stores the value of the private address that can be used at the base in the inter-VPN connection information storage unit 221.

  Also, the conversion address determination unit 233 stores the generated address conversion information in the address conversion information storage unit 224 together with the reservation information. Also, the conversion address determination unit 233 notifies the routing information generation unit 235 that setting information including routing information should be generated.

  The address translation information setting unit 234 sets address translation information in the address translation device. Specifically, the address conversion information setting unit 234 converts the address conversion information so that the first address and the second address determined by the conversion address determination unit 233 are mutually converted using the address conversion device as a boundary. Is set in the address translation device.

  For example, the address translation information setting unit 234 periodically refers to the address translation information storage unit 224 (illustrated in FIG. 39), compares the current time with the service start time, and sets the address translation information. It is determined whether or not there is. For example, the address conversion information setting unit 234 compares the current time with the service start time “t1” and determines whether or not it is time to set the address conversion information.

  Next, when the address conversion information setting unit 234 determines that it is time to set the address conversion information, the address conversion information setting unit 234 refers to the address conversion information storage unit 224 and determines the address conversion information stored in association with the service start time. get. For example, the address conversion information setting unit 234 acquires an address conversion table stored in association with “address converters 1-1, 1-2” and “address converters 2-1, 2-2”.

  Then, the address conversion information setting unit 234 refers to the attachment storage unit 226 (illustrated in FIG. 42), acquires the corresponding attachment, and transmits the address conversion information to the corresponding address conversion device using the acquired attachment. . For example, the address translation information setting unit 234 refers to the attachment storage unit 226 using the “address translation devices 1-1, 1-2” and “address translation devices 2-1, 2-2”, and attaches the attachment “NAT1- 1. exe "," NAT1-2. exe "," NAT2-1. exe "and" NAT2-2. exe ”. Subsequently, the address conversion information setting unit 234 reads the acquired attachment “NAT1-1. exe ”, the address translation information stored in the address translation information storage unit 224 in association with“ address translation device 1-1 ”is transmitted to“ address translation device 1-1 ”.

  The address translation information setting unit 234 is described as starting the address translation information setting at the time of starting the inter-VPN connection service, but is not limited to this. For example, the time required to set the address translation information is predicted in advance so that the connection between the VPNs is immediately realized at the time when the reservation is accepted as the time for starting the connection service between VPNs. The time obtained by subtracting the predicted time may be used as the time for starting the reflection of the address translation information. For example, when the conversion address determination unit 233 stores the reservation time and the address conversion information in the address conversion information storage unit 224, the conversion address determination unit 233 also stores the time obtained by subtracting the time required for setting the address conversion information, The information setting unit 234 may determine whether it is the time and start setting address conversion information.

  The routing information generator 235 generates routing information based on the inter-VPN connection request and the address translation information. Specifically, the routing information generation unit 235 assigns an address to be set to the interface of each device (aggregate virtual router, VPN termination device, address translation device) from among previously secured addresses. Further, the routing information generation unit 235 generates routing information based on the address conversion information determined by the conversion address determination unit 233. Also, the routing information generation unit 235 stores the generated routing information in the routing information storage unit 225 together with the reservation information. Since the virtual router construction unit 232 has already written the construction information of the virtual router in a file and stored in the routing information storage unit 225, the routing information generation unit 235 stores the routing information (VPN termination device) in this file. (Routing information to (Next Hop)) will be added. In addition, the routing information generation unit 235 describes the routing information to the collective virtual router (Next Hop) in the file of the VPN terminating device and the packet transfer information in the file of the address translation device.

  First, generation of the setting information of the collective virtual router will be described. For example, when receiving the notification that the setting information including the routing information should be generated from the conversion address determination unit 233, the routing information generation unit 235 refers to the address conversion information storage unit 224 (illustrated in FIG. 39), and An address to be set in the conversion device side I / F is determined. For example, the routing information generation unit 235 determines “10.0.10.97” as the I / F on the address translation device 1 side, and “10.0.20.97 as the I / F on the address translation device 2 side. ] Is determined.

