JP7100967B2 - Network control devices, communication systems, network control methods, and programs - Google Patents

Description

The present invention relates to a network control technique in a network such as SD-WAN.

Currently, companies use SaaS (Software as a Service) represented by Office365 (registered trademark) for the purpose of reducing management man-hours and costs related to information systems, and improving productivity by improving the work environment regardless of devices. Is expanding rapidly. However, when SaaS is used, application processing that has been performed on a local terminal is performed via a network such as the Internet, so that the responsiveness is often deteriorated. Especially for office applications, the usage time is long and there is a lot of work content, so the dissatisfaction is likely to become apparent. This decrease in responsiveness is remarkable in regions where the line quality is relatively low, such as Asia and the Middle East, and as a result, there is a concern that the productivity improvement expected with the introduction of SaaS will not be obtained.

In the conventional corporate network, the terminals of the bases access SaaS on the Internet from the centralized bases such as the head office and data centers via firewalls and proxies, so they take a detour route and the delay becomes large. There was a problem that it cost a lot to secure the communication capacity for the Internet through the detour route. Direct Internet access (local breakout), etc., in which only SaaS communication is performed directly from the base via the Internet using SD-WAN products that identify and route the application to be used in order to omit communication on such detour routes. The number of companies that use the Internet is increasing.

When communicating directly to the Internet in this way, it is possible to eliminate the communication delay due to the detour route, but this time the local ISP will be used, so there will be an extra delay increase due to the influence of route fluctuations on the Internet. New problems such as the inability to avoid the occurrence of packet loss will occur.

Japanese Unexamined Patent Publication No. 2007-329549

As an existing technology to improve SaaS access from the base via the Internet, for example, the communication from the base to SaaS is connected to the managed network provided by the telecommunications carrier instead of the Internet, and WAN speedup is performed inside the managed network. There is technology. There is also a technique of installing a relay device on the Internet to control the connection route to SaaS to some extent.

However, regarding the technology that connects to the managed network provided by the telecommunications carrier instead of the Internet and speeds up the WAN inside the managed network, even if the WAN speed is speeded up inside the managed network, the route to SaaS is internally. If the control is not optimized, extra communication delay will occur in the end. In addition, if the managed network is not its own equipment, flexible route control and equipment expansion cannot be performed. Further, even if the communication is optimized inside the managed network, it is not necessarily optimized by End-End.

In addition, regarding the technique of installing a relay device on the Internet to control the connection route to SaaS to some extent, since the relay point is basically limited to one place, the route control is less flexible and the route is the Internet. When passing over, it is affected by route fluctuations and quality deterioration on the route along the way. Since it is difficult to share the relay device with a plurality of users, there is also a problem that if the relay device is used properly according to SaaS, the cost will increase significantly.

The present invention has been made in view of the above points, and by appropriately selecting a communication path for accessing the connection destination device from the terminal, it is possible to realize low cost and high quality access to the connection destination device. The purpose is to do.

According to the disclosed technology, a terminal, a SaaS (Software as a Service) for constructing a VPN between the terminal, a plurality of first gateway devices connected to the terminal via a first access network, and a plurality of first gateway devices. A network control device that executes control for a system including the SaaS and a plurality of second gateway devices connected via a second access network.
The quality of the first section, which is the section of the first access network between the terminal and the plurality of first gateway devices, and the communication business between the plurality of first gateway devices and the plurality of second gateway devices. Quality that collects the quality of the second section, which is the section of the backbone network provided by the person, and the quality of the third section, which is the section of the second access network between the plurality of second gateway devices and the SaaS. Collection department and
A first that constitutes a communication path between the terminal and the SaaS based on the quality of the first section, the quality of the second section, and the quality of the third section collected by the quality collecting unit. A selection unit that selects the gateway device and the second gateway device,
It is provided with a route control unit that executes route control so that communication between the terminal and the SaaS is via the route.
The quality collecting unit collects a plurality of types of qualities for each of the first section, the second section, and the third section, and the selection unit collects the terminal and the terminal for each of the plurality of types of qualities. A plurality of candidate routes for communication with SaaS are ranked, and a route to be used is selected from the plurality of candidate routes based on the ranking and the weight of each quality in the plurality of types of qualities. do
A network control device characterized by this is provided.

According to the disclosed technique, it is possible to realize high-quality access to the connected device at low cost by appropriately selecting a communication path for accessing the connected device from the terminal.

It is a block diagram of the system in 1st Embodiment. It is a figure for demonstrating the quality measurement section. It is a figure which shows the Internet breakout from POP. It is a block diagram of a VPN terminal. It is a block diagram of a gateway. It is a hardware block diagram of the apparatus. It is a flowchart for demonstrating the operation example of the system in 1st Embodiment. It is a figure which shows the example of the quality data collected and stored by the End-End quality collecting unit 101. It is a figure which shows the example of the connection destination IP address for each SaaS. It is a figure which shows the routing table of VPN terminal A. It is a figure which shows the routing table of VPN gateway C. It is a figure which shows the routing table of VPN gateway F. It is a figure which shows the weighting table. It is a block diagram of the system in 2nd Embodiment. It is a figure which shows the routing table of VPN gateway C. It is a block diagram of another example of the system in 2nd Embodiment. It is a flowchart for demonstrating the operation example of the system in 2nd Embodiment. It is a figure which shows the table for controlling an additional function. It is a block diagram of the system in 3rd Embodiment.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. The embodiments described below are merely examples, and the embodiments to which the present invention is applied are not limited to the following embodiments.

