JP5542098B2 - Route control apparatus, route control program, route control method, and route control system - Google Patents

Description

  Embodiments described herein relate generally to a route control device, a route control program, a route control method, and a route control system.

  In recent years, services have emerged that provide a virtual collaborative space by connecting multiple locations. In particular, there is a high demand for an on-demand service, that is, a service for connecting bases in a timely manner upon request. Here, the “base” is an isolated network domain whose reachability is limited by a VPN (Virtual Private Network) or geographical conditions. In addition, “inter-base connection” means that information for transferring a packet transmitted from a terminal at a base to a terminal at a base is set in each device on the route between the bases. It is interconnecting so that communication is possible. The “collaborative space” is a network domain generated by inter-base connection, and is a network domain having the interconnected range as a new reachable range.

JP 2011-055305 A

Takaaki Koyama, Shuichi Karasawa, Kazuhiro Kishi, Shintaro Mizuno, Soetsu Iwamura, “Proposal of VPN Connection Management System”, IEICE Technical Report IN 2009-48 (2009-09), P.A. 53-58 Takaaki Koyama, Shuichi Karasawa, Yoshinao Kikuchi, Kazuhiro Kishi, Sotetsu Iwamura, “New Architecture for a VPN On-demand Interconnection System”, APSITT (Asia-Pacific Symposium on Information and Telecommunication Technologies) 2010

  In a service that provides such a collaborative space, it is desired to appropriately control route assignment.

  The present invention has been made in view of the above, and an object of the present invention is to provide a route control device, a route control program, a route control method, and a route control system that can appropriately control route assignment. .

  The route control device according to the embodiment is a route control device that controls assignment of a route to a communication system that connects bases via a wide area network. In the communication system, an address that identifies the first terminal in the first base in the first base is a transmission source address, and an address that identifies the second terminal in the second base in the first base is a destination address. For packets sent from one site, after converting the IP address so that the address identifying the first terminal in the wide area network is the source address and the address identifying the second terminal in the wide area network is the destination address In addition, the IP address is converted so that the address identifying the first terminal in the second site is the source address, and the address identifying the second terminal in the second site is the destination address. To be transferred. In addition, a first route and a second route different from the first route are set as a route connecting the first site and the second site via the wide area network, and the second terminal is connected to the first site. When different addresses are assigned to the first route and the second route as addresses to be identified in the packet, the packet transmitted from the first base passes through the second route according to the address. It reaches the base. The path control device includes a storage unit, a determination unit, and an allocation control unit. The storage unit stores a correspondence relationship between a route, a name that identifies the second terminal, and an address that identifies the second terminal in the first base. The determination unit determines whether or not the state of the first route meets a predetermined condition. An allocation control unit that determines that the condition is met by the determination unit and allocates traffic on the first route to the second route, an address associated with a name that identifies the second terminal; By setting an instruction to change from the address for the route to the address for the second route in the name resolution device that responds to the name resolution request using the name and responding to the address associated with the name, Control assignments.

  The route control program according to the embodiment causes a computer to function as the route control device.

  The route control method according to the embodiment is a route control method that is executed by a route control device that controls assignment of a route to a communication system that connects bases via a wide area network. In the communication system, an address that identifies the first terminal in the first base in the first base is a transmission source address, and an address that identifies the second terminal in the second base in the first base is a destination address. For packets sent from one site, after converting the IP address so that the address identifying the first terminal in the wide area network is the source address and the address identifying the second terminal in the wide area network is the destination address In addition, the IP address is converted so that the address identifying the first terminal in the second site is the source address, and the address identifying the second terminal in the second site is the destination address. To be transferred. In addition, a first route and a second route different from the first route are set as a route connecting the first site and the second site via the wide area network, and the second terminal is connected to the first site. When different addresses are assigned to the first route and the second route as addresses to be identified in the packet, the packet transmitted from the first base passes through the second route according to the address. It reaches the base. The route control device includes a storage unit that stores a correspondence relationship between a route, a name that identifies the second terminal, and an address that identifies the second terminal in the first base. The path control device determines whether or not the state of the first path meets a predetermined condition, and determines that the condition is met by the determination process, and traffic on the first path When the address is assigned to the second route, an instruction to change the address associated with the name identifying the second terminal from the address for the first route to the address for the second route is used. An assignment control step of controlling the assignment of the route by setting an address associated with the name in response to the request in the name resolution device that responds.

  The route control system according to the embodiment is a route control system including a route control device that controls assignment of a route to a communication system that connects bases via a wide area network. In the communication system, an address that identifies the first terminal in the first base in the first base is a transmission source address, and an address that identifies the second terminal in the second base in the first base is a destination address. For packets sent from one site, after converting the IP address so that the address identifying the first terminal in the wide area network is the source address and the address identifying the second terminal in the wide area network is the destination address And an address conversion device that converts the IP address so that the address identifying the first terminal in the second base is a source address and the address identifying the second terminal in the second base is a destination address. . In addition, a first route and a second route different from the first route are set as a route connecting the first site and the second site via the wide area network, and the second terminal is connected to the first site. When different addresses are assigned to the first route and the second route as addresses to be identified in the packet, the packet transmitted from the first base passes through the second route according to the address. It reaches the base. The path control device includes a storage unit, a determination unit, and an allocation control unit. The storage unit stores a correspondence relationship between a route, a name that identifies the second terminal, and an address that identifies the second terminal in the first base. The determination unit determines whether or not the state of the first route meets a predetermined condition. An allocation control unit that determines that the condition is met by the determination unit and allocates traffic on the first route to the second route, an address associated with a name that identifies the second terminal; By setting an instruction to change from the address for the route to the address for the second route in the name resolution device that responds to the name resolution request using the name and responding to the address associated with the name, Control assignments. The name resolution device includes a name storage unit, a change unit, and a name resolution unit. The name storage unit stores a name that identifies the second terminal and an address that identifies the second terminal within the first base in association with each other. The changing unit changes an address associated with the name according to the instruction transmitted by the allocation control unit. When the name resolution unit receives a name resolution request using a name, the name resolution unit refers to the name storage unit using the name and responds with an address associated with the name.

  According to one aspect of the route control device, the route control program, the route control method, and the route control system according to the embodiment, there is an effect that it is possible to appropriately control route assignment.

FIG. 1 is a diagram for explaining the outline of the inter-VPN communication system according to the first embodiment. FIG. 2 is a diagram for explaining address conversion in the first embodiment. FIG. 3 is a diagram for explaining the DNS change method according to the first embodiment. FIG. 4 is a diagram for explaining the DNS change method according to the first embodiment. FIG. 5 is a diagram for explaining the DNS change method according to the first embodiment. FIG. 6 is a diagram for explaining the DNS change method according to the first embodiment. FIG. 7 is a diagram for explaining a DNS change method according to the first embodiment. FIG. 8 is a diagram for explaining the DNS change method according to the first embodiment. FIG. 9 is a diagram for explaining a setting information change method according to the first embodiment. FIG. 10 is a diagram for explaining path switching (before switching) in the second embodiment. FIG. 11 is a diagram for explaining the relationship between traffic and routes in the second embodiment. FIG. 12 is a diagram for explaining DNS registration information before a route change in the second embodiment. FIG. 13 is a diagram for explaining path switching (after switching) in the second embodiment. FIG. 14 is a diagram for explaining the relationship between traffic and routes in the second embodiment. FIG. 15 is a diagram for explaining DNS registration information after a route change in the second embodiment. FIG. 16 is a block diagram illustrating a configuration of an inter-VPN connection management system according to the second embodiment. FIG. 17 is a block diagram illustrating a configuration of a DNS apparatus according to the second embodiment. FIG. 18 is a flowchart illustrating a processing procedure according to the second embodiment. FIG. 19 is a diagram for explaining a third modification of the second embodiment. FIG. 20 is a diagram for explaining a third modification of the second embodiment. FIG. 21 is a diagram for explaining a third modification of the second embodiment. FIG. 22 is a diagram for explaining path switching in the third embodiment. FIG. 23 is a diagram for explaining DNS registration information before a route change in the third embodiment. FIG. 24 is a diagram for explaining DNS registration information after a route change in the third embodiment. FIG. 25 is a diagram for explaining a change of the routing table in the third embodiment. FIG. 26 is a diagram for explaining resource borrowing (before resource borrowing) in the fourth embodiment. FIG. 27 is a diagram for explaining resource borrowing (after resource borrowing) in the fourth embodiment.

  Hereinafter, embodiments of a route control device, a route control program, a route control method, and a route control system will be described. In addition, this invention is not limited by the following embodiment.

(First embodiment)
First, the outline of the inter-VPN communication system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining the outline of the inter-VPN communication system according to the first embodiment. In the first embodiment, an inter-VPN connection will be described as an example of inter-base connection. Inter-VPN connection refers to connecting LANs (Local Area Networks) connected to a VPN service provided by a telecommunications carrier or the like.

In FIG. 1, LAN _i and LAN _j (i and j are positive integer values independent of each other, i ≠ j) are connected between VPNs, and a terminal in LAN _i and a terminal in LAN _j are cooperated. An example in which a working space is provided is shown. As shown in FIG. 1, a collaborative space (VCS (Virtual Collaboration Space)) is realized by setting a virtual router (VRF (Virtual Routing and Forwarding)) in a collective virtual router installed in a wide area network. The Here, the collective virtual router is a router as a physical casing. The virtual router is a logical router that functions independently of each other by dividing the resources of the collective virtual router by the virtualization technology. The collective virtual router transfers packets between LAN _i and LAN _{j in} accordance with the path information set in the virtual router. In FIG. 1, a virtual router VRF _m and a virtual router VRF _n (m and n are mutually independent positive integer values, m ≠ n) are set in the collective virtual router, and packets related to one cooperating space are transferred. As routes, a route via VRF _m and a route via VRF _n are formed.

  As shown in FIG. 1, the VPN termination device is a router or a switch installed at the boundary between the VPN and the wide area network, and accommodates the VPN and terminates the accommodated VPN on the wide area network side. The address translation device translates an IP (Internet Protocol) address included in the packet received from the VPN termination device, and transmits the packet after the address translation to the collective virtual router. The address translation device translates the IP address included in the packet received from the collective virtual router, and transmits the packet after address translation to the VPN termination device. The address conversion by the address conversion device will be described in detail later.

  Next, address conversion in the first embodiment will be described with reference to FIG. FIG. 2 is a diagram for explaining address conversion in the first embodiment. As described above, the inter-VPN communication system according to the first embodiment includes the address translation device, and the address translation device performs address translation of the IP address included in the packet. Here, in the first embodiment, an RFC (Request For Comments) 2663 technology (Twice-NAT (Network Address Translation)) published by the IETF (Internet Engineering Task Force) is used as an address translation technology.

  Specifically, the address translation apparatus according to the first embodiment translates both the source IP address and the destination IP address included in the packet. Hereinafter, an IP address for identifying a terminal in each LAN belonging to a certain connection between VPNs in the LAN is referred to as an “in-base address”. In addition, an IP address that identifies a terminal in each LAN belonging to a certain connection between VPNs by a collective virtual router is referred to as a “first virtualized IP address”. In addition, an IP address that identifies a terminal in the LAN of the connection destination base in the LAN of the local base is referred to as a “secondary virtualized IP address”.

For example, when the terminal α in the LAN _i and the server A (Server A) in the LAN _j communicate with each other, the address conversion device installed on the LAN _i side uses the {source address, Destination address} = {intra-base address of terminal α, second virtualization address of server A}, {source address, destination address} = {first virtualization address of terminal α, first virtualization address of server A }. In addition, the address translation apparatus installed on the LAN _i side, for the packet received from the wide area network side, {source address, destination address} = {first virtualization address of server A, first virtualization address of terminal α } Is converted into {source address, destination address} = {second virtual address of server A, base station address of terminal α}. The same applies to the address translation device installed on the LAN _j side.