  Further, the routing information generation unit 235 refers to the setting pattern storage unit 222 (illustrated in FIG. 36), and stores the specifications stored in association with the classifications “I / F setting” and “routing setting for each virtual router”. To get. Here, although not illustrated in FIG. 36, the setting pattern storage unit 222 also stores, as one of the setting patterns, a predetermined command statement for reflecting the setting information on the collective virtual router for each collective virtual router. . For this reason, the routing information generation unit 235 also acquires a corresponding predetermined command sentence.

  Then, the routing information generation unit 235 reads “Number. Number. Number. The “IP address” is determined in accordance with the “number” specification. Further, for example, the routing information generation unit 235 refers to the setting pattern illustrated in FIG. 36 and determines “designation of I / F” according to the specification of “I / F type number / number / number”.

  For example, the routing information generation unit 235 determines “10.0.10.97 255.255.255.0” as the IP address to be set for the interface connected to the address translation device 1-1, and specifies the I / F. "Gigabit Ethernet (registered trademark) 1/0/0" is determined.

  Next, the routing information generation unit 235 refers to the address translation information storage unit 224 and acquires the virtual router side address stored in association with the address translation device. For example, the routing information generation unit 235 stores the virtual router side addresses “10.10.10” and “10.2.10” stored in association with the address translation device “address translation device 1-1”. ”Is acquired.

  Then, for example, as shown in FIG. 41A, the routing information generation unit 235 determines “10.0.10.97 255.” as an IP address to be set to the interface connected to the address translation device 1-1. “255.255.0” is described as “ip address 10.0.10.97 255.255.255.0” using a predetermined command sentence. Further, for example, the routing information generation unit 235 uses “GigabitEthernet (registered trademark) 1/0/0” determined as the I / F designation by using a predetermined command statement as “interface GigabitEthernet (registered trademark) 1/0”. / 0 ”. In addition, the routing information generation unit 235 describes “ip vrf forwarding vrf1” as a command to make the interface belong to the virtual router “vrf1”. The routing information generation unit 235 also describes the interface connected to the address translation device 2 in the same manner.

Also, the routing information generation unit 235 describes a routing setting command that is so-called routing information. Here, NextHop is an address translation device. For example, the routing information generation unit 235 uses the virtual router name “VRF _m ”, “10.0.1.0 255.255.255.0”, and the IP address “10.0.10.98”. Then, “ip route vrf vrfm 10.0.1.0 255.255.255.0 10.0.10.98” is described using a predetermined command sentence in accordance with the specification illustrated in FIG. The routing information generation unit 235 also describes the interface connected to the address translation device 2 in the same manner.

  Next, generation of setting information of the VPN termination device will be described. The routing information generation unit 235 refers to the inter-VPN connection information storage unit 221 using the connection destination ID received by the inter-VPN connection request reception unit 231, and stores the VPN terminator associated with each connection destination ID. The identification information of the setting pattern is acquired. Then, the routing information generation unit 235 refers to the setting pattern storage unit 222 using each of the identification information of the setting pattern of the VPN termination device, and sets the setting information from the setting patterns of the VPN termination device stored in the setting pattern storage unit 222. A setting pattern of a VPN termination device to be used for generating information is selected. Then, the routing information generation unit 235 generates setting information using the selected setting pattern.

  For example, the routing information generation unit 235 determines an address to be set in the I / F (base side and aggregate virtual router side) of the VPN termination device, and generates routing information using the determined address. For example, the routing information generation unit 235 generates the routing information of “VPN termination device 1” as shown in FIG. The first four lines in FIG. 41B are commands for setting an address in the interface of “VPN termination device 1”. Further, the fifth line of FIG. 41B is a routing setting command for setting NextHop to “address translation device 1”.

  Next, generation of setting information of the address translation device will be described. Although not shown in FIGS. 36 and 37, the setting pattern storage unit 222 also stores the setting pattern of the address translation device. For this reason, for example, the routing information generation unit 235 refers to the inter-VPN connection information storage unit 221 using the connection destination ID received by the inter-VPN connection request reception unit 231 and stores it in association with each connection destination ID. The identification information of the address translation device is acquired. Then, the routing information generation unit 235 refers to the setting pattern storage unit 222 using each of the setting pattern identification information of the address conversion device, and sets the address conversion device setting pattern stored in the setting pattern storage unit 222. A setting pattern of an address translation device to be used for generating information is selected. Then, the routing information generation unit 235 generates setting information using the selected setting pattern.