Hereinafter, the first to third embodiments will be described. In the following description, the configuration of the first embodiment is the basic configuration, and the configurations according to the second to third embodiments are added to the configurations of the embodiments described above. However, the first to third embodiments may be carried out independently.

In the embodiment of the present invention, SaaS is taken up and described as an example of the connection destination device of the terminal, but the present invention can be applied even when the connection destination device is not SaaS.

(First Embodiment)
<System configuration>
FIG. 1 shows the system configuration in the first embodiment. As shown in FIG. 1, the system in the first embodiment includes a VPN terminal A, a SaaS gateway C, a SaaS gateway E, and a NW (network) control device 100. The VPN terminal A is connected to the access network 20, and the SaaS-B is connected to the SaaS connection network 30.

Further, the VPN gateway C and the SaaS gateway E are connected to the POP (Point Of Presence) inter-network 10. In the system, the VPN terminal A, the VPN gateway C, the SaaS gateway E, the access network 20, the SaaS connection network 30, and the POP-to-POP network 10 constitute an SD-WAN NW infrastructure. In addition, "VPN gateway" and "SasaS gateway" may be generically referred to as "gateway" or "gateway device". In FIG. 1, the IP addresses assigned to the VPN terminals A and SaaS are shown. For example, the IP address of the VPN terminal A is A. A. A. A / A.

Although FIG. 1 shows only one VPN gateway that can communicate with the VPN terminal A, in reality, one or a plurality of VPN gateways that can communicate with the VPN terminal A are provided. Similarly, one or more SaaS gateways capable of communicating with SaaS-B are provided. These one or more VPN gateways and one or more SaaS gateways are connected to the inter-POP network 10. In addition, one or more VPN terminals are provided. Also, there is one or more SaaS.

The substance of SaaS is an application server having an IP address, which may be referred to as a connection destination device.

It is assumed that each VPN terminal is installed at each end user's base as a device for terminating the VPN. Each VPN terminal is, for example, an SD-WAN router and may be referred to as a CPE. In the present embodiment, the VPN method constructed between the VPN terminal and SaaS is not limited to a specific method, but for example, a VPN using IPsec, DTLS, DMVPN, or the like can be used. However, VPN is not limited to them.

The VPN gateway and SaaS gateway are devices such as an SD-WAN router that accommodates VPNs of a plurality of users, and are mainly installed in a telecommunications carrier's station building (may be referred to as POP (Point Of Presence)). I assume that. However, the installation location of the VPN gateway and SaaS gateway is not limited to this. The VPN gateway may be set at a PaaS (Cloud operator), a Hub base of a company, or the like.

Each VPN terminal and each SaaS is connected to the gateway via an access network. In the example of FIG. 1, the VPN terminal A is connected to the VPN gateway C via the access network 20, and the SaaS-B is connected to the SaaS gateway E via the SaaS connection network 30 (example of the access network).

The access network is not limited to a specific network, but is, for example, Internet, LTE, MPLS, and the like. Further, the access network is not limited to one, and may be a hybrid network composed of a plurality of types of networks.

All VPN gateways and SaaS gateways in this embodiment are interconnected by the POP-to-POP network 10. The inter-POP network 10 is a backbone network provided by a carrier (communication carrier), and is a high-quality network in which communication quality and bandwidth are compensated, such as an Internet backbone network and an MPLS network. However, it is not limited to these. The POP-to-POP network 10 may be referred to as an Underlay backbone network.

The NW control device 100 can communicate with each gateway, each VPN terminal, etc. by a control network or the like.

As shown in FIG. 1, the NW control device 100 includes an End-End quality collection unit 101, a gateway automatic selection unit 102, and a VPN route control unit 103.

The End-End quality collecting unit 101 is a functional unit that collects the quality of the line between the VPN terminal and the SaaS in End-End. This functional unit mainly collects delay data as the total value of three sections, but the quality of collection is not limited to delay data. Data such as packet loss and bandwidth (throughput) may be collected and used as an index.

As shown in FIG. 2, the above-mentioned three sections are the following sections 1 to 3.

Section 1: Section of the access network 20 between the VPN terminal A and the VPN gateway C Section 2: Section of the POP-to-POP network 10 between the VPN gateway C and the SaaS gateway E Section 3: The section of the SaaS gateway E and the connection destination Section of SaaS Connection Network 30 between SaaS-B The above example is based on the configuration of FIG. 2, but more generally, section 1 includes a VSS terminal and one or more VPN gateways. Section 2 is the section of the inter-POP network 10 between one or more GBP gateways and one or more SaaS gateways, and section 3 is the section of one or more networks. It is a section of the network between the SaaS gateway and the SaaS to be connected.