Hereinafter, the address conversion described above will be described using a conversion operator. “A _i ” is an in-base address that identifies the terminal α in the LAN _i , and “a _j ” is an in-base address that identifies the server A in the LAN _j . More precisely, the base address of server A is “a _j (A)”, the base address of server B is “a _j (B)”, and the base address of server C is “a _j (C)”. However, for convenience of explanation, it is set as “a _j ”. Also, (1-1) is a conversion operator that indicates address conversion from LAN _i to VRF _m . Further, (1-2) is a conversion operator that indicates address conversion from VRF _m to LAN _j .

When address conversion is expressed using these conversion operators, as shown in FIG. 2, the first virtualization address for identifying the terminal α under LAN _i and the server A under LAN _{j by} a route via VRF _m is The in-base address “a _i ” and the in-base address “a _j ” are respectively converted into IP addresses once by the address conversion device, and expressed as (1-3).

On the other hand, the first virtualization address for identifying the terminal α under LAN _i and the server A under LAN _{j by} the route via VRF _n is the in-base address “a _i ” and the in-base address “a _j ”, respectively. The IP address converted once by the address translation device is expressed as (1-4).

Further, in FIG. 2, the second virtualization address for identifying the server A in the connection destination base LAN _j in the local base LAN _i is expressed as (1-5) in the case of the route via the VRF _m , and VRF _n In the case of the route via, it is expressed as (1-6).

Similarly, the second virtualization address for identifying the terminal α in the LAN _i at the connection destination site in the local site LAN _j is expressed as (1-7) in the case of the route via the VRF _m, via the VRF _n . The route is expressed as (1-8).

For this reason, for example, when the address translation of a packet transmitted from the terminal α under the LAN _i to the server A under the LAN _j is expressed using a translation operator, in the case of a route via the VRF _m , ( In the case of a route via VRF _n , it is expressed as (1-10). Note that {source address, destination address}.

  Now, the inter-VPN connection is managed by the inter-VPN connection management system 100 as shown in FIG. The inter-VPN connection management system 100 receives an inter-VPN connection request from, for example, a VPN administrator. This inter-VPN connection request includes information necessary for establishing an inter-VPN connection. Note that the users of the inter-VPN connection management system 100 include operators such as a telecommunications carrier and managers such as an information system section in a company.

  Then, the inter-VPN connection management system 100 determines an IP address used for this inter-VPN connection in order to construct an inter-VPN connection on demand, and uses the determined IP address to convert address translation information, routing information, Various information such as DNS registration information used for name resolution is generated.

Specifically, the inter-VPN connection management system 100 determines a first virtualization address and a second virtualization address necessary for this inter-VPN connection. Here, the second virtualization address for identifying the terminal in the LAN of the connection destination base in the local LAN is different for each route. For this reason, the inter-VPN connection management system 100 includes, for example, formulas (1-11), (1-12), (1-13), (1-14), (1-15), ( The second virtualization address is determined so that the expression 1-16) holds.

Further, the inter-VPN connection management system 100 determines the first virtualization address so that, for example, the expressions (1-17) and (1-18) are established.

  As described above, the VPN connection management system 100 uses the “address translation technology based on Twice-NAT” and the “virtual router technology” to make the IP address space independent, thereby resolving IP address conflicts. Simplify assignments. Specifically, first, the IP address space is separated in the vertical direction between each LAN and the virtual router set in the wide area network by “address translation technology by Twice-NAT”. In addition, the “virtual router technology” separates the IP address space in the horizontal direction between virtual routers set in the wide area network. The inter-VPN connection management system 100 combines the two to make the IP address space independent in each LAN and in each virtual router, thereby simplifying IP address assignment while resolving IP address conflicts. It has become.

  Further, the inter-VPN connection management system 100 generates address conversion information for converting the IP address by the address conversion device. Further, the inter-VPN connection management system 100 generates routing information for transferring a packet by the collective virtual router or the VPN terminating device. Further, the inter-VPN connection management system 100 generates DNS registration information for name resolution by a DNS (Domain Name System) device 200. DNS registration information is described in the A record format or the like. As will be described later, the inter-VPN connection management system 100 stores and manages a correspondence relationship between a path, a name, and a second virtualization address, thereby generating different DNS registration information for each path.

  Then, the inter-VPN connection management system 100 sets the address translation information in the address translation device, sets the routing information in the collective virtual router and the VPN termination device, and sets the DNS registration information in the DNS device 200 by, for example, the service start time. Set other necessary information for each device. Thus, an inter-VPN connection is established in the inter-VPN communication system.

  Thus, the inter-VPN connection management system 100 accepts the inter-VPN connection request, establishes the inter-VPN connection, and starts the service. Now, the inter-VPN connection management system 100 according to the first embodiment controls the allocation of routes according to the state of the network and resources during service operation. Hereinafter, this point will be described.

  First, in the first embodiment, each LAN can be assigned to multiple virtual routers. In other words, in the first embodiment, LANs can be connected by a plurality of paths that pass through different virtual routers.

  Under such an assumption, the inter-VPN connection management system 100 determines the flow rate of traffic flowing on the route and the resource usage of the device installed on the route from the device collecting these information. It is determined whether or not the acquired information meets a predetermined condition. When the inter-VPN connection management system 100 determines that the acquired information satisfies the condition, it changes the route assignment. In the following, traffic is used to mean “information flowing through the network”, and resource is used to mean “resource for operating a computer”.

  Here, in the first embodiment, in the method of changing the route assignment, a different IP address (second virtualization address) is issued for each route, and the DNS registration information is changed, so that the terminal in the LAN can be changed. A method for changing the allocation of a route to be used (hereinafter referred to as DNS change method) and a method for changing the allocation of a route to be used by a terminal in the LAN by changing setting information of a device on the route (hereinafter referred to as setting information). Change method).

(DNS change method)
First, the DNS change method will be described. FIG. 3 is a diagram for explaining the DNS change method according to the first embodiment. As shown in FIG. 3, in the DNS change method, it is assumed that a different IP address (second virtualization address) is assigned for each route. For example, the IP address identifying the terminal within LAN _j of the destination locations in the LAN _i of own base, in the case of route via VRF _m is expressed as (2-1), in the case of route via VRF _n It is expressed as (2-2).

For example, a terminal in LAN _i makes an inquiry requesting name resolution to a DNS device in order to communicate with a terminal in LAN _j (for example, the name “userB1@vcs.vpnj.example.co.jp”) When a query requesting resolution is made), the DNS device 200 responds with the correspondence relationship (2-3) as DNS registration information until time T. Then, since the terminal in LAN _i performs communication using the IP address of the correspondence (2-3), that is, the IP address expressed as (2-1), as a result, the route via VRF _m is used. Communication. That is, the packet transmitted from the terminal in LAN _i reaches the terminal in LAN _j while the IP address is converted as represented by (2-4). Note that {source address, destination address}.

Here, the inter-VPN connection management system 100 determines whether the state of the network or the resource satisfies a predetermined condition by acquiring information such as a traffic flow rate or a resource usage amount. Assume that it is determined that a predetermined condition is met. Then, the inter-VPN connection management system 100 instructs the DNS apparatus 200 to change the DNS registration information in order to change the route assignment. For example, when the inter-VPN connection management system 100 detects that the route via VRF _m is in a high load state, it changes the route assignment from the route via VRF _m to the route via VRF _n for at least some traffic. Therefore, the DNS apparatus 200 is instructed to change the DNS registration information.

Then, for example, a terminal in LAN _i makes an inquiry for requesting name resolution to a DNS device in order to communicate with a terminal in LAN _j (for example, “userB1@vcs.vpnj.example.co.jp”). After the time T, the DNS device responds with the correspondence (2-5) as DNS registration information. Then, since the terminal in LAN _i performs communication using the IP address of the correspondence (2-5), that is, the IP address expressed as (2-2), as a result, the route via VRF _n is used. Communication. That is, the packet transmitted from the terminal in LAN _i reaches the terminal in LAN _j while the IP address is converted as represented by (2-6). In addition, {source address, destination address} is indicated.

As described above, the route for communication between the terminal in LAN _i and the terminal in LAN _j is changed from the route via VRF _m to the route via VRF _n by changing the DNS registration information. In this case, the setting information set in each VPN terminating device and the collective virtual router may be set in advance so that both the route via VRF _m and the route via VRF _n can be used. Alternatively, route setting information via VRF _n may be set when the state of the network or resource meets a predetermined condition. Note that the route is not changed for packets whose name resolution has already been completed by the DNS device 200 and communication has started. For this reason, a slight time lag may occur until the route is actually changed after the state of the network or resource meets the predetermined condition.

  In the first embodiment, as described above, Twice-NAT is used for address conversion. This Twice-NAT is effective for avoiding IP address conflicts, but it seems that using IPv6 is sufficient for the purpose of avoiding IP address conflicts only. However, as described above, it is possible to pay out a plurality of IP addresses (second virtual addresses) for one real address (intra-base address) because Twice-NAT is used. Therefore, it can be said that route allocation control by the DNS change method is possible.

The DNS change method will be described with a specific example. 4-8 is a figure for demonstrating the DNS change system in 1st Embodiment. For example, with regard to the connection between VPNs of LAN _i and LAN _j , for example, four services of a mail service, a web service, a video distribution service, and a real-time collaboration service are used by an application from a user who uses the connection between VPNs The server names that provide each service are “mail@vcs1.vpnj.example.com”, “www@vcs1.vpnj.example.com”, “movie@vcs1.vpnj.example.com”, “collabo” @ vcs1.vpnj.example.com ”, and it is assumed that the IP address of each server, the mail service, and the Web service are shared.

Based on such an application, for example, the inter-VPN connection management system 100, between LAN _i and LAN _j , as shown in FIG. 4, the route via VRF _l , the route via VRF _m , and VRF _n Build a route via. Further, a route via VRF ₁ is assigned to the traffic of the mail service and the Web service, a route via VRF _m is assigned to the traffic of the moving image distribution service, and a route via VRF _n is assigned to the traffic of the real-time collaboration service. The inter-VPN connection management system 100 manages such route allocation. In FIG. 4 and FIG. 5, “T-NAT” is an address translation device.

In the first embodiment, the DNS registration information registered in the DNS device is information in which a name and an IP address are associated with each other. For example, as shown in FIG. 5, DNS registration information is information in which the name of a server that provides a mail service is associated with an IP address that is identified by a terminal in LAN _i . When receiving a name resolution request using a name, the DNS device refers to DNS registration information using the received name and responds with an address associated with the name.

Here, for example, when a high load state, a failure state, or a state requiring resource borrowing occurs on a certain route, the inter-VPN connection management system 100 transfers traffic on the route on which such a state has occurred to another route. Assign to. For example, the inter-VPN connection management system 100 changes a route for allocating mail service and Web service traffic from a route via VRF _l to a route via a new VRF _p . In this case, the inter-VPN connection management system 100 changes the IP address associated with the name from the IP address for the route via VRF _l to the IP for the route via VRF _p as shown in FIG. Instruction information to be changed to an address (for example, DNS registration information after change) is transmitted.