  For example, the routing information generation unit 235 determines an address to be set in the I / F (base side and aggregate virtual router side) of the address translation device, and generates routing information using the determined address. For example, the routing information generation unit 235 generates the routing information of “address translation device 1” as shown in FIG. The first four lines in FIG. 41C are commands for setting an address in the interface of “address translation device 1”. The fifth line of FIG. 41C is a routing setting command to the “VPN terminating device 1” side, and sets an address before address conversion. The sixth line in FIG. 41C is a routing setting command to the virtual router “vrfm”, and sets an address after address conversion.

  As described above, each piece of setting information is stored in the routing information storage unit 225 in the form of a setting file, for example, as illustrated in FIG. That is, the routing information generation unit 235 stores the generated setting information in the routing information storage unit 225 in the form of a setting file. However, the method is not limited to this, and a method of storing the generated setting information in a database may be used. Alternatively, the generated setting information may be stored in a file format and stored in a database. According to these methods, since the setting information is stored in a database suitable for search and reference, for example, the routing information generation unit 235 refers to the already generated setting information when generating the setting information. However, it is not necessary to execute the file open process each time, and the process becomes efficient.

  The routing information setting unit 236 sets the routing information in the address translation device, the VPN termination device, and the collective virtual router. For example, the routing information setting unit 236 periodically refers to the routing information storage unit 225 (illustrated in FIG. 40), compares the current time with the service start time, and determines whether the setting information should be set. Determine whether. For example, the routing information setting unit 236 compares the current time with the service start time “t1” and determines whether or not it is time to set the setting information.

  Next, when the routing information setting unit 236 determines that it is time to set the setting information, the routing information setting unit 236 refers to the routing information storage unit 225 and acquires the setting information stored in association with the service start time. For example, the routing information setting unit 236 acquires the setting information stored in association with the service start time “t1”.

  Then, the routing information setting unit 236 refers to the attachment storage unit 226 (illustrated in FIG. 42), acquires the corresponding attachment, and uses the acquired attachment, the corresponding aggregate virtual router, VPN termination device, and address translation device. Send configuration information to. For example, the routing information setting unit 236 includes “aggregate virtual router 1”, “VPN termination device 1”, “VPN termination device 2”, “address translation device 1-1”, “address translation device 1-2”, “address”. The attachment storage unit 226 is referred to using the “conversion device 2-1” and the “address conversion device 2-2”, and the attachment “VR1. exe "," VPN1. exe "," VPN2. exe "," NAT1-1. exe "," NAT1-2. exe "," NAT2-1. exe "and" NAT2-2. exe ”. Subsequently, the routing information setting unit 236 acquires the acquired attachment “VR1. exe ”is used to transmit the setting information to“ aggregate virtual router 1 ”. Similarly, the routing information setting unit 236 includes “VPN termination device 1”, “VPN termination device 2”, “address translation device 1-1”, “address translation device 1-2”, and “address translation device 2-1”. , And “address conversion device 2-2”.

  The attachment may include, for example, a method for setting setting information by remotely operating each device from the inter-VPN connection management system 200 using telnet, SSH (Secure SHell), or the like. .

  Further, although the routing information setting unit 236 is described as starting the setting information setting at the time when the inter-VPN connection service is started, the present invention is not limited to this. For example, the time required for setting the setting information is predicted in advance so that the connection between the VPNs is immediately realized at the time when the reservation is accepted as the time for starting the inter-VPN connection service. The time obtained by subtracting the time may be set as the time for starting the setting information setting. For example, when the virtual router construction unit 232 stores the reserved time and the setting information in the routing information storage unit 225, the virtual router construction unit 232 also stores the time obtained by subtracting the time required for setting the setting information, and the routing information setting unit 236 Then, it may be determined whether it is the time, and setting of setting information may be started.

  The deletion unit 237 deletes address translation information and routing information set in the VPN termination device, the address translation device, and the collective virtual router. Specifically, the deletion unit 237 refers to the address translation information storage unit 224 and the routing information storage unit 225 periodically by a timer or polling, and determines whether it is time to end the inter-VPN connection service. . If it is determined that it is the service end time, the attachment storage unit 226 is referred to, and the attachment (for deletion) of the corresponding VPN termination device or aggregate virtual router is acquired. Then, the deletion unit 237 deletes the setting information from the corresponding VPN termination device or the collective virtual router using the corresponding attachment. The deletion unit 237 also deletes reservation information stored in the address conversion information storage unit 224 and the routing information storage unit 225.