In addition, the End-End quality collection unit 101 collects quality data for the route connecting to SaaS via the Internet directly from each gateway (breakout) without using any of the sections 1 to 3. That is, quality data for the route K and the route L shown in FIG. 3 are also collected. If the Internet breakout is not allowed, or if the Internet breakout is performed regardless of the quality, the quality data for the route K and the route L may not be collected.

The gateway automatic selection unit 102 is a functional unit that determines which VPN gateway and which SaaS gateway to use when a specific VPN terminal connects to the SaaS of the connection destination. The End-End quality collection unit 101 constantly (eg, periodically) collects quality data for each of the above sections 1 to 3 for each SaaS to be connected and for each candidate route, and the gateway automatic selection unit 102 receives the quality data. Based on the collected quality data, the process of selecting the optimum route from the candidate routes is performed.

As an example, the gateway automatic selection unit 102 analyzes the delay data and selects the route having the smallest total value of the quality values of the three sections for each connection destination of SaaS.

The VPN route control unit 103 controls the transit gateway so that the communication between the VPN terminal and SaaS is passed in the order of the VPN gateway selected by the gateway automatic selection unit 102, the POP inter-network 10, the SaaS gateway, and the SaaS. Specifically, the VPN route control unit 103 executes route control by inputting a routing table to the target device. As an exception, if the quality of the route connecting to SaaS via the Internet directly from each gateway (breakout) without using any of sections 1 to 3 is improved by connecting via the route. , You can also select a connection that breaks out to the Internet.

FIG. 4 is a functional configuration diagram of the VPN terminal 200 used as each VPN terminal in the present embodiment. As shown in FIG. 4, the VPN terminal 200 has a communication unit 210, a route determination unit 220, and a data storage unit 230. The communication unit 210 has a function of transmitting the input packet toward the route determined by the route determination unit 220. The route determination unit 220 has a function of determining a packet transmission route based on a packet destination IP address, a routing table, or the like. The data storage unit 230 receives and stores the routing table from the NW control device 100.

FIG. 5 is a functional configuration diagram of the gateway 300 used as each gateway in the present embodiment. As shown in FIG. 5, the gateway 300 has a communication unit 310, a route determination unit 320, and a data storage unit 330. The communication unit 310 has a function of transmitting the input packet toward the route determined by the route determination unit 320. The route determination unit 320 has a function of determining a packet transmission route based on a packet destination IP address, a routing table, or the like. The data storage unit 330 receives and stores the routing table from the NW control device 100.

Each of the above-mentioned devices (NW control device 100, VPN terminal 200, gateway 300) executes a program in which the processing contents described in the present embodiment (the same applies to the second to third embodiments) are described in the computer. It is feasible by letting it. That is, the function of the device can be realized by executing a program corresponding to the processing performed by the device using hardware resources such as a CPU and a memory built in the computer. The above program can be recorded on a computer-readable recording medium (portable memory, etc.), stored, and distributed. It is also possible to provide the above program through a network such as the Internet or e-mail.

FIG. 6 is a diagram showing a hardware configuration example of the above device. The device of FIG. 6 includes a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, and the like, which are connected to each other by a bus BS, respectively. The above-mentioned devices (NW control device 100, VPN terminal 200, gateway 300) may not be provided with the display device 1006 and the input device 1007.

The program that realizes the processing in the apparatus is provided by, for example, a recording medium 1001 such as a CD-ROM or a memory card. When the recording medium 1001 storing the program is set in the drive device 1000, the program is installed in the auxiliary storage device 1002 from the recording medium 1001 via the drive device 1000. However, the program does not necessarily have to be installed from the recording medium 1001, and may be downloaded from another computer via the network. The auxiliary storage device 1002 stores the installed program and also stores necessary files, data, and the like.

The memory device 1003 reads and stores the program from the auxiliary storage device 1002 when the program is instructed to start. The CPU 1004 realizes the function related to the device according to the program stored in the memory device 1003. The interface device 1005 is used as an interface for connecting to a network. The display device 1006 displays a GUI (Graphical User Interface) or the like by a program. The input device 1007 is composed of a keyboard, a mouse, buttons, a touch panel, and the like, and is used for inputting various operation instructions.

<System operation>
Hereinafter, an operation example of the system according to the present embodiment shown in FIG. 1 will be described according to the procedure of the flowchart of FIG.

As shown in FIG. 7, first, the End-End quality collecting unit 101 of the NW control device 100 collects quality (S101). Subsequently, the gateway automatic selection unit 102 executes route selection (S102), and the VPN route control unit 103 executes route control (S103). Hereinafter, an operation example of each step will be described in detail.

<S101: Quality collection>
As described above, the End-End quality collecting unit 101 sets the quality of each of the sections 1 to 3 shown in FIG. 2 and the quality of each of the routes K and L shown in FIG. 3, for example, at predetermined time intervals. Collect at. The quality collection method is not limited to a specific method, but for example, there is a method of causing the device to measure various qualities by sending a test packet to the device at the end point of the section and acquiring the measurement result from the device. ..