Further, for example, as shown in FIG. 7, the inter-VPN connection management system 100 changes the route for assigning mail service traffic from the route via VRF _l to the route via VRF _p , and assigns traffic for the video distribution service. The route is changed from the route via VRF _m to the route via VRF _p . In this case, the inter-VPN connection management system 100 assigns the IP address associated with the name of the server that provides the mail service to the DNS device from the IP address for the route via the VRF ₁ as shown in FIG. _The instruction information for instructing to register the DNS registration information after the change to the IP address for the route via _p , and the IP address associated with the name of the server that provides the video distribution service are set as the IP for the route via VRF _m Instruction information for instructing to register the DNS registration information after changing from the address to the IP address for the route via VRF _p is transmitted.

  When the DNS apparatus 200 receives the instruction information from the inter-VPN connection management system 100, the DNS apparatus 200 updates and registers the DNS registration information according to the instruction information. When the DNS device receives a name resolution request using a name, the DNS device refers to the DNS registration information after the change and responds with the changed IP address associated with the name.

  Consider the above points anew. The DNS device 200 is associated with a name and an IP address (second virtualization address). Normally, when the IP address is changed, the device corresponding to the changed IP address is the destination. In this regard, in the first embodiment, the destination device is not changed, and only the route between them is changed. Further, this route change is realized only by changing the IP address in the association between the name and the IP address in the DNS device 200. That is, even when a user terminal makes a name resolution request to the DNS device 200 with the same name, a response with a different IP address may be received. In the first embodiment, the destination device is the same even in such a case, and the route to the destination device is changed.

(Setting information change method)
Next, the setting information change method will be described. FIG. 9 is a diagram for explaining a setting information change method according to the first embodiment. As shown in FIG. 9, in the setting information change method, it is assumed that a different IP address is not issued for each route, and that the same IP address is used even when the route is different. That is, in the setting information change method, the route assignment is changed by changing the setting information set in the device on the route.

  For example, as shown in FIG. 9, when two physically different aggregate virtual routers 1 and 2 are assumed, VRFm is set in the collective virtual router 1 until time T, and the collective virtual router Assume that address translation is performed by an address translation device corresponding to 1.

Here, the inter-VPN connection management system 100 determines whether the state of the network or the resource satisfies a predetermined condition by acquiring information such as a traffic flow rate or a resource usage amount. Assume that it is determined that a predetermined condition is met. Then, the inter-VPN connection management system 100 instructs the device on the route to change the setting information in order to change the route assignment. For example, VPN connections management system 100 detects that via VRF _m is in a high load state, in order to change the assignment of the path route via VRF _m 'from route via VRF _m, route via VRF _m The setting information is instructed to the upper apparatus and the apparatus on the route via VRF _m ′.

For example, the inter-VPN connection management system 100 sets the same setting information as the setting information set for the device on the path via VRF _m for the device on the path via VRF _m ′. For example, VPN connections management system 100 for a set virtual router 2 on the route via VRF _m ', the set route on the same setting information that has been set to the set virtual router 1 via the VRF _m Set the information. Further, for example, VPN connections management system 100, with respect to the path on the address translator via VRF _m ', the path on the address translator address conversion information identical to that has been set for the via VRF _m Set address translation information. Further, for example, the inter-VPN connection management system 100 changes the route information (routing table) of the VPN termination device and the collective virtual router. Thus, a change of setting and route information for setting information and address translation information is performed, for example, the packet transmitted from the terminal in the LAN _i, the route via VRF _m 'rather than route via VRF _m And reaches a terminal in LAN _j using a route via VRF _m ′. In this case, as shown in FIG. 9, the response up to time T by the DNS device and the response after time T are the same.

  Since the setting information change method can use the name resolution result by the DNS device as it is, the time until the route is actually changed after the state of the network or resource meets a predetermined condition is short, and the route assignment This is effective when quick changes are required.

  In the above description, a change from a route using the collective virtual router 1 to a route using the collective virtual router 2, that is, a change to a route using a physically different collective virtual router has been described. It is not limited to this. For example, in the case of a failure of one physical I / F in the collective virtual router 1, the route may be changed to a path using another physical I / F in the same collective virtual router 1.

  As described above, according to the first embodiment, in the case of the DNS change method, the route allocation is performed by changing the DNS registration information when the traffic flow rate or the resource usage amount meets a predetermined condition. In the configuration information change method, the route allocation is changed by changing the device configuration information on the route when the traffic flow or resource usage meets the specified conditions. Can be appropriately controlled.

(Second Embodiment)
Next, the second embodiment will be described. In the second embodiment, first, as an initial state, load sharing is realized by assigning traffic of the same connection between VPNs to a plurality of routes. In the second embodiment, the inter-VPN connection management system 100 acquires the traffic flow rate and the resource usage from the device that collects the information, and whether the acquired information meets a predetermined condition. By determining whether or not, a route in a high load state is determined. When the inter-VPN connection management system 100 determines that the acquired information satisfies the condition, it changes the route assignment so that the high load state is resolved. In the second embodiment, the inter-VPN connection management system 100 describes a method of dynamically searching and determining a route to be a new allocation destination, but the embodiment is not limited to this. A route previously determined as a new assignment destination may be statically determined.

First, an initial state in the second embodiment will be described. FIG. 10 is a diagram for explaining path switching (before switching) in the second embodiment. As shown in FIG. 10, in the second embodiment, an inter-VPN connection between LAN ₁ and LAN ₂ is assumed as an example. In addition, a user A1 terminal, a user A2 terminal, and a user A3 terminal are installed in LAN ₁ , and a user B1 terminal and a user B2 terminal are installed in LAN ₂ , and a collaborative space is formed between these five terminals. Assuming that

FIG. 11 is a diagram for explaining the relationship between traffic and routes in the second embodiment. As shown in FIGS. 10 and 11, between the terminal of the terminal and userB1 of UserA1, and, between the terminal of the terminal and userB2 of UserA1 communicates with route via VRF _1. Further, between the terminals of the terminal and userB1 of UserA2, and, between the terminal and userB2 terminals UserA2, communication is performed using route via VRF _2. Further, between the terminals of the terminal and userB1 of UserA3, and, between the terminal and userB2 terminals UserA3, communication is performed using route via VRF _3. That is, one cooperative space is formed by the route via VRF _1, the route via VRF ₂ , and the route via VRF ₃ . In the second embodiment, the collective virtual router in which VRF ₁ is set, the collective virtual router in which VRF ₂ is set, and the collective virtual router in which VRF ₃ is set are all physically different.

FIG. 12 is a diagram for explaining DNS registration information before a route change in the second embodiment. As shown in FIG. 12, the terminal of user A1 under LAN ₁ requests name resolution of “userB1@vcs1.vpn2.example.co.jp” when communicating with the terminal of user B1 under LAN _2. An inquiry is made to the DNS device. Since the DNS device 200 stores the correspondence relationship (3-1) as the DNS registration information, the DNS device 200 responds to the terminal of userA1 with the IP address of the correspondence relationship (3-1). The IP address of this correspondence (3-1) is an IP address for performing communication using a route via VRF ₁ . terminal userA1 Since communicates with terminal userB1 using the IP address, as a result, the communicating with the terminal userB1 using route via VRF _1.

Similarly, as shown in FIG. 12, when the terminal of user A1 under LAN ₁ communicates with the terminal of user B2 under LAN ₂ , the name resolution “userB2@vcs1.vpn2.example.co.jp” An inquiry is made to the DNS device. Since the DNS device 200 stores the correspondence relationship (3-2) as the DNS registration information, the DNS device 200 responds to the terminal of userA1 with the IP address of the correspondence relationship (3-2). The IP address of this correspondence (3-2) is an IP address for performing communication using a route via VRF ₁ . terminal userA1 Since communicates with terminal userB2 using the IP address, as a result, the communicating with the terminal userB2 using route via VRF _1. The other DNS registration information is the same as shown in FIG.

That is, the traffic by the terminal of userA1 assigned route via VRF _1, the traffic by the terminal of userA2 assigned route via VRF _2, the traffic by the terminal of userA3 is assigned path via the VRF _3. The same is true for name resolution when a terminal under LAN ₂ communicates with a terminal under LAN ₁ . As described above, in the second embodiment, a plurality of routes are assigned to traffic of the same connection between VPNs as an initial state.

The embodiment is not limited to this, and the DNS device 200 responds to the name resolution request by using the IP address for the route via VRF ₁ , the IP address for the route via VRF ₂ , and the route via VRF _3. A plurality of routes may be assigned to the traffic of the same connection between VPNs by responding in order with the IP addresses for use. In this case, the name used by the userA1 terminal, the name used by the userA2 terminal, and the name used by the userA3 terminal are all the same, and the DNS apparatus 200 associates one name with three IP addresses. What is necessary is just to memorize | store registration information.

  Under such a configuration, the inter-VPN connection management system 100 according to the second embodiment acquires information used to determine whether or not a high load state has occurred from the aggregate virtual router. Here, information used for determining whether or not a high load state has occurred includes, for example, “CPU (Central Processing Unit) usage rate of aggregate virtual router”, “utilization measured by I / F of aggregate virtual router” Medium bandwidth ”,“ Available bandwidth measured at I / F of aggregate virtual router ”,“ Usage rate of bandwidth measured at I / F of aggregate virtual router (for bandwidth allocated to I / F) Percentage of bandwidth in use) ”,“ Transfer amount of packets measured by aggregate virtual router I / F (number of packets per unit time and packet size) ”,“ Memory usage rate of aggregate virtual router ”, etc. It is. For example, the inter-VPN connection management system 100 according to the second embodiment uses, as information used for determining whether or not a high load state has occurred, “the amount of packets transferred measured by the I / F of the aggregate virtual router” Is obtained from the collective virtual router.

  Next, the inter-VPN connection management system 100 determines whether or not the acquired information meets a predetermined condition. For example, the inter-VPN connection management system determines whether or not a threshold of “transfer amount 70 Mbps” is exceeded. For example, when the packet size is small, the load may be high even with the same number of packets. Therefore, the packet transfer amount threshold may be set according to the number of packets and the packet size. .

When the inter-VPN connection management system 100 determines that the acquired information satisfies a predetermined condition, the DNS connection management system 100 determines whether to change the route assignment so as to eliminate the high load state. Instruct to change registration information. For example, it is assumed that the traffic between the terminal of userA1 and the terminal of userB1 increases, and the total of the traffic between the terminal of userA1 and the terminal of userB2 exceeds the threshold “transfer amount 70 Mbps”. The inter-VPN connection management system 100 acquires the packet transfer amount from the collective virtual router 1 in which VRF ₁ is set, and determines that the threshold “transfer amount 70 Mbps” has been exceeded. Then, for example, the inter-VPN connection management system 100 transfers a part of the traffic to which the route via the VRF ₁ is allocated (traffic between the userA1 terminal and the userB2 terminal) to the route with the smallest packet transfer amount (traffic). For example, the DNS apparatus 200 is instructed to change the DNS registration information so as to be assigned to the route via the VRF ₃ .

FIG. 13 is a diagram for explaining route switching (after switching) in the second embodiment, and FIG. 14 is a diagram for explaining the relationship between traffic and routes in the second embodiment. . As shown in FIGS. 13 and 14, the route allocated to the traffic between the terminal of user A1 and the terminal of user B2 is changed from the route via VRF ₁ to the route via VRF ₃ , and the terminals of user A1 and user B2 During this period, communication is performed using a route via VRF ₃ .

FIG. 15 is a diagram for explaining DNS registration information after a route change in the second embodiment. As illustrated in FIG. 15, the DNS device 200 changes the IP address associated with “userB2@vcs1.vpn2.example.co.jp” to (3-3) under the instruction from the inter-VPN connection management system 100. The DNS registration information is changed to the correspondence (3-4).