[Processing procedure by VPN connection management system]
Next, a processing procedure by the VPN connection management system 200 will be described with reference to FIG. FIG. 46 is a flowchart showing a processing procedure performed by the inter-VPN connection management system 200.

  As illustrated in FIG. 46, when the inter-VPN connection management system 200 determines that it is time to construct a virtual router (Yes in step S1), it constructs a virtual router (step S2). Specifically, the virtual router construction unit 232 constructs a virtual router.

  Next, the VPN connection management system 200 determines a conversion address (step S3). Specifically, the conversion address determination unit 233 determines the conversion address.

  Subsequently, the inter-VPN connection management system 200 generates routing information (step S4). Specifically, the routing information generation unit 235 generates routing information.

  Then, the VPN connection management system 200 sets address translation information and routing information (step S5). Specifically, the address translation information setting unit 234 sets address translation information in the corresponding address translation device, and the routing information setting unit 236 sets routing information in the corresponding aggregate virtual router and VPN termination device.

  If address translation information and routing information settings are completed by the service start time, when a virtual router is constructed, when address translation information is determined, when routing information is generated, when address translation information and Whether to set the routing information is arbitrary. For example, the setting may be completed at a stage much earlier than the service start time, and communication between VPN connections may not be performed due to firewall settings or the like. In this case, when the service start time is reached, the firewall setting is changed, and connection between VPNs becomes possible.

An example of access in the collaborative space will be described with reference to FIG. FIG. 47 is a diagram for explaining an example of access in the collaborative space. FIG. 47 illustrates an example in which a collaborative space “VCS _α ” (virtual router “VRFm” and virtual router “VRFn”) is constructed between terminal α and terminal β. The name of the terminal α in the collaborative space “VCS _α ” (assigned for the collaborative space) is “α1@vcsα.vpni.example.com” based on the rules of the name space in the collaborative space. The base address is “192.168.1.10”.

The name of the terminal β in the collaborative space “VCS _α ” (assigned for the collaborative space) is “β1@vcsα.vpnj.example.com”, and the address in the base is “192” .168.1.10 ". The first address for identifying the terminal β at the base on the terminal α side is “172.16.2.10”, and the first address for identifying the terminal α at the base on the terminal β side is “172”. .16.1.10 ". For this reason, as illustrated in FIG. 47, the correspondence between “α1@vcsα.vpni.example.com” and “172.16.1.10” is registered in the DNS, and “β1@vcsα.vpnj” is registered. .example.com ”and“ 172.16.2.10 ”are registered.

  The second address for identifying the terminal α in the virtual router “VRFm” is “10.1.10.”, And the second address for identifying the terminal β in the virtual router “VRFm” is “10. 0.2.10 ". In the example of FIG. 47, the same address is issued as the second address identified in the virtual router “VRFn”, but the present invention is not limited to this.

Therefore, as illustrated in FIG. 47, the address conversion device on the VPN _i side converts the in-base address “192.168.1.10” and the second address “10.10.1.10”. Address conversion information and address conversion information for converting the first address “172.16.2.10” and the second address “10.2.10” are set. In addition, the address conversion device on the VPN _j side includes address conversion information for converting the in-base address “192.168.1.10” and the second address “10.2.10”, and the first address “ 172.16.1.10 ”and the second address“ 10.1.10. ”Are set.

In addition, routing information is set in each virtual router. As illustrated in FIG. 47, for the packet with the destination address “10.10.10”, the packet is routed to the I / F on the VPN _i side, and the destination address is “10.2.10”. The packet is set to be routed to the VPN _j side I / F.

  Consider a case where, for example, the terminal α transmits a packet to the terminal β under such a configuration. The user of the terminal α knows the terminal name “β1@vcsα.vpnj.example.com” of the user of the terminal β. Therefore, the terminal α makes an inquiry to the DNS using “β1@vcsα.vpnj.example.com”. The DNS refers to the storage unit using “β1@vcsα.vpnj.example.com”, and stores the first address “172.16.com” associated with “β1@vcsα.vpnj.example.com”. 2.10 ”is responded.