FIG. 8 shows an example of quality data collected and stored by the End-End quality collecting unit 101. Here, the case where the delay is collected is shown as an example of quality data. The first line of the quality data in FIG. 8 shows the total of the delay in the section between VPN terminal A and VPN gateway C, the delay in the section between VPN gateway C and SaaS gateway E, and the delay in the section between SaaS gateway E and SaaSS-B. It shows that it is 10 ms. The second line shows that the total of the delay in the section between VPN terminal A and VPN gateway D, the delay in the section between VPN gateway D and SaaS gateway F, and the delay in the section between SaaS gateway F and SaaS gateway F is 20 ms. Shows. The third line is the delay related to the route L in FIG. 3, and the total delay of the section of VPN terminal A to VPN gateway C and the delay of the section of VPN gateway C to SaaSB via the Internet 40 is 40 ms. It shows that there is. The fourth line is the delay related to the route K in FIG. 3, and indicates that the delay in the section between the VPN terminals A and SaaSB via the Internet 40 is 60 ms.

Further, although FIG. 8 shows that the total value of the qualities of the three sections is stored, the quality of each section may be stored. More generally, when focusing on a certain terminal (referred to as VPN terminal A) and a certain SaaS (referred to as SaaS-B) as a connection destination, the End-End quality collection unit 101 may be one or more with the VPN terminal A. The quality of section 1 between the VPN gateways and the VPN gateways is collected for each of the one or more VPN gateways, and the POP-to-POP network between the one or more VPN gateways and the one or more SaaS gateways. The quality of section 2 is collected for all combinations of one or more VPN gateways and one or more SaaS gateways, and the quality of section 3 between the one or more SaaS gateways and SaaS-B. Collect for each of the one or more SaaS gateways.

Further, in FIG. 8, the VPN terminal A has an IP address of the connection destination of SaaS-B: B.I. B. B. Only the information when connecting to the B / B is shown. In reality, there may be a plurality of connection destination IP addresses for each of the plurality of SaaS, and the End-End quality collection unit 101 collects and retains quality data for each of the plurality of IP addresses.

That is, when a VPN terminal tries to connect to a specific SaaS, there may be a plurality of connection destination IP addresses, but since quality data is retained for each connection destination IP address, which VPN terminal is used? Even when connecting to the connection destination IP address, the route selection according to the present embodiment can be applied.

Normally, the connection destination IP address varies for each SaaS. Therefore, in the present embodiment, the End-End quality collection unit 101 manually or automatically generates and holds a table of connection destination IP addresses for each SaaS as shown in FIG. In the example of FIG. 9, a and b are shown as SaaS, and the respective FQDN and the IP address for each FQDN are shown.

When automatically creating and holding a table, for example, the End-End quality collection unit 101 periodically reads the information of the connection destination IP address using the RSS feed or API published by the SaaS provider. , Update by reflecting in the table of FIG. As an example, Office365 (registered trademark) publishes IP addresses at the URL "https://support.content.office.net/en-us/static/O365IPAddresses.xml" as public information, so this is regularly posted. It is possible to get it.

Further, in the example of FIG. 8, the delay value is held as quality data, but this is only an example. Packet loss, bandwidth, etc. may be collected and retained for each section. Further, the type of quality to be collected may be different for each section.

The quality collected for a section of the End-End quality collection unit 101 is one-way quality (eg, delay in the direction from the VPN gateway to the SaaS gateway and / or delay in the direction from the SaaS gateway to the VPN gateway). ) Or the quality in both directions (eg, round-trip delay).

<S102: Route selection>
Subsequently, the gateway automatic selection unit 102 determines the optimum transit gateway when the VPN terminal connects to a certain SaaS connection destination IP address based on the quality data collected by the End-End quality collection unit 101. select. For example, as shown in FIG. 1, when the VPN terminal A connects to SaaS-B, information indicating that the VPN terminal A is trying to connect to the connection destination IP address (BBBB / B). Is notified from the VPN terminal A to the NW control device 100. Based on this, the gateway automatic selection unit 102 determines that the quality between the VPN terminal A and the connection destination IP address (BBBB / B) is the best based on the collected and held quality data. Route (that is, VPN gateway and SaaS gateway) is selected.

Here, when the quality data is as shown in FIG. 8, the route having the smallest delay between the VPN terminal A and the SaaS connection destination IP address (BBBB / B) is the VPN. Since the route passes through the gateway C and the SaaS gateway E, the gateway automatic selection unit 102 selects the VPN gateway C and the SaaS gateway E constituting the route as the optimum gateway.

<S103: Route control>
When the gateway is selected by the gateway automatic selection unit 102, the VPN route control unit 103 performs route control in the VPN. The route control is performed by the VPN route control unit 103 setting a routing table for the corresponding device.

FIG. 10 shows an example of a routing table set in the VPN terminal A. According to the routing table shown in FIG. 10, the destination is B. B. B. The B / B packet is forwarded to the VPN gateway C.

FIG. 11 shows an example of a routing table set in the VPN gateway C. According to the routing table shown in FIG. 11, the destination is B. B. B. The B / B packet is forwarded to the SaaS gateway E.