  As described above, according to the second embodiment, the correspondence relationship between the name, the second virtual address, and the path (VRF) is dynamically changed, and the result of the change is transmitted to the terminal (user) through the response of the DNS device 200. It is possible to dynamically distribute the load by changing the route to which the traffic is allocated.

  In the above description, the change to a route using physically different aggregate virtual routers has been described, but the embodiment is not limited thereto. For example, in the case of a high load of one physical I / F in the collective virtual router, the route may be changed to a path using another physical I / F in the same collective virtual router.

  Next, the configuration of the inter-VPN connection management system 100 according to the second embodiment will be described. FIG. 16 is a block diagram showing a configuration of the inter-VPN connection management system 100 according to the second embodiment. As shown in FIG. 16, the inter-VPN connection management system 100 includes a communication unit 110, an input unit 111, an output unit 112, an input / output control I / F (Interface) unit 113, a storage unit 120, and a control unit. 130.

  The communication unit 110 is a general interface for IP communication, for example. The communication unit 110 communicates with an address translation device, an aggregate virtual router, a VPN termination device, a DNS device 200, and the like that are set as address translation information, routing information, DNS registration information, and the like. Note that the inter-VPN connection management system 100 can also communicate with other management terminals, user Web servers, and the like via the communication unit 110, and from other management terminals, user Web servers, and the like. An inter-VPN connection request can also be received.

  The input unit 111 is, for example, a keyboard or a mouse, and receives input of various operations. For example, the input unit 111 receives an input of an inter-VPN connection request using a keyboard or a mouse. The output unit 112 is a display, for example, and outputs information for various operations. For example, the output unit 112 outputs an input screen for an inter-VPN connection request. The input / output control I / F unit 113 controls input / output among the input unit 111, the output unit 112, the storage unit 120, and the control unit 130. Note that the inter-VPN connection management system 100 does not necessarily include the input unit 111 and the output unit 112. For example, the inter-VPN connection management system 100 communicates with other management terminals or web servers for users via the communication unit 110. Information related to input / output may be transmitted and received.

  The storage unit 120 is, for example, a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, a hard disk, an optical disk, and the like, and stores various types of information. For example, as illustrated in FIG. 16, the storage unit 120 includes an inter-VPN connection information storage unit 121, a determination condition storage unit 122, a monitoring information storage unit 123, and a route allocation policy storage unit 124. As will be described below, the inter-VPN connection management system 100 stores and manages the relationship between traffic and routes as exemplified in FIG. 11, for example, and the name and IP address as exemplified in FIG. Is stored and managed, and the correspondence relationship of “route-name-second virtualization address” is stored and managed.

  The inter-VPN connection information storage unit 121 stores inter-VPN connection information necessary for establishing an inter-VPN connection. The inter-VPN connection information storage unit 121 stores the inter-VPN connection information in advance, for example, by being input to the user of the inter-VPN connection management system 100. Further, the inter-VPN connection information storage unit 121 stores, for example, information included in the inter-VPN connection request received by the inter-VPN connection request receiving unit 131 described later as inter-VPN connection information. In addition, the inter-VPN connection information storage unit 121 stores, for example, the relationship between the traffic and the route as illustrated in FIG. 11 as the information of the inter-VPN connection established by the route allocation control unit 132 described later, The correspondence between names and IP addresses as illustrated is stored.

  The determination condition storage unit 122 stores determination conditions used for determining the state of the network and resources. The determination condition storage unit 122 stores the determination condition in advance, for example, by being input to the user of the inter-VPN connection management system 100. For example, in the second embodiment, the determination condition storage unit 122 stores a threshold value “transfer amount 70 Mbps” as the determination condition. The determination conditions stored in the determination condition storage unit 122 are used for processing by the determination unit 134 described later.

The monitoring information storage unit 123 stores monitoring information collected by monitoring the network and its resources. The monitoring information storage unit 123 temporarily stores information collected by the network resource monitoring unit 133 described later by being stored by the network resource monitoring unit 133. For example, in the second embodiment, the monitoring information storage unit 123 stores the packet transfer amount of the route via VRF ₁ , the packet transfer amount of the route via VRF ₂ , and the packet transfer amount of the route via VRF ₃ . The monitoring information temporarily stored in the monitoring information storage unit 123 is used for processing by the determination unit 134 described later.

  The route assignment policy storage unit 124 stores a route assignment policy for assigning traffic to a route. The route assignment policy storage unit 124 stores the route assignment policy in advance, for example, by being input to the user of the inter-VPN connection management system 100. For example, in the second embodiment, the route assignment policy storage unit 124 stores a route assignment policy of “searching and assigning a route in a low load state”. The route assignment policy stored in the route assignment policy storage unit 124 is used for processing by the route assignment control unit 132 described later.

  The control unit 130 controls various processes executed in the inter-VPN connection management system 100. Specifically, as illustrated in FIG. 16, the control unit 130 includes an inter-VPN connection request receiving unit 131, a route allocation control unit 132, a network resource monitoring unit 133, and a determination unit 134.

  The inter-VPN connection request accepting unit 131 accepts an inter-VPN connection request. Specifically, for example, a Web server for users is installed on a network such as the Internet, and the inter-VPN connection request receiving unit 131 distributes an input screen for users to the Web server. Here, the user input screen is provided by a telecommunications carrier or the like that provides an inter-VPN connection service in order to receive an inter-VPN connection request from a VPN administrator who performs an inter-VPN connection. . Then, for example, an administrator of each VPN accesses this Web server, and inputs an inter-VPN connection request (for example, desired service start time, service end time, inter-VPN connection identification information, etc.) on the user input screen. To do. The inter-VPN connection request accepting unit 131 accepts the input of the inter-VPN connection request and notifies the route allocation control unit 132 of the accepted inter-VPN connection request.

  The route assignment control unit 132 controls the construction of a route when an inter-VPN connection request is received and the assignment of a route during service operation. Specifically, when receiving the notification of the inter-VPN connection request from the inter-VPN connection request accepting unit 131, the path allocation control unit 132 refers to the inter-VPN connection information storage unit 121 based on the inter-VPN connection request. Then, while acquiring necessary information, a path for connection between VPNs is constructed. On the other hand, when receiving a notification from the determination unit 134 that the state of the network or the resource satisfies a predetermined condition, the route assignment control unit 132 determines the assignment destination route and assigns traffic to the assignment destination route. The IP address included in the DNS registration information is changed. Then, the route allocation control unit 132 transmits instruction information for instructing to set the DNS registration information after the change to the DNS device 200. Note that the route allocation control unit 132 issues an IP address as necessary according to the change in the route assignment, for example, when the assignment destination route is dynamically determined. Routing information can also be set.

  The route allocation control unit 132 includes an address determination unit 132a, an address conversion information generation unit 132b, an address conversion information setting unit 132c, a routing information generation unit 132d, a routing information setting unit 132e, a DNS registration information generation unit 132f, and a DNS registration information setting. Part 132g.

  The address determination unit 132a determines a first virtualization address and a second virtualization address that are used for connection between VPNs. Specifically, the address determination unit 132a determines the first virtualization address and the second virtualization address used for this inter-VPN connection based on the inter-VPN connection request received by the inter-VPN connection request reception unit 131. . The first virtualization address and the second virtualization address determined by the address determination unit 132a are used for processing by the address translation information generation unit 132b, the routing information generation unit 132d, the DNS registration information generation unit 132f, and the like.

  Here, as described above, the address determination unit 132a identifies the terminal in the LAN of the connection destination base in the local LAN when a plurality of routes used for the connection between VPNs are set between the same VPNs. The second virtualization address is determined to be different for each route. That is, the address determination unit 132a determines the second virtualization address so that, for example, the above-described expressions (1-11) and (1-14) are established. In addition, the address determination unit 132a determines the first virtualization address so that, for example, the expressions (1-17) and (1-18) described above are satisfied.

  For example, the address determination unit 132a manages an IP address that is scheduled to be used between the service start time and the service end time, an IP address that is scheduled to be assigned to the interface of each device, and the like. Then, the address determination unit 132a adjusts the IP address so that it does not overlap with these IP addresses, and the second virtualization is performed so that, for example, Expressions (1-11) and (1-14) are satisfied from the entire private address. The address is determined, and the first virtualization address is determined so that, for example, the expressions (1-17) and (1-18) are established.

  The address conversion information generation unit 132b uses the first and second virtualization addresses determined by the address determination unit 132a and the intra-site address stored in the inter-VPN connection information storage unit 121 to generate address conversion information. Generate. The address conversion information generated by the address conversion information generation unit 132b is used for processing by the address conversion information setting unit 132c and the like.

For example, when the terminal α and the terminal β communicate with each other, the address conversion device installed on the LAN _i side under the control of the terminal α is (source address, destination address) = (in-site address of the terminal α, terminal (second virtualization address of β) is converted into (source address, destination address) = (first virtualization address of terminal α, first virtualization address of terminal β). For this reason, the address translation information generation unit 132b uses, as address translation information, address translation information that translates the in-base address of the terminal α and the first virtualized address of the terminal α, and the second virtualized address of the terminal β. Address conversion information for converting the first virtualized address of the terminal β is generated.

On the other hand, the address translation device installed on the LAN _j side under the control of the terminal β has (transmission source address, destination address) = (in-base address of terminal β, second virtualized address of terminal α), (transmission) Original address, destination address) = (first virtualization address of terminal β, first virtualization address of terminal α). For this reason, the address translation information generation unit 132b uses, as the address translation information, address translation information that translates the base address of the terminal β and the first virtualized address of the terminal β, and the second virtualized address of the terminal α. Address conversion information for converting the first virtualized address of the terminal α is generated.

  The address conversion information setting unit 132c sets the address conversion information generated by the address conversion information generation unit 132b in the address conversion device. For example, the address conversion information setting unit 132c acquires an attachment (not shown) stored in the storage unit 120 when it is time to set the address conversion information, and uses the acquired attachment to apply the corresponding address conversion device. Send address translation information to.

  An attachment is, for example, a program for reflecting address translation information on an address translation device, a program for reflecting routing information on a collective virtual router or a VPN termination device, a program for reflecting DNS registration information on a DNS device, etc. It is. In the attachment, a communication protocol used between the VPN connection management system 100 and the address translation device, the collective virtual router, the VPN termination device, and the DNS device is defined. In general, the communication protocol is a proprietary communication protocol defined by the vendor of each device. Also, the attachment may include a method of setting various information by remotely operating each device from the inter-VPN connection management system 100 using telnet, SSH (Secure SHell), or the like. .

  The routing information generation unit 132d generates the routing information using the first and second virtualization addresses determined by the address determination unit 132a and the intra-site address stored in the inter-VPN connection information storage unit 121. . For example, the routing information generation unit 132d assigns an IP address to be set to the interface of each device from among IP addresses reserved in advance. Then, the routing information generation unit 132d generates routing information based on the IP address set for the interface of each device and the first and second virtualization addresses determined by the address determination unit 132a. The routing information generated by the routing information generation unit 132d is used for processing by the routing information setting unit 132e and the like.

  The routing information setting unit 132e sets the routing information generated by the routing information generation unit 132d in the collective virtual router and the VPN termination device. For example, when it is time to set the routing information, the routing information setting unit 132e acquires the attachment (not shown) stored in the storage unit 120, and uses the acquired attachment, the corresponding aggregate virtual router and VPN Send routing information to the terminating device.

  The DNS registration information generation unit 132f generates DNS registration information using the second virtualization address determined by the address determination unit 132a and the name stored in the inter-VPN connection information storage unit 121. Here, the DNS registration information generation unit 132f assigns a different second virtualization address and name for each route so that traffic allocation between the routes set in the same VPN is controlled. Different DNS registration information is generated for each association and route. In other words, the DNS registration information generation unit 132f generates DNS registration information as information that holds the relationship between “route”, “second virtualization address”, and “name”. The DNS registration information generated by the DNS registration information generation unit 132f is used for processing by the DNS registration information setting unit 132g and the like.