  Therefore, the terminal α transmits a packet containing the first address “172.16.2.10” as the packet destination and the intra-site address “192.168.1.10” as the transmission source to the VPN terminating device. To do. When receiving this packet, the traffic separation and integration device performs policy-based routing and sends it to the address translation device.

Then, the address translation device translates the received packet address based on the address translation information. For example, the destination address “172.16.2.10” is converted to “10.2.10.” And the source address “192.168.1.10” is changed to “10.1.10.” Convert. The address translation device then sends the address-converted packet to the collective virtual router. In the collective virtual router, routing based on the destination address is performed. The packet with the destination address “10.2.10” is routed to the I / F on the VPN _j side.

Now, routed packets to the I / F of the VPN _j side reaches the address converting apparatus VPN _j side. Then, the address translation device translates the received packet address based on the address translation information. For example, the destination address “10.2.10” is converted to “192.168.1.10”, and the source address “10.1.10.” Is changed to “172.16.1.10”. Convert. The address translation device then sends the address-converted packet to the VPN termination device. Thus, the packet transmitted from the terminal α reaches the terminal β.

[Others]
In addition, among the processes described in the above embodiment, all or a part of the processes described as being automatically performed can be manually performed, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Each processing function performed in each device may be realized in whole or in any part by a CPU and a program that is analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  The traffic control instruction method described in the above embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via an IP network such as the Internet. The program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM (Compact Disk Read Only Memory), an MO (Magneto-Optical disk), a DVD (Digital Versatile Disk), etc. It can also be executed by reading from the recording medium.

DESCRIPTION OF SYMBOLS 100 Integrated AAA apparatus 110 Communication part 111 Input part 112 Output part 113 Input / output control I / F part 120 Storage part 121 Condition storage part 122 Control information storage part 130 Control part 131 Traffic monitoring part 132 Traffic control part

Claims (10)