FIG. 12 shows an example of a routing table set in the SaaS gateway E. According to the routing table shown in FIG. 12, the destination is B. B. B. The B / B packet is forwarded to SaaS-B.

By setting the routing table shown in FIGS. 10 to 12, the connection destination IP address of SaaS from VPN terminal A: B. B. B. Communication to the B / B is via the VPN gateway C and the SaaS gateway E. In the present embodiment (similar to other embodiments), the description mainly focuses on the traffic transmitted from the VPN terminal A, but the same control is applied to the traffic in the direction received by the VPN terminal A. Is possible.

<S102: Details of route selection>
Hereinafter, an example of the route selection process executed by the gateway automatic selection unit 102 will be described in more detail.

As a criterion for the gateway automatic selection unit 102 to select the optimum route, in the examples so far, the criterion that the quality indicated by the total value of the quality of the three sections is the best is used, but other indicators are combined. It is also possible to make a judgment using the above criteria. For example, a. Delay value, b. Packet loss, and c. It is possible to make a judgment by combining three indexes of bandwidth (throughput). These three are also examples, and other indicators may be added as long as they are indicators that can be automatically and periodically acquired. Hereinafter, an example of selecting a route from a VPN terminal to a SaaS by combining a plurality of indexes will be described.

When there are n POPs that can be controlled by the NW control device 100 in the world, two gateways to be connected to the POP-to-POP network 10 are selected, one is an inlet and the other is an exit. Therefore, _{two n} Cs (= n (n-1)). There are as many routes (candidate routes) as there are combinations of) / 2). A total of n (n-1) / 2 + n + 1 = N, including n routes that access the connection destination directly from the POP via the Internet and one route that accesses the connection destination directly from the VPN terminal via the Internet.
Route exists as a route from the VPN terminal to SaaS. As described above, let this total number be N. Routes are ranked based on the measurement results for each index measured for each of these routes.

This ranking is different for each index. As an example, the case where the above-mentioned indicators a, b, and c are used will be described. When the delay value of a is used as the index, the total value of the three sections of FIG. 2 or the route section via the Internet as described in the previous examples. Is the smallest route. When the packet loss of b is used as an index, the route having the smallest packet loss rate from the VPN terminal to SaaS is considered to be good. When the band c is used as an index, the section with the lowest value is set as the bottleneck section of the route, and the bottleneck band, which is the band of the bottleneck section, is compared between the routes, and this bottleneck band is used. The higher the value, the better. It should be noted that the index value in section 1, the index value in section 2, and the index value in section 3 are each multiplied by a weight, and the index value of each section multiplied by the weight is used to consist of section 1, section 2, and section 3. The index value for one route may be obtained.

As described above, ranking is performed for each index, and relative scores are created as N-1, N-2, ..., 0 in order from the one with the best value. The final judgment score is created by multiplying this relative score by a weighting value that can be set by the user or the telecommunications carrier for each SaaS for each index.

As an example, the final judgment score of the route in which the ranking of the weighting value 10 on the index a is 1st, the ranking of the weighting value 5 on the index b is 3rd, and the ranking of the weighting value 3 on the index c is 5x is 10 ×. (N-1) + 5 x (N-3) + 3 x (N-5) = 18N-30
Will be. The gateway automatic selection unit 102 selects the route having the highest final determination score as the connection route to the corresponding SaaS. Assuming that the index is a variable x that exists, the weight of each index is K _x , and the quality rank of each index is the variable a _x , the generalized final score is

で表される。

It is represented by.

It should be noted that which weight of which index is to be used may be determined in advance for each SaaS (service), and may be held by the gateway automatic selection unit 102 as a table as shown in FIG. The gateway automatic selection unit 102 calculates a determination score using the weight corresponding to SaaS to be route selection.

Communication is optimized by performing communication with the route having the highest ranking determined based on the above-mentioned determination score as the highest priority route. However, routes lower than the first place may also be used to improve fault tolerance.

For example, the VPN route control unit 103 holds information on one or more routes (eg, the second-position route and the third-position route) lower than the first-position route, and an abnormality occurs in the first-position route. In this case, by setting the routing table for the VPN terminal and each gateway so that communication is performed on the 2nd place route (or 3rd place route), high-speed switching can be performed without recalculation for route selection. It will be possible to do. In this way, the quality of communication using the highest priority route is improved, and the fault tolerance is improved by holding the other priority routes.

(Second embodiment)
Next, the second embodiment will be described. The second embodiment is an embodiment in which an additional function providing device such as a device for providing a WAN acceleration function is added to the first embodiment. Hereinafter, the configurations and operations added to the first embodiment will be mainly described.

In the example shown in FIG. 14, the WAN acceleration function G is added between the VPN gateway C and the inter-POP network 10, and the WAN acceleration function H is added between the SaaS gateway E and the inter-POP network 10. The WAN acceleration functions G and H further improve the quality of the POP tube network 10 in the section 2. The WAN acceleration function may be added between all gateways, or may be added only between some gateways.

As the WAN acceleration functions G and H, for example, a commercially available WAN acceleration device can be used. Further, a customized device having a special WAN acceleration function may be used.