  The DNS registration information setting unit 132g sets the DNS registration information generated by the DNS registration information generation unit 132f in the DNS device 200. For example, the DNS registration information setting unit 132g acquires an attachment (not shown) stored in the storage unit 120 when it is time to set the DNS registration information, and uses the acquired attachment, the corresponding DNS device 200. DNS registration information is transmitted. As described above, the DNS device 200 is a device that responds to an IP address in response to a name resolution inquiry. In other words, the DNS device 200 holds DNS registration information in which “second virtualization address” and “name” that are different for each route are associated with each other, thereby “route” and “second virtualization address”. And “name”, and by responding to the query using “name” with the “second virtualization address” assigned to a certain route, Assign a “route”.

  The network resource monitoring unit 133 acquires information used for determining the state of the network and resources by monitoring the network and its resources, and stores the acquired information in the monitoring information storage unit 123. For example, in the second embodiment, the network resource monitoring unit 133 communicates with the collective virtual routers 1 to 3 at intervals of, for example, 1 second, and packets collected for each route by the collective virtual routers 1 to 3. Is transferred as information used to determine whether or not a high load condition has occurred.

  The determination unit 134 determines whether the state of the network or resource satisfies a predetermined condition. For example, in the second embodiment, the determination unit 134 refers to the monitoring information storage unit 123 and uses the transfer amount of packets collected for each route as information used to determine whether a high load state has occurred. get. Further, the determination unit 134 refers to the determination condition storage unit 122 and acquires the threshold value “transfer amount 70 Mbps”. Then, the determination unit 134 determines, for each path, whether or not the packet transfer amount exceeds the threshold “transfer amount 70 Mbps”. If the determination unit 134 determines that a high load state has occurred for a certain route, the determination unit 134 notifies the route assignment control unit 132 to that effect.

  On the other hand, when the determination unit 134 determines that a high load state has occurred, the route allocation control unit 132 issues an instruction to change the DNS registration information so as to change the route allocation so as to eliminate the high load state. It transmits to the apparatus 200.

  For example, the route assignment control unit 132 receives the packet transfer amount for all routes from the determination unit 134 and identifies the route with the smallest packet transfer amount. Then, the route assignment control unit 132 assigns a part of the traffic using the route in which the high load state has occurred to the specified route.

For example, the route allocation control unit 132 determines that the transfer amount of the packet acquired from the collective virtual router 3 is the smallest, and specifies that the route via the VRF _{3 is} the route with the lowest load. Then, the route allocation control unit 132 identifies traffic using the route via VRF ₁ with reference to the table shown in FIG. 11, and part of the traffic (traffic between the userA1 terminal and the userB2 terminal). Is assigned to the route via VRF ₃ .

For example, in the case of the DNS change method, the DNS registration information generation unit 132f instructs to register the DNS registration information after changing from the IP address for the route via VRF ₁ to the IP address for the route via VRF _3. The DNS registration information setting unit 132g transmits the instruction information to the DNS device 200.

  Next, the configuration of the DNS device 200 according to the second embodiment will be described. FIG. 17 is a block diagram illustrating a configuration of a DNS apparatus 200 according to the second embodiment. The communication unit 210, the input unit 211, the output unit 212, and the input / output I / F control unit 213 are the communication unit 110, the input unit 111, the output unit 112, and the input / output control of the inter-VPN connection management system 100, respectively. Since it corresponds to the I / F unit 113, the description is omitted.

The storage unit 220 includes a DNS registration information storage unit 221. The DNS registration information storage unit 221 stores DNS registration information in which names and IP addresses are associated with each other. For example, DNS registration information storage unit 221, as shown in FIG. 12, for each user who uses the terminal in LAN _1, the name for communicating with terminals in LAN _2, the terminals in the LAN ₂ The association with the IP address identified in the LAN ₁ is stored.

The control unit 230 includes a change unit 231 and a name resolution unit 232. When receiving the instruction information transmitted by the inter-VPN connection management system 100, the changing unit 231 changes the DNS registration information according to the instruction information. For example, the instruction information transmitted by the inter-VPN connection management system 100 is instruction information for instructing that “the traffic between the terminal of userA1 and the terminal of userB2 is assigned to the route via VRF ₃ ”, If it is the DNS registration information itself after the address change, the changing unit 231 updates the DNS registration information using newly transmitted DNS registration information (for example, DNS registration information to be registered in association with “userA1”). . Note that the changing unit 231 similarly updates DNS registration information (not shown) to be registered in association with “userB2”. However, it is not essential to change the DNS registration information facing each other as described above. For example, only one-way DNS registration information may be changed. In this case, the route used depends on the direction of the packet.

  When the name resolution unit 232 receives a name resolution request using a name, the name resolution unit 232 refers to the DNS registration information storage unit 221 using this name and responds with an address associated with the name. For example, if the name resolution unit 232 receives a name resolution request using the name “userB2@vcs1.vpn2.example.co.jp” after the DNS registration information is changed, the correspondence relationship (3-4) Returns the IP address. The processing by the name resolution unit 232 can be realized by a known technique.

  FIG. 18 is a flowchart illustrating a processing procedure according to the second embodiment. As shown in FIG. 18, in the inter-VPN connection management system 100, the network resource monitoring unit 133 communicates with the collective virtual router at intervals of, for example, 1 second, and transfers packets collected by the collective virtual router. By receiving the amount from the collective virtual router, the state of the network or resource is monitored (step S101).

  Then, the determination unit 134 refers to the monitoring information storage unit 123 and the determination condition storage unit 122 and determines whether or not the transfer amount of each path exceeds the threshold “transfer amount 70 Mbps”. The state is determined (step S102).

  If it is determined that the threshold value is exceeded, the route allocation control unit 132 transmits instruction information for changing the DNS registration information to the DNS device 200 in order to change the route assignment (step S103).

(Modification 1)
In the second embodiment, the example of acquiring “the amount of packets transferred measured by the I / F of the aggregate virtual router” as information used for determining whether or not a high load state has occurred has been described. The embodiment is not limited to this. As described above, for example, as information for determining whether or not a high load state has occurred, “CPU usage rate of aggregate virtual router”, “band in use measured by aggregate virtual router I / F” "Available bandwidth measured at the I / F of the aggregate virtual router", "Utilization rate of the bandwidth measured at the I / F of the aggregate virtual router (in use for the bandwidth allocated to the I / F) Bandwidth ratio) ”,“ packet discard rate measured at the I / F of the aggregate virtual router ”,“ Queue length measured at the I / F of the aggregate virtual router ”, and the like may be used. A combination of these may also be used.

  For example, the inter-VPN connection management system 100 determines that a high load state has occurred if the “band in use” is greater than a predetermined threshold. For example, the inter-VPN connection management system 100 determines that a high load state has occurred if the “free bandwidth” is smaller than a predetermined threshold. Further, for example, the inter-VPN connection management system 100 determines that a high load state has occurred if the “utilization rate” is higher than a predetermined threshold. Further, for example, the inter-VPN connection management system 100 determines that, for example, when the “number of packets per unit time” is larger than a predetermined threshold and the “packet size” is smaller than the predetermined threshold, Since the load becomes high, it is determined that a high load state has occurred. Further, for example, the inter-VPN connection management system 100 determines that a high load state has occurred if the “packet discard rate” is greater than a predetermined threshold. Further, for example, the inter-VPN connection management system 100 determines that a high load state has occurred if the “Queue length” is longer than a predetermined threshold. In addition, when using these methods mentioned above, the VPN connection management system 100 memorize | stores the threshold value corresponding to each method in the determination condition memory | storage part 122 previously.

(Modification 2)
In the second embodiment, the so-called pull-type monitoring in which the inter-VPN connection management system 100 voluntarily acquires information from the collective virtual router is assumed, but the embodiment is not limited to this. For example, a threshold value “transfer amount 70 Mbps” is stored in the collective virtual router, and it is determined whether the collective virtual router exceeds the threshold value “transfer amount 70 Mbps” at, for example, an interval of 1 second. In this case, so-called push type monitoring in which the collective virtual router notifies the inter-VPN connection management system 100 may be used.

(Modification 3)
In the second embodiment, an example of assigning a route that has already been set (the aggregate virtual router has been activated) has been described. However, the embodiment is not limited thereto. For example, an aggregate virtual router whose power is turned off (an aggregate virtual router whose power is cut off) may be activated, and a route set for the aggregate virtual router may be assigned.

19-21 is a figure for demonstrating the modification 3 of 2nd Embodiment. As shown in FIG. 19, for example, a route via VRF ₁ and a route via VRF ₂ are set in the collective virtual router 1. Further, it is assumed that a high load state has already occurred in any of the routes. In such a case, when the inter-VPN connection management system 100 receives a request for constructing the third route from the user A4 and the user A5, as shown in FIG. 19, physical wiring and fixed setting have already been completed. Then, the collective virtual router 2 whose power is turned off is activated, and VRF ₃ for the _third inter-VPN connection is set in the collective virtual router 2.

  When there are a plurality of collective virtual routers whose power is turned off, the inter-VPN connection management system 100 may determine the order of starting up and the order of turning off the power in advance. Then, the inter-VPN connection management system 100 may activate the corresponding aggregate virtual router and input necessary setting information before the start of the third inter-VPN connection according to a predetermined order.

Further, as a result of acquiring the traffic flow rate and resource usage, the inter-VPN connection management system 100 can aggregate the traffic distributed to a plurality of aggregate virtual routers into some aggregate virtual routers. If it is determined, the traffic may be concentrated on some of the aggregate virtual routers, and the aggregate virtual routers that are no longer needed may be turned off. It is possible to reduce power consumption. For example, the inter-VPN connection management system 100 aggregates the routes via the VRF ₃ set in the collective virtual router 2 to the collective virtual router 1 as shown in FIG. 20, and collects the collective virtual as shown in FIG. A route via VRF ₄ corresponding to the route via VRF ₃ is set in the router 1. Then, the inter-VPN connection management system 100 assigns a newly set route via the VRF ₄ to the traffic between the user A4 terminal and the user A5 terminal.

In this case, as shown in FIG. 21, the inter-VPN connection management system 100 may change the route assignment by changing DNS registration information, for example, as in the second embodiment described above. For example, when the DNS device receives a name resolution request using the name of userA5 from userA4, the DNS device may respond with the changed IP address as shown in (4-1). For example, when the DNS device receives a name resolution request using the name of userA4 from userA5, the DNS device may respond with the changed IP address as shown in (4-2). Note that the inter-VPN connection management system 100 may select the aggregate virtual router in the lowest load state as the aggregate virtual router of the aggregation destination based on the traffic flow and the resource usage acquisition result.

  For example, it is assumed that there are 10 aggregate virtual routers, a route is set for each aggregate virtual router, and traffic flows. As a result of acquiring the traffic flow rate and resource usage, the inter-VPN connection management system 100 analyzes that the traffic decreases within a range that can be processed by seven aggregate virtual routers in a certain time period in 24 hours. . Then, the inter-VPN connection management system 100 performs control so that the traffic is aggregated into seven aggregate virtual routers according to the time zone, and that the three aggregate virtual routers are turned off. Further, the inter-VPN connection management system 100 starts up the three collective virtual routers whose power is turned off again after the time period, and controls to perform the processing with ten units.