In connection between a plurality of different VPNs, a transfer control device for controlling packet transfer in a wide area network, a termination device for terminating each VPN belonging to the connection between VPNs via the transfer control device, and a packet transmitted from the VPN side For each traffic type in the inter-VPN connection, and for controlling the traffic of the inter- VPN connection system including a traffic control device that transmits to each of a plurality of routes formed for each traffic type with the transfer control device A control instruction device,
Among the transfer control device and the traffic control device, by monitoring at least one device on a route formed for each traffic type in the connection between VPNs , from the device, information on traffic and information on resources, Monitoring means for acquiring at least one and determining whether the acquired information meets a predetermined condition;
When it is determined that the information satisfies the condition, the instruction information for controlling the traffic on the route is indicated by the route for each traffic type in the connection between VPNs of the transfer control device and the traffic control device. And a control means for transmitting to at least one device to be formed . The monitoring means determines whether a congestion state has occurred by determining whether the acquired information meets the condition,
The control means, when it is determined that a congestion state has occurred, the transfer control device, the transfer control device, the instruction information for instructing to discard the traffic on the low-priority traffic route among the plurality of routes The traffic control instruction apparatus according to claim 1, wherein the traffic control instruction apparatus transmits to at least one of the traffic control apparatuses. The monitoring means determines whether or not a high load state has occurred by determining whether or not the information acquired for each path from the transfer control device satisfies the condition,
When it is determined that a high load condition has occurred, the control means transmits at least instruction information for instructing the traffic on the path in which the high load condition has occurred to be assigned to another path to the traffic control apparatus. The traffic control instruction device according to claim 1, wherein: The monitoring means determines whether new traffic to be controlled has occurred in the inter- VPN connection system by determining whether the acquired information satisfies the condition,
When it is determined that new traffic has occurred, the control means compares the load state between the paths using the information acquired for each path from the transfer control device, and identifies the path in the low load state, 2. The traffic control instruction apparatus according to claim 1, wherein instruction information for instructing the newly generated traffic to be assigned to the low load state route is transmitted to at least the traffic control apparatus. The monitoring means acquires information indicating path abnormality by executing life and death confirmation for each path, determines whether a failure state has occurred due to the acquired information satisfying a predetermined condition,
When it is determined that a failure state has occurred, the control means transmits instruction information for instructing that traffic on the route in which the failure state has occurred to be assigned to a backup route to at least the traffic control device. The traffic control instruction device according to claim 1. The transfer control device is connected to a service providing device that provides a service for each traffic type to each VPN terminal belonging to the inter- VPN connection, and the terminal controls packet transfer by the transfer control device. Thus, the service providing apparatus is accessed using a route for each traffic type,
By monitoring the service providing apparatus or a monitoring system that monitors the service providing apparatus, information indicating a resource usage amount for each service providing apparatus is acquired from the service providing apparatus or the monitoring system, and the acquired information is stored in advance. Service monitoring means for determining whether or not a predetermined resource shortage has occurred in the service providing apparatus by satisfying a predetermined condition;
When it is determined that a predetermined resource shortage state has occurred, the control unit searches for a service providing device that replaces the service providing device in which the resource shortage state has occurred, and the service in which the resource shortage state has occurred 2. The traffic according to claim 1, wherein instruction information for instructing that traffic on a route for a providing device is assigned to a route for an alternative service providing device is transmitted to at least the traffic control device. Control instruction device. In connection between a plurality of different VPNs, a transfer control device for controlling packet transfer in a wide area network, a termination device for terminating each VPN belonging to the connection between VPNs via the transfer control device, and a packet transmitted from the VPN side For each traffic type in the inter-VPN connection, and for controlling the traffic of the inter- VPN connection system including a traffic control device that transmits to each of a plurality of routes formed for each traffic type with the transfer control device A control instruction method,
Computer
Among the transfer control device and the traffic control device, by monitoring at least one device on a route formed for each traffic type in the connection between VPNs , from the device, information on traffic and information on resources, A monitoring step of acquiring at least one and determining whether or not the acquired information meets a predetermined condition;
When it is determined that the information satisfies the condition, the instruction information for controlling the traffic on the route is indicated by the route for each traffic type in the connection between VPNs of the transfer control device and the traffic control device. And a control step of transmitting to at least one device to be formed . A traffic control instruction program for causing a computer to function as the traffic control instruction device according to any one of claims 1 to 6 . In connection between a plurality of different VPNs, a transfer control device for controlling packet transfer in a wide area network, a termination device for terminating each VPN belonging to the connection between VPNs via the transfer control device, and a packet transmitted from the VPN side An inter- VPN connection system including a traffic control device that separates traffic for each traffic type in an inter-VPN connection and transmits each of the plurality of routes formed for each traffic type with the transfer control device,
The traffic control instruction device
Among the transfer control device and the traffic control device, by monitoring at least one device on a route formed for each traffic type in the connection between VPNs , from the device, information on traffic and information on resources, Monitoring means for acquiring at least one and determining whether the acquired information meets a predetermined condition;
When it is determined that the information satisfies the condition, the instruction information for controlling the traffic on the route is indicated by the route for each traffic type in the connection between VPNs of the transfer control device and the traffic control device. Control means for transmitting to at least one device to be formed ,
At least one of the transfer control device and the traffic control device is:
A transmission means for transmitting information related to traffic to the traffic control instruction device when requested by the traffic control instruction device;
And a control means for controlling traffic according to the received instruction information when the instruction information is received from the traffic control instruction device. In connection between a plurality of different VPNs, a transfer control device for controlling packet transfer in a wide area network, a termination device for terminating each VPN belonging to the connection between VPNs via the transfer control device, and a packet transmitted from the VPN side For each traffic type in the inter-VPN connection, and for controlling the traffic of the inter- VPN connection system including a traffic control device that transmits to each of a plurality of routes formed for each traffic type with the transfer control device A control instruction method,
A computer as a traffic control instruction device
Among the transfer control device and the traffic control device, by monitoring at least one device on a route formed for each traffic type in the connection between VPNs , from the device, information on traffic and information on resources, A monitoring step of acquiring at least one and determining whether or not the acquired information meets a predetermined condition;
When it is determined that the information satisfies the condition, the instruction information for controlling the traffic on the route is indicated by the route for each traffic type in the connection between VPNs of the transfer control device and the traffic control device. Transmitting to at least one forming device, and
A computer as at least one of the transfer control device and the traffic control device,
A transmission step of transmitting information related to traffic to the traffic control instruction device when requested by the traffic control instruction device;
And a control step of controlling traffic according to the received instruction information when the instruction information is received from the traffic control instruction device.

Images