Further, an additional function control unit 104 is added to the NW control device 100. The VPN route control unit 103 executes an operation not found in the first embodiment. The NW control device 100 of FIG. 14 shows only the functional unit appearing in the operation description of the present embodiment.

In order to further speed up the communication of the POP-to-POP network 10 between the VPN gateway C and the SaaS gateway E, the end user sets the necessary speed-up policy via the additional function control unit 104 to the WAN speed-up functions G and H. Set to. The acceleration policy includes, for example, an IP address, cache size, protocol type, etc., but is not limited to these, and all WAN acceleration policies are subject to setting. The additional function control unit 104 can also control the FEC (Forward Error Correction) function, which will be described later, in the same manner as the WAN acceleration function.

After that, the VPN route control unit 103 controls the VPN route so that the traffic via the POP-to-POP network 10 passes through the WAN acceleration functions G and H. FIG. 15 is an example of a routing table set in the VPN gateway C by the VPN route control unit 103. By the route setting of FIG. 15, the traffic from the VPN terminal A to the connection destination IP address (BBBB / B) of SaaS passes through the WAN acceleration function G. The WAN acceleration function for speeding up the section 2 can be applied only to communication between a specific VPN terminal and a specific SaaS, or communication via a gateway to which the WAN speedup function is connected. It can also be applied to the whole. The same applies to the FEC function described later.

Note that FIG. 14 is only an example of the arrangement of the WAN acceleration function. The WAN acceleration function can be placed at any location where speed increase is desired. For example, as shown in FIG. 16, by adding the WAN acceleration functions I and J above the VPN terminal A, it is possible to increase the speed in the section 1 (VPN terminal A to VPN gateway C).

Further, it is an example to have a WAN speed-up function as an additional function. For example, in addition to the WAN acceleration function, or instead of the WAN acceleration function, the FEC function may be applied to each of the sections 1 and 2 in FIG. For example, each WAN acceleration function shown in FIGS. 14 and 16 may be replaced with the FEC function, and the FEC function is added at the same position as each WAN acceleration function shown in FIGS. 14 and 16. You may. As for the FEC function, it is assumed that a commercially available device is used, but a special customized device is also targeted.

Further, the additional functions (here, the WAN acceleration function and the FEC function) can be linked with the above-mentioned indicators (eg, a. Delay value, b. Packet loss, c. Bandwidth (throughput)).

For example, when the additional function control unit 104 refers to the value of the index collected by the End-End quality collection unit 101 and the throughput in the route from a VPN terminal to SaaS becomes lower than a predetermined threshold value. Automatically enable the WAN acceleration function according to the preset policy. Similarly, for example, the FEC function can be automatically enabled when the packet loss in the route exceeds a predetermined threshold value.

FIG. 17 shows a flowchart when the above operation is applied to all additional functions. As described above, the End-End quality collecting unit 101 collects and holds the quality data of each route for each section (S201).

The additional function control unit 104 refers to the quality data collected by the End-End quality collection unit 101 for a certain route to be controlled, and satisfies a predetermined condition (eg, the packet loss exceeds a predetermined threshold value). It is determined whether or not the condition is satisfied (S202).

When the determination result of S202 is Yes (that is, when the condition is satisfied), the additional function control unit 104 turns the additional function in the path from OFF to ON (S203). If it is already ON, the ON state is continued. More specifically, the additional function in the additional function providing device is turned ON.

Further, when the determination result of S202 is No (that is, when the condition is not satisfied), the additional function control unit 104 turns the additional function in the path from ON to OFF (S204). Alternatively, if it is already OFF, the OFF state is continued.

As described above, it is possible to automatically enable or disable the additional function of correcting the index value in conjunction with the numerical value of the index for each route. This makes it possible to automatically use functions that are required only in specific situations. In particular, since the additional function for section 2 can be shared by multiple users, by automatically enabling and disabling the additional function of the network in this way, only the amount of the additional function used for each user is used. It will also be possible to provide a new service model for charging.

Further, a threshold value and a control target additional function may be determined for each SaaS, and the additional function control unit 104 may hold them as a table as shown in FIG. By referring to the table, the additional function control unit 104 can determine an index and its threshold value used for ON / OFF determination for each SaaS, and an additional function to be controlled.

(Third embodiment)
Next, a third embodiment will be described. The third embodiment is an embodiment in which a configuration for speeding up access to SaaS is added to the first embodiment or the second embodiment. Hereinafter, the configurations and operations added to the first embodiment or the second embodiment will be mainly described.

As shown in FIG. 19, under the SaaS gateway E, a closed network 50 for making a closed connection between the SaaS gateway E and the SaaSS-B is connected. The closed network 50 may be additionally connected to the SaaS connection network 30 connected to the SaaS gateway E, or may be connected in place of the SaaS connection network 30. Further, the closed network may be referred to as a Direct Connect network. The closed network 50 is realized by a device related to an existing technique such as an 802.1q VLAN or a transmission device constituting a network such as MPLS.