  As described above, according to the second embodiment, when a high load state occurs, it is possible to appropriately control the route assignment. Further, according to the second embodiment, it is possible to distribute the load by classifying the traffic of the same inter-VPN connection and distributing it to, for example, a plurality of collective virtual routers, thereby improving scalability. Is possible. Further, in the third modification to which this is applied, it is possible to suppress the power consumption by starting and stopping the necessary collective virtual router when necessary.

  The inter-VPN connection management system 100 may grasp the traffic of each IP address by acquiring the traffic flow and resource usage in finer units. In this case, the inter-VPN connection management system 100 can control the granularity of the IP address so that there is no great difference in the traffic flow of each route.

(Third embodiment)
Subsequently, a third embodiment will be described. In the third embodiment, the inter-VPN connection management system 100 acquires the traffic flow rate and resource usage from the device that collects the information, and whether or not the acquired information satisfies a predetermined condition. To determine the path in the failure state. When the inter-VPN connection management system 100 determines that the acquired information satisfies the condition, the VPN connection management system 100 changes the route assignment so that the failure state is resolved. In the third embodiment, the inter-VPN connection management system 100 describes a method for determining a predetermined backup route as a new assignment destination, but the embodiment is not limited to this. A new assignment destination may be dynamically searched and determined.

FIG. 22 is a diagram for explaining path switching in the third embodiment. As shown in FIG. 22, in the third embodiment, an inter-VPN connection between LAN ₁ and LAN ₂ is assumed as an example. In addition, a terminal of user A1, a terminal of user A2, and a terminal of user A3 are installed in LAN ₁ , and a terminal of server B1 and a terminal of server B2 are installed in LAN ₂ , and a collaborative space is formed between these five terminals. Assuming that Note that the terminal of server B1 is a mail server, and the terminal of server B2 is a WWW server.

The terminal of UserA1, terminal UserA2, and a terminal UserA3, the terminal of the terminal and serverB2 of ServerB1, communication is performed using a path and route via VRF ₂ via VRF _1. These pathways, for example, be separated according to the type of application, for example, terminal UserA1, terminal UserA2, and a terminal UserA3, the terminal ServerB1, communicates with the route via VRF _1, userA1 terminal, terminal UserA2, and a terminal UserA3, the terminal ServerB2, communication is performed using route via VRF _2. The route via VRF ₃ is a backup route (for Back Up). That is, the collective virtual router 3 is in a state where physical connection is completed. In the third embodiment, the collective virtual router in which VRF ₁ is set, the collective virtual router in which VRF ₂ is set, and the collective virtual router in which VRF ₃ is set are all physically different.

FIG. 23 is a diagram for explaining DNS registration information before a route change in the third embodiment. As shown in FIG. 23, when the terminal of user A1 under LAN ₁ communicates with the terminal of server B1 under LAN ₂ , it requests name resolution of “mail@vcs1.vpn2.example.co.jp”. An inquiry is made to the DNS device 200. Since the DNS device 200 stores (5-1) name-IP address correspondence as DNS registration information, the DNS device 200 responds to the userA1 terminal with the IP address of correspondence (5-1). The IP address of the correspondence relationship (5-1) is an IP address for performing communication using a route via VRF ₁ . The terminal of user A1 communicates with the terminal of server B1 using this IP address, and as a result, communicates with the terminal of server B1 using the route via VRF ₁ .

Similarly, as shown in FIG. 23, when the terminal of user A1 under LAN ₁ communicates with the terminal of server B2 under LAN ₂ , the name resolution of “www@vcs1.vpn2.example.co.jp” An inquiry is made to the DNS device. Since the DNS device stores the name-IP address correspondence (5-2) as DNS registration information, the DNS device responds to the terminal of userA1 with the IP address of the correspondence (5-2). The IP address of this correspondence (5-2) is an IP address for performing communication using a route via VRF ₂ . terminal userA1 Since communicates with terminal serverB2 using the IP address, as a result, the communicating with the terminal serverB2 using route via VRF _2.

  Under such a configuration, the inter-VPN connection management system 100 according to the third embodiment acquires information used for determining whether or not a failure state has occurred from the collective virtual router. Here, the information used for determining whether or not a failure state has occurred includes, for example, “life status confirmation packet reception status”, “traffic amount observed at the I / F of each device forming the path”, “ Disappearance of dynamic routing information set in the virtual router ”. For example, the inter-VPN connection management system acquires “amount of traffic observed at the I / F of each device forming the path” from the collective virtual router as information used to determine whether or not a failure state has occurred.

  Next, the inter-VPN connection management system 100 determines whether or not the acquired information meets a predetermined condition. For example, the inter-VPN connection management system 100 determines whether or not the condition “packet is not transmitted for 10 seconds” is met.

When it is determined that the acquired information meets a predetermined condition, the inter-VPN connection management system 100 instructs the DNS apparatus to change the DNS registration information in order to change the route assignment. For example, it is assumed that a failure occurs in the collective virtual router 2 and a “packet is not transmitted for 10 seconds” state occurs in the I / F of the route via the VRF ₂ . Then, VPN connection between the management system 100 determines a set virtual router 2, i.e. a fault condition in route via VRF ₂ occurs, the traffic route via VRF _2, route via VRF ₃ is a path for the preliminary First, VRF ₃ setting different from VRF ₂ is input to the collective virtual router 3 for which physical connection and L3 (Layer 3) setting has been completed, and a route via VRF ₃ is constructed. To do. Then, the VPN connection management system 100 instructs the DNS device to change the DNS registration information. For example, the inter-VPN connection management system 100 issues an IP address (second virtualization address) and instructs the DNS apparatus 200 to change DNS registration information so as to change the IP address to the issued IP address. Note that the meaning of “physical connection and L3 (Layer3) setting is complete” means that the virtual router setting for the aggregate virtual router and the one that cannot be set unless this virtual router setting is completed. Indicates that the setting is complete. For example, the setting of the I / F of the collective virtual router, the VPN termination device, and the address translation device, the setting of the routing information, and the like have been completed.

FIG. 24 is a diagram for explaining DNS registration information after a route change in the third embodiment. As shown in FIG. 24, the DNS device 200 changes the IP address associated with “www@vcs1.vpn2.example.co.jp” to (5-3) under the instruction from the inter-VPN connection management system 100, The DNS registration information is changed to the correspondence (5-4).

  As described above, according to the third embodiment, the correspondence relationship between the name, the second virtual address, and the virtual router (VRF) is dynamically changed, and the result of the change is transmitted to the terminal (user) through the response of the DNS device 200. ), It is possible to change the traffic assigned to each route and dynamically distribute the load. Note that, for example, after the path is switched, traffic does not flow to the collective virtual router 2 in which a failure state has occurred. Therefore, the collective virtual router 2 is exchanged, and the exchanged collective virtual router 2 is now operated as a spare. It is also possible to register in the inter-VPN connection management system 100 as described above.

  In the above description, switching to a route using physically different aggregate virtual routers has been described. However, the embodiment is not limited to this. For example, in the case of a failure of one physical I / F in the collective virtual router, the path may be switched to a path using another physical I / F in the same collective virtual router. In the above description, switching of a route triggered by a failure has been described, but the embodiment is not limited thereto. For example, when a collective virtual router is subject to version upgrade or renewal, the route may be temporarily switched so that traffic does not flow.

  Next, the configuration of the inter-VPN connection management system 100 according to the third embodiment will be described. The inter-VPN connection management system 100 according to the third embodiment has the same configuration as the inter-VPN connection management system 100 according to the first embodiment. Hereinafter, differences from the inter-VPN connection management system 100 according to the first embodiment will be described.

  In the third embodiment, the determination condition storage unit 122 stores “no packet is transmitted for 10 seconds” as the determination condition. Further, the monitoring information storage unit 123 stores the traffic volume observed by the I / F collected by the aggregate virtual router of each route. The route assignment policy storage unit 124 stores a route assignment policy of “assigning a route determined in advance as a backup route”.

  In the third embodiment, the network resource monitoring unit 133 communicates with the collective virtual routers 1 to 3 at intervals of, for example, 1 second, and is collected for each route by the collective virtual routers 1 to 3. The amount of traffic observed at the I / F is received as information used to determine whether or not a failure state has occurred. The determination unit 134 refers to the determination condition storage unit 122 and acquires “no packet is transmitted for 10 seconds”. Then, the determination unit 134 refers to the monitoring information storage unit 123 and determines whether or not there is a route “a packet is not transmitted for 10 seconds”. If the determination unit 134 determines that a failure state has occurred for a certain route, the determination unit 134 notifies the route assignment control unit 132 to that effect.

  On the other hand, when the determination unit 134 determines that a failure state has occurred, the route assignment control unit 132 transmits an instruction to change the DNS registration information to the DNS device 200 in order to change the route assignment.

  For example, the route assignment control unit 132 assigns all of the traffic using the route in which the failure state has occurred to a route that has been previously determined for backup. For example, in the case of the DNS change method, the DNS registration information generation unit 132f generates instruction information for instructing registration of the DNS registration information after changing to the IP address of the backup route, and the DNS registration information setting unit 132g transmits this to the DNS device 200.

  For example, the route allocation control unit 132 instructs the DNS device 200 to change the IP address associated with “userB2@vcs1.vpn2.example.co.jp” to the correspondence relationship (5-3) described above. Send. Then, when the DNS device 200 changes the DNS registration information to the above-described correspondence (5-4) and receives a name resolution query after the change, the IP address included in the correspondence (5-4) Respond. Thereafter, for example, the operator may replace the failed device. In addition, after repairing the failed device, it may be installed as a spare device. Note that such switching and traffic detouring can be applied not only at the time of failure, but also at the time of version upgrade or renewal of the apparatus, for example.

  In the third embodiment, the example in which the setting information is dynamically set in the collective virtual router or the address translation device when a failure state is detected has been described. However, the embodiment is not limited thereto. Absent. For example, the various setting information may be set in advance in a spare collective virtual router or address translation device.

  In the third embodiment, an example has been described in which “no packet is transmitted for 10 seconds” is stored as a condition for determining whether or not a failure state has occurred in the route to be monitored. It is not limited to this. For example, the inter-VPN connection management system 100 acquires the traffic volume of the I / F on the incoming side of the collective virtual router and the traffic volume of the I / F on the output side, and traffic is observed at the I / F on the incoming side. However, it may be determined that a failure has occurred because no traffic is observed at the output I / F. Further, the traffic amount observed at the I / F of the collective virtual router is not limited, and the traffic amount observed at the I / F of another device on the route may be used. Further, for example, it is assumed that the routing information set in the collective virtual router is dynamic such that it disappears when it is not used for a predetermined time. In such a case, the inter-VPN connection management system 100 collects information indicating that “the routing information set in the collective virtual router has disappeared” from the collective virtual router, whereby a route corresponding to the disappeared routing information. It can be determined that a fault condition has occurred.

  As described above, according to the third embodiment, when a failure state occurs, it is possible to appropriately control the route assignment.

Although the DNS change method has been described as the third embodiment, the setting information change method can also be applied to the third embodiment. To briefly explain this point, the path allocation control unit 132 is set in the collective virtual router 2 to the collective virtual router 3 that is prepared for backup and for which physical wiring and L3 have been set. The same setting information as VRF ₂ may be set as it is. In addition, the route assignment control unit 132 rewrites the route information (routing table entry) of the VPN terminating device, so that the traffic that has been transmitted to the VRF ₂ is newly set in the collective virtual router _3. To send to.