In the present embodiment, in order to speed up the communication between the VPN terminal A and the SaaS-B, the VPN route control unit 104 causes the communication between the VPN terminal A and the SaaS-B to pass through the POP-to-POP network 10. Control the route. As a result, quality improvement such as high throughput and low delay can be achieved.

(Summary of embodiments, effects, etc.)
As described above, in the present embodiment, the connection to SaaS is made by using a direct connection to the Internet backbone held by the telecommunications carrier and a stable quality Underlay network infrastructure such as a pseudo-dedicated line service by MPLS. Optimize. Specifically, a base (POP) for relaying communication from a user base is established all over the world, and when using SaaS, most of the communication is optimized to be performed between these POPs.

In addition, as an example of optimization means, high-speed processing and communication correction such as FEC are performed as necessary for communication between POPs, and direct connection between various SaaS including Direct connect and POP in Underlay is used. It is also possible.

In addition, route control is performed for each SaaS by dynamically selecting the entrance to the POP and the exit to the SaaS from a plurality of candidates, which are optimal for accessing SaaS from each base.

With the above technology, it is possible to maximize the use of the carrier's UnderlayNW platform and optimize the communication path and communication method for each SaaS, thereby realizing high-reliability and high-quality SaaS access at low cost. be able to.

In this embodiment, at least the following devices, systems, methods, and programs are provided.
(Section 1)
A terminal, a connection destination device to which the terminal is connected, one or more first gateway devices capable of communicating with the terminal, and one or more second gateway devices capable of communicating with the connection destination device. A network control device that performs control over a system
The quality of the first section, which is the section of the network between the terminal and the one or more first gateway devices, and the one or more first gateway devices and the one or more second gateway devices. The quality of the second section, which is a predetermined network section between the two, and the quality of the third section, which is the section of the network between the one or more second gateway devices and the connection destination device, are collected. Quality collection department and
Based on the quality of the first section, the quality of the second section, and the quality of the third section collected by the quality collecting unit, a communication path between the terminal and the connected device is configured. A selection unit for selecting the first gateway device and the second gateway device, and
A network control device including a route control unit that executes route control so that communication between the terminal and the connection destination device goes through the route.
(Section 2)
The first item is characterized in that the quality collecting unit collects one or a plurality of addresses of the connected device and collects the quality of the third section for each of the one or a plurality of addresses. The network control device described.
(Section 3)
The quality collecting unit collects a plurality of types of qualities for each of the first section, the second section, and the third section, and the selection unit collects the terminal and the terminal for each of the plurality of types of qualities. A plurality of candidate routes for communication with the connection destination device are ranked, and the route to be used from the plurality of candidate routes is based on the order and the weight of each quality in the plurality of types of qualities. The network control device according to the first or second paragraph, which comprises selecting.
(Section 4)
In the system, an additional function providing device is provided on the communication path between the terminal and the connection destination device.
Items 1 to 3 are further provided with an additional function control unit that enables or disables the additional function provided by the additional function providing device based on the quality collected by the quality collecting unit. The network control device according to any one of the above.
(Section 5)
The network control device according to any one of items 1 to 4, wherein the predetermined network is a backbone network provided by a telecommunications carrier.
(Section 6)
The network control device according to any one of paragraphs 1 to 5, one or more first gateway devices capable of communicating with the terminal, and one or more capable of communicating with the connection destination device. A communication system including the second gateway device of the above.
(Section 7)
A terminal, a connection destination device to which the terminal is connected, one or more first gateway devices capable of communicating with the terminal, and one or more second gateway devices capable of communicating with the connection destination device. It is a network control method executed by a network control device that controls a system equipped with a gateway.
The quality of the first section, which is the section of the network between the terminal and the one or more first gateway devices, and the one or more first gateway devices and the one or more second gateway devices. The quality of the second section, which is a predetermined network section between the two, and the quality of the third section, which is the section of the network between the one or more second gateway devices and the connection destination device, are collected. Quality collection steps and
Based on the quality of the first section, the quality of the second section, and the quality of the third section collected by the quality collection step, a communication path between the terminal and the connected device is configured. A selection step for selecting the first gateway device and the second gateway device,
A network control method comprising: a route control step for executing route control so that communication between the terminal and the connection destination device goes through the route.
(Section 8)
A program for making a computer function as each part in the network control device according to any one of the items 1 to 5.

Although the present embodiment has been described above, the present invention is not limited to such a specific embodiment, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims. It is possible.

10 POP inter-network 20 Access network 30 SaaS connection network 40 Internet 50 Closed network 100 NW control device 101 End-End quality collection unit 102 Gateway automatic selection unit 103 VPN route control unit 104 Additional function control unit 200 VPN terminal 210 Communication unit 220 Route determination unit 230 Data storage unit 300 Gateway 310 Communication unit 320 Direction determination unit 330 Data storage unit B SAaS
G, H, I, J WAN Acceleration function 1000 Drive device 1001 Recording medium 1002 Auxiliary storage device 1003 Memory device 1004 CPU
1005 Interface device 1006 Display device 1007 Input device BS bus

Claims (7)