FIG. 25 is a diagram for explaining a change of the routing table in the third embodiment. For example, when the route via VRF ₂ is changed to the route via VRF ₃ , the interface of the collective virtual router to which packets transmitted from LAN ₁ are to be transferred is from “I / F 21” of collective virtual router 2. The aggregate virtual router 3 is changed to “I / F 31”. For this reason, for example, the entry (6-1) in the routing table is rewritten to (6-2). Note that (6-1) describes that a packet whose destination address is the IP address of a terminal in the LAN ₂ is routed to the I / F 21, and (6-2) is the same IP address. It describes that a packet as a destination address is routed to the I / F 31. Thus, the IP address is not changed, but the interface to which the packet is transferred is changed.

Further, the interface of the collective virtual router to which the packet transmitted from the LAN ₂ is to be transferred is changed from “I / F 22” of the collective virtual router 2 to “I / F 32” of the collective virtual router 3. For this reason, for example, the routing table entry (6-3) is rewritten to (6-4). Note that (6-3) describes that a packet whose destination address is the IP address of a terminal in the LAN ₂ is routed to the I / F 22, and (6-4) is the same IP address. It describes that a packet as a destination address is routed to the I / F 32. Thus, the IP address is not changed, but the interface to which the packet is transferred is changed.

(Fourth embodiment)
Subsequently, a fourth embodiment will be described. In the fourth embodiment, it is assumed that a resource shortage of an application server (APS (Application Server)) occurs in a cloud computing environment. Specifically, the inter-VPN connection management system 100 according to the fourth embodiment is configured to borrow resources from, for example, an operation system (OpS (Operation System)), a network management system (NMS (Network Management System)), or a hypervisor. The information used for determining whether or not it is necessary is acquired. Then, the inter-VPN connection management system 100 determines whether or not the acquired information satisfies a predetermined determination condition. If it is determined that the acquired information corresponds, the application server accessed from each LAN is currently used. In order to switch from the application server in the middle to the alternative application server, the DNS apparatus 200 is instructed to change the DNS registration information.

  Here, the DNS registration information is changed in the same manner as in the previous embodiments. That is, the name of the application server used for the terminal in each LAN to access the application server is the same for the currently used application server and the alternative application server. Therefore, the terminals in each LAN may inquire name resolution to the DNS apparatus 200 using the same name. On the other hand, the IP address associated with the name is different between the currently used application server and the alternative application server. For this reason, the DNS device 200 responds with different IP addresses before and after resource borrowing. Then, when a terminal in each LAN accesses using a new IP address after borrowing resources, it accesses an alternative application server.

FIG. 26 is a diagram for explaining resource borrowing (before resource borrowing) in the fourth embodiment. As shown in FIG. 26, in the fourth embodiment, as an example, an inter-VPN connection is assumed between LAN ₁ and LAN ₂ and a base (Tokyo APS) where an application server is installed. In addition, a terminal of userA1, a terminal of userA2, and a terminal of userA3 are installed in LAN ₁ , and a terminal of userB1 and a terminal of userB2 are installed in LAN ₂ , and between these five terminals and the application server, Assume that a collaborative space is formed.

Further, the userA1 terminal, the userA2 terminal, the userA3 terminal, the userB1 terminal, and the userB2 terminal access the application server using a route via the VRF ₂ . In FIG. 25, “Tokyo APS” indicates an application server as a physical casing, and it is assumed that two applications “APS1” and “APS2” are running on “Tokyo APS”. In the fourth embodiment, the collective virtual router in which VRF ₁ is set, the collective virtual router in which VRF ₂ is set, and the collective virtual router in which VRF ₃ is set are all physically different.

Also, the route via VRF ₃ shown in FIG. 26 is a route for an alternative application server. Such a route may be constructed in advance or may be constructed on demand at the time of switching to an alternative application server. In the example of FIG. 26, the route via VRF ₃ is formed by VPN connection. For example, the route via VRF ₁ , the route via VRF ₂ , and the route via VRF ₃ are provided by the same operator. For example, if the geographical conditions only differ, the route via VRF ₃ does not pass through the public network, so there is no need to use a VPN connection.

  Under such a configuration, the inter-VPN connection management system 100 according to the fourth embodiment acquires information used for determining whether or not to borrow resources from OpS, for example. Here, the information used for determining whether or not the resource is borrowed is, for example, “CPU usage rate for each application server”, “disk free space for each application server”, “memory usage rate for each application server”, and the like. . Further, for example, “application response time measured by a measurement packet or user packet flowing on the route”, and the like. For example, the inter-VPN connection management system 100 acquires “CPU usage rate for each application server” from the OpS as information used to determine whether or not to borrow resources.

  Next, the inter-VPN connection management system 100 determines whether the acquired information meets a predetermined determination condition. For example, the inter-VPN connection management system 100 determines whether or not a threshold value of “CPU usage rate of 70% or more” is exceeded.

  Then, if the inter-VPN connection management system 100 determines that the acquired information meets the predetermined determination condition, the application server accessed from each LAN is replaced with the application server that is currently used. In order to switch to, the DNS apparatus 200 is instructed to change the DNS registration information.

For example, it is assumed that the resource of the application server “Tokyo APS2” is insufficient and a state where the threshold value of “CPU usage rate 70%” is exceeded occurs. Then, the inter-VPN connection management system 100 searches for an application server that replaces the application server in which the resource shortage occurs based on the information of the application server managed by itself, and detects the traffic for the application server in which the resource shortage occurs. Assign to alternate application server route. First, the inter-VPN connection management system 100 inputs setting information for constructing the VRF ₃ to the collective virtual router for which physical connection is completed, and the physical connection is completed. By inputting setting information as an address translation device on the route via VRF ₃ to the address translation device, a route via VRF ₃ is constructed.

The setting information in this case, since the IP address of the application server as a destination is changed, it is impossible in principle that already diverted configuration information for the route via prebuilt VRF _2. For example, the inter-VPN connection management system 100 creates new setting information replaced with the IP address of the alternative application server, and transmits the new setting information to the collective virtual router or the address translation device. Further, the inter-VPN connection management system 100 instructs the DNS apparatus 200 to change the DNS registration information.

  Here, as described above, the inter-VPN connection management system 100 acquires the CPU usage rate for each application server as a physical casing. For this reason, the inter-VPN connection management system 100 acquires the CPU usage rate for, for example, “Tokyo APS” and determines that a resource shortage has occurred in “Tokyo APS”. ”And“ APS2 ”are operating, it is separately determined which application's traffic should be assigned to the alternative route. In this regard, in the fourth embodiment, the inter-VPN connection management system 100 selects an application that is “resistant to delay”, and assigns, for example, only “APS2” packets that are resistant to delay to a path for an alternative application server. That is, the inter-VPN connection management system 100 may instruct the DNS apparatus 200 to change only the “APS2” IP address to the new alternative “APS2” IP address. In this way, it is possible to select only some of the two applications that operate physically in the same casing and assign them to other routes.

FIG. 27 is a diagram for explaining resource borrowing (after resource borrowing) in the fourth embodiment. As shown in FIG. 27, the route for using “APS2” is switched from the route via VRF ₂ to the route via VRF ₃ , and each user's terminal is routed via VRF _{3 to} and from APS 2. Communication is started using.

  As described above, according to the fourth embodiment, the correspondence relationship between the name, the second virtual address, and the virtual router (VRF) is dynamically changed, and the result of the change is transmitted to the terminal (user) through the DNS device response. By transmitting to, it is possible to change the traffic assigned to each route and dynamically lease resources.

  In the above description, switching to a route using physically different aggregate virtual routers has been described. However, the embodiment is not limited to this. For example, the route may be switched to another physical I / F in the same collective virtual router.

  Next, the configuration of the inter-VPN connection management system 100 according to the fourth embodiment will be described. The inter-VPN connection management system 100 according to the fourth embodiment has the same configuration as the inter-VPN connection management system 100 according to the first embodiment. Hereinafter, differences from the inter-VPN connection management system 100 according to the first embodiment will be described.

  In the fourth embodiment, the determination condition storage unit 122 stores a threshold value of “CPU usage rate 70%” as a determination condition. Further, the monitoring information storage unit 123 temporarily stores the CPU usage rate for each application server collected by OpS. The route assignment policy storage unit 124 stores a route assignment policy of “searching for an alternative application server and assigning a route for using this application server for traffic of an application that is resistant to delay”.

  In the fourth embodiment, the network resource monitoring unit 133 communicates with the OpS at intervals of, for example, 30 seconds, and determines whether or not a resource shortage state has occurred for the CPU usage rate for each application server. It is received as information used for. The determination unit 134 refers to the determination condition storage unit 122 and acquires the threshold value “CPU usage rate 70%”. Then, the determination unit 134 refers to the monitoring information storage unit 123 and determines whether there is an application server that exceeds the threshold value “CPU usage rate 70%”. If the determination unit 134 determines that a resource shortage state has occurred for a certain application server, the determination unit 134 notifies the route allocation control unit 132 to that effect.

  On the other hand, when the determination unit 134 determines that a resource shortage state has occurred, the route allocation control unit 132 transmits an instruction to change the DNS registration information to the DNS device 200 in order to change the route allocation. For example, when receiving a notification from the determination unit 134 that the resource shortage state has occurred in “Tokyo APS”, the route allocation control unit 132 receives information on the application server managed by itself. Then, it is determined that “Tokyo APS1” and “Tokyo APS2” are operating. In addition, when two or more applications are operating, the route allocation control unit 132 is more resistant to delay (for example, in the inter-VPN connection management system 100, “APS2” is an application resistant to delay). Is stored as separate information), and a path for an alternative application server is allocated only to the selected application.

  That is, the route allocation control unit 132 searches for an alternative application server from, for example, geographical location information. For example, the route allocation control unit 132 searches for “Nagoya APS2” or “Tohoku APS2” geographically close to “Tokyo APS2” as a candidate for an alternative application server. Then, for example, the route allocation control unit 132 acquires and compares the CPU usage rates of “Nagoya APS2” and “Tohoku APS2”, and selects an application server with more resources as an alternative application server. To do.

  Then, the route assignment control unit 132 transmits an instruction to the DNS device 200 so as to assign the traffic of “Tokyo APS2” to the route for “Tohoku APS2” that has already been constructed. The change of the DNS registration information is the same as in the second embodiment, for example. For example, the inter-VPN connection management system 100 stores and manages a path, an application server name, and an application server IP address (second virtualization address) in association with each other. The instruction information for changing the DNS registration information is transmitted so that the IP address for “Tokyo APS2” is changed to the IP address for “Tohoku APS2”.

  Note that, for example, the network resource monitoring unit 133 acquires the CPU usage rate related to the allocation destination application server from the OpS at the timing of returning the path allocation to the original. In this case, at the timing when the determination unit 134 determines that the “assignment destination application server is not used” based on the acquired CPU usage rate, the route assignment control unit 132 restores the route assignment to the original state. May be. Alternatively, for example, it is assumed that the determination unit 134 continuously acquires the CPU usage rate related to the application server that has fallen into a resource shortage state from OpS. In this case, based on the acquired CPU usage rate, the route allocation control unit 132 starts the route allocation at the timing when it is determined that “the application server that has fallen into a resource shortage state is not currently in a resource shortage state”. You may return to. For example, in the above example, in order to determine whether or not to change the route assignment, it is determined whether or not the threshold of “CPU usage rate 70%” is exceeded. A second threshold value “CPU usage rate 50%” is stored separately from “CPU usage rate 70%”, and this second threshold value “CPU” is used to determine whether or not it is possible to return to the original path. It may be determined whether the usage rate is less than 50%. However, the traffic whose route assignment has been changed may be operated as it is without returning to the original route. That is, for example, once the route assignment is changed, the route assignment control unit 132 starts monitoring with the state after the assignment as an initial state, and has exceeded the threshold value of “CPU usage rate 70%” in the route after the assignment, for example. In such a case, the control may be such that the route assignment is changed again.