A SaaS (Software as a Service) that builds a DSN between a terminal and the terminal, a plurality of first gateway devices connected to the terminal via a first access network, and a SaaS and a second access network. A network control device that performs control over a system including a plurality of second gateway devices connected via a device.
The quality of the first section, which is the section of the first access network between the terminal and the plurality of first gateway devices, and the communication business between the plurality of first gateway devices and the plurality of second gateway devices. Quality that collects the quality of the second section, which is the section of the backbone network provided by the person, and the quality of the third section, which is the section of the second access network between the plurality of second gateway devices and the SaaS. Collection department and
A first that constitutes a communication path between the terminal and the SaaS based on the quality of the first section, the quality of the second section, and the quality of the third section collected by the quality collecting unit. A selection unit that selects the gateway device and the second gateway device,
It is provided with a route control unit that executes route control so that communication between the terminal and the SaaS is via the route.
The quality collecting unit collects a plurality of types of qualities for each of the first section, the second section, and the third section, and the selection unit collects the terminal and the terminal for each of the plurality of types of qualities. A plurality of candidate routes for communication with SaaS are ranked, and a route to be used is selected from the plurality of candidate routes based on the ranking and the weight of each quality in the plurality of types of qualities. do
A network control device characterized by that. A SaaS (Software as a Service) that builds a DSN between a terminal and the terminal, a plurality of first gateway devices connected to the terminal via a first access network, and a SaaS and a second access network. A network control device that performs control over a system including a plurality of second gateway devices connected via a device.
The quality of the first section, which is the section of the first access network between the terminal and the plurality of first gateway devices, and the communication business between the plurality of first gateway devices and the plurality of second gateway devices. Quality that collects the quality of the second section, which is the section of the backbone network provided by the person, and the quality of the third section, which is the section of the second access network between the plurality of second gateway devices and the SaaS. Collection department and
A first that constitutes a communication path between the terminal and the SaaS based on the quality of the first section, the quality of the second section, and the quality of the third section collected by the quality collecting unit. A selection unit that selects the gateway device and the second gateway device,
It is provided with a route control unit that executes route control so that communication between the terminal and the SaaS is via the route.
In the system, an additional function providing device is provided on the communication path between the terminal and the SaaS.
Further, an additional function control unit for enabling or disabling the additional function provided by the additional function providing device based on the quality collected by the quality collecting unit is provided.
A network control device characterized by that. The quality collection unit collects one or a plurality of addresses of the SaaS, and collects the quality of the third section for each of the one or a plurality of addresses, according to claim 1 or 2 . The network control device described. A communication system including the network control device according to any one of claims 1 to 3 , a plurality of first gateway devices capable of communicating with the terminal, and a plurality of second gateway devices capable of communicating with the SaaS. .. A SaaS (Software as a Service) that builds a DSN between a terminal and the terminal, a plurality of first gateway devices connected to the terminal via a first access network, and the SaaS and a second access network. It is a network control method executed by a network control device that controls a system including a plurality of second gateway devices connected via the above.
The quality of the first section, which is the section of the first access network between the terminal and the plurality of first gateway devices, and the communication business between the plurality of first gateway devices and the plurality of second gateway devices. Quality that collects the quality of the second section, which is the section of the backbone network provided by the person, and the quality of the third section, which is the section of the second access network between the plurality of second gateway devices and the SaaS. Collecting steps and
A first that constitutes a communication path between the terminal and the SaaS based on the quality of the first section, the quality of the second section, and the quality of the third section collected by the quality collection step. A selection step to select the gateway device and the second gateway device,
A route control step for executing route control so that communication between the terminal and the SaaS is routed via the route is provided.
In the quality collection step, a plurality of types of qualities are collected for each of the first section, the second section, and the third section, and in the selection step, the terminal and the terminal are collected for each of the plurality of types of qualities. A plurality of candidate routes for communication with SaaS are ranked, and a route to be used is selected from the plurality of candidate routes based on the ranking and the weight of each quality in the plurality of types of qualities. do
A network control method characterized by that. A SaaS (Software as a Service) that builds a DSN between a terminal and the terminal, a plurality of first gateway devices connected to the terminal via a first access network, and the SaaS and a second access network. It is a network control method executed by a network control device that controls a system including a plurality of second gateway devices connected via the above.
The quality of the first section, which is the section of the first access network between the terminal and the plurality of first gateway devices, and the communication business between the plurality of first gateway devices and the plurality of second gateway devices. Quality that collects the quality of the second section, which is the section of the backbone network provided by the person, and the quality of the third section, which is the section of the second access network between the plurality of second gateway devices and the SaaS. Collecting steps and
A first that constitutes a communication path between the terminal and the SaaS based on the quality of the first section, the quality of the second section, and the quality of the third section collected by the quality collection step. A selection step to select the gateway device and the second gateway device,
A route control step for executing route control so that communication between the terminal and the SaaS is routed via the route is provided.
In the system, an additional function providing device is provided on the communication path between the terminal and the SaaS.
Further provided with an additional function control step for enabling or disabling the additional function provided by the additional function providing device based on the quality collected by the quality collection step.
A network control method characterized by that. A program for making a computer function as each part in the network control device according to any one of claims 1 to 3 .

Images