  In the fourth embodiment, an example of searching for application servers that are geographically close to each other has been described. However, the embodiment is not limited to this. For example, when it is determined that an application that has fallen into a resource shortage state is an application that is resistant to delay (information on whether or not the application is resistant to delay is stored in advance), the path assignment control unit 132 Rather than searching for an alternative application server based on geographical location information, for example, the application server performance or the performance of the collective virtual router (high or low reliability, availability of bandwidth control, etc.) Also good. Alternatively, the alternative application server may be determined in advance. In this case, the route allocation control unit 132 may search the storage unit for information indicating a predetermined alternative application server.

  In the fourth embodiment, an example in which the threshold value “CPU usage rate 70%” is stored as a condition for determining whether or not a resource shortage state has occurred has been described. However, the embodiment is not limited to this. It is not something that can be done. For example, the inter-VPN connection management system 100 may use “disk free capacity for each application server”, “memory usage rate for each application server”, or the like as information for determining whether or not to borrow resources. For example, if the “disk free capacity for each application server” is smaller than a predetermined threshold, the inter-VPN connection management system 100 determines that a resource shortage state has occurred. Further, for example, the inter-VPN connection management system 100 determines that a resource shortage has occurred if the “memory usage rate for each application server” is greater than a predetermined threshold. In addition, when using these methods mentioned above, the VPN connection management system 100 memorize | stores the threshold value corresponding to each method in the determination condition memory | storage part 122 previously.

  Further, for example, the inter-VPN connection management system 100 flows the measurement packet on the route, or uses the user packet flowing on the route to measure the response time of the application, for example, and borrows the measurement value as a resource. If the measured value is larger than a predetermined threshold, it may be determined that a resource shortage state has occurred. The response time of the application can be measured by, for example, a firewall function provided in the address translation device or a probe set in a place where the influence of network delay is small. For example, since the firewall function can analyze a packet, the response time between a request packet and a response packet transmitted / received in a specific application can be measured. In this case, the inter-VPN connection management system 100 stores a threshold corresponding to the response time in the determination condition storage unit 122 in advance.

  In the fourth embodiment, the so-called pull-type monitoring in which the inter-VPN connection management system 100 spontaneously acquires information from the application server or OpS is assumed. However, the embodiment is not limited to this. For example, a threshold value “CPU usage rate 70%” is stored in the application server or OpS, and whether or not the application server or OpS exceeds the threshold value “CPU usage rate 70%” is determined at, for example, one minute intervals However, so-called push-type monitoring in which the application server or OpS notifies the inter-VPN connection management system 100 when it is determined that it has been exceeded may be used.

  In the fourth embodiment, the example in which all the traffic on the path for the application server in which the resource shortage state occurs is assigned to the path for the alternative application server has been described. However, the embodiment is limited to this. is not. For example, there may be a case where the service quality is deteriorated as compared with the case where the original application server is used, such as when the alternative application server is of another provider or is far away. In this case, it may be possible to preferentially guide the traffic from “Best Effort Class” to an alternative application server, or to preferentially guide an application server that is less sensitive to delay time to an application server that is far from the distance. It is done.

  In the fourth embodiment, the example in which all the traffic on the path for the application server in which the resource shortage state occurs is assigned to the path for the “one” alternative application server has been described. It is not limited to. For example, the inter-VPN connection management system 100 searches for “plurality” of application servers that replace application servers in which a resource shortage state has occurred, and instructs to instruct to allocate a path for the searched “multiple” alternative application servers Information may be transmitted to the DNS device 200. In this case, the DNS device 200 may prepare, for example, two IP addresses and sequentially respond to the two IP addresses in response to the name resolution request.

  In the fourth embodiment, the method for determining the resource shortage state has been described. However, the embodiment is not limited to this. For example, the inter-VPN connection management system acquires information indicating resource usage for each application server, and the acquired information corresponds to a predetermined condition (for example, a condition that the CPU usage rate becomes “0”). It is determined whether or not a server stop state has occurred. Further, when the inter-VPN connection management system 100 determines that the server stop state has occurred, the inter-VPN connection management system 100 searches for an application server that replaces the application server in which the server stop state has occurred, and is on the path for the application server in which the server stop state has occurred. Is sent to the DNS device 200 instructing to allocate the traffic to the route for the alternative application server.

  As described above, according to the fourth embodiment, it is possible to borrow other resources in response to a resource shortage state, and it is possible to appropriately control the route allocation. For example, if there is a shortage of resources in an intercloud environment, it is possible to borrow resources from other places. In addition, if the virtual router to be borrowed is determined in advance based on geographical location information (distance) and quality, route assignment can be controlled according to the tolerance to traffic delay and priority. Can maintain an appropriate service level.

(Fifth embodiment)
Although the first to fourth embodiments have been described so far, the present invention may be implemented in various different forms other than the above-described embodiment.

  For example, the various controls described in the first to fourth embodiments can be realized by appropriately combining them. For example, in the third modification of the second embodiment, the example has been described in which the aggregate virtual router that has been powered down is activated, the route is set to the activated aggregate virtual router, and the route is switched to this route. It is not limited to the case where the resource state becomes a high load state. For example, the present invention can be similarly applied when a network or resource state becomes a failure state.

  In the first embodiment, the DNS change method and the setting information change method have been described. However, these methods can be similarly applied to other embodiments.

  In the first to fourth embodiments, the DNS device has been described as the name resolution device. However, the embodiment is not limited to this. The name resolution device may be any device that responds to an IP address in response to a name resolution inquiry. For example, the name resolution device outputs a Web page that displays the correspondence between the second virtualization address and the name on the Web server, and accepts the access of the authenticated user, for example. Can be answered. Further, for example, the name resolution device may respond to the second virtualization address in response to the name resolution inquiry by e-mail or the like.

  In the first embodiment to the fourth embodiment, at least one piece of information is acquired from the flow rate of traffic flowing on the monitoring target route and the resource usage of the device installed on the monitoring target route. The example in which the predetermined state is determined using this information has been described, but the embodiment is not limited thereto. The timing for switching the route is arbitrary.

[Others]
In addition, among the processes described in the above embodiment, all or part of the processes described as being automatically performed can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Each processing function performed in each device may be realized in whole or in any part by a CPU and a program that is analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  The route control method described in the above embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via an IP network such as the Internet. The program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM (Compact Disk Read Only Memory), an MO (Magneto-Optical disk), a DVD (Digital Versatile Disk), etc. It can also be executed by reading from the recording medium.

DESCRIPTION OF SYMBOLS 100 Connection management system between VPNs 110 Communication part 111 Input part 112 Output part 113 Input / output control I / F part 120 Storage part 121 Connection information storage part between VPNs 122 Judgment condition storage part 123 Monitoring information storage part 124 Path allocation policy storage part 130 Control unit 131 Connection request receiving unit between VPNs 132 Route allocation control unit 133 Network resource monitoring unit 134 Determination unit

Claims (5)

A route control device that controls assignment of routes to a communication system that connects bases via a wide area network,
The communication system is:
An address for identifying the first terminal in the first base in the first base is used as a transmission source address, and an address for identifying the second terminal in the second base in the first base is used as a destination address. After the IP address is converted so that the address identifying the first terminal in the wide area network is the source address and the address identifying the second terminal is the destination address in the wide area network, The IP address is converted and transferred to the second base so that the address that identifies the terminal in the second base is the source address and the address that identifies the second terminal in the second base is the destination address. ,
A first route and a second route different from the first route are set as a route connecting the first site and the second site via the wide area network, and the second terminal is set within the first site. When different addresses are assigned to the first route and the second route as addresses to be identified, packets transmitted from the first site are routed to the second site via different routes according to the address. To reach,
The route control device
A storage unit that stores a correspondence relationship between a route, a name that identifies the second terminal, and an address that identifies the second terminal in the first base;
A determination unit that determines whether or not the state of the first route corresponds to a predetermined condition;
When the determination unit determines that the condition is satisfied and traffic on the first route is allocated to the second route, an address identified in the first base associated with the name that identifies the second terminal is: By setting an instruction to change the address for the first route from the address for the first route to the address for the second route in a name resolution device that responds to an address associated with the name in response to a name resolution request using a name. A route control device comprising: an assignment control unit that controls route assignment. A monitoring unit that acquires at least one piece of information from a flow rate of traffic flowing on the first route and a resource usage amount of a device installed on the first route from a device that collects the information;
The route control device according to claim 1, wherein the determination unit determines whether the information acquired by the monitoring unit satisfies a predetermined condition.   A route control program that causes a computer to function as the route control device according to claim 1. A route control method executed by a route control device that controls assignment of routes to a communication system that connects bases via a wide area network,
The communication system is:
An address for identifying the first terminal in the first base in the first base is used as a transmission source address, and an address for identifying the second terminal in the second base in the first base is used as a destination address. After the IP address is converted so that the address identifying the first terminal in the wide area network is the source address and the address identifying the second terminal is the destination address in the wide area network, The IP address is converted and transferred to the second base so that the address that identifies the terminal in the second base is the source address and the address that identifies the second terminal in the second base is the destination address. ,
A first route and a second route different from the first route are set as a route connecting the first site and the second site via the wide area network, and the second terminal is set within the first site. When different addresses are assigned to the first route and the second route as addresses to be identified, packets transmitted from the first site are routed to the second site via different routes according to the address. To reach,
The route control device includes a storage unit that stores a correspondence relationship between a route, a name that identifies the second terminal, and an address that identifies the second terminal in the first base,
A determination step of determining whether or not the state of the first path corresponds to a predetermined condition;
When it is determined that the condition is satisfied by the determination step and traffic on the first route is allocated to the second route, an address identified in the first base that is associated with a name that identifies the second terminal, By setting an instruction to change the address for the first route from the address for the first route to the address for the second route in a name resolution device that responds to an address associated with the name in response to a name resolution request using a name. And a route control method for controlling route assignment. A route control system including a route control device that controls assignment of a route to a communication system connecting bases via a wide area network,
The communication system is:
An address for identifying the first terminal in the first base in the first base is used as a transmission source address, and an address for identifying the second terminal in the second base in the first base is used as a destination address. After the IP address is converted so that the address identifying the first terminal in the wide area network is the source address and the address identifying the second terminal is the destination address in the wide area network, An address conversion device that converts an IP address so that an address that identifies the terminal in the second base is a source address and an address that identifies the second terminal in the second base is a destination address;
A first route and a second route different from the first route are set as a route connecting the first site and the second site via the wide area network, and the second terminal is set within the first site. When different addresses are assigned to the first route and the second route as addresses to be identified, packets transmitted from the first site are routed to the second site via different routes according to the address. To reach,
The route control device
A storage unit that stores a correspondence relationship between a route, a name that identifies the second terminal, and an address that identifies the second terminal in the first base;
A determination unit that determines whether or not the state of the first route corresponds to a predetermined condition;
When the determination unit determines that the condition is satisfied and traffic on the first route is allocated to the second route, an address identified in the first base associated with the name that identifies the second terminal is: By setting an instruction to change the address for the first route from the address for the first route to the address for the second route in a name resolution device that responds to an address associated with the name in response to a name resolution request using a name. An allocation control unit for controlling the allocation of the route,
The name resolution device
A name storage unit that associates and stores a name that identifies the second terminal and an address that identifies the second terminal within the first base;
A changing unit for changing an address associated with the name according to the instruction transmitted by the allocation control unit;
A path control system comprising: a name resolution unit that receives a name resolution request using a name, refers to the name storage unit using the name, and responds with an address associated with the name .

Images