TW201911068A - Virtual private network service provisioning system that supports diverse end-to-end network isolation - Google Patents
- Publication number: TW201911068A
- Application number: TW106126451A
- Authority: TW (Taiwan)
- Prior art keywords: virtual, network, traffic, virtual private, private network
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L49/00—Packet switching elements
- H04L49/25—Routing or path finding in a switch fabric
- H04L49/252—Store and forward routing
- H04L49/35—Switches specially adapted for specific applications
- H04L49/354—Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention relates to virtual private networks, and in particular to a virtual private network service provisioning system that can support a diversity of architectures.
A virtual private network (VPN) uses tunneling together with security techniques such as encryption and decryption over the public Internet to build a private, secure network. Unlike a traditional private network, a VPN needs no dedicated lines: using communication-protocol technology alone, it obtains the security of a leased line at the low price of Internet access. A VPN also scales more flexibly than a traditional private network: adding sites is convenient, connection bandwidth can be increased on demand, and existing access technologies can be reused without changing the existing architecture. A VPN therefore has lower equipment investment costs and simpler management and maintenance.
Although current VPNs can already establish point-to-point or point-to-multipoint VPN connections using technologies such as IP Security (IPsec), Multiprotocol Label Switching (MPLS), Generic Routing Encapsulation (GRE) and Dynamic Multipoint VPN (DMVPN), today's VPNs focus only on building a private enterprise network over the Internet to provide an intranet, an extranet linking upstream and downstream vendors or affiliated companies, and cross-border remote access.
Chinese patent CN106411735, "A routing configuration method and device", published on February 15, 2017, provides a routing configuration method and device applied to a controller in a software-defined network (SDN). In the proposed method, the controller configures the route target (RT) attribute of a tenant VPN instance and the routing policy of an external-network VPN instance, so that a gateway device sets RT attributes on routes received from different external-network devices according to the routing policy and matches each route's RT attribute against that of the tenant VPN instance; on a successful match the route is added to the tenant's VPN instance to direct tenant traffic toward the external network. That invention thereby allows routes on the gateway device to be updated dynamically.
However, current VPNs have not explored the following issues in depth. First, VPNs are widely used in wide area networks (WANs); how can a VPN be extended from the WAN side into the enterprise local area network (LAN) and data center to achieve multipoint-to-multipoint end-to-end network isolation? Second, all users' traffic is mixed on the same circuit; how can the different types of traffic be isolated from one another? Third, there is no dynamic, flexible provisioning and access-control mechanism based on time management. The prior art therefore still has these problems to solve in practical use.
In view of this, the object of the present invention is to provide a virtual private network (VPN) service provisioning system supporting diverse end-to-end network isolation, which uses network function virtualization and software-defined networking to schedule network configuration flexibly and extends the current VPN from the WAN into the enterprise LAN and data center.
The invention provides end-to-end, high-security network-isolation service provisioning and steers traffic according to its type. This resolves the security problem in current enterprise LANs, where all traffic travels on one circuit and shares one routing table, so that the compromise of a single enterprise system does not put the enterprise's other systems at risk. The invention further proposes a network access-control mechanism based on time-management policy and the blocking of illegitimate use, which improves the security of the enterprise VPN solution and reduces the cost of building and operating the VPN.
A VPN service provisioning system supporting isolation of diverse end-to-end network architectures that achieves the above object consists of the following: a virtualization management platform, a virtual network control module, virtual routers and a network controller hosted on a server, together with a physical switch or a virtual switch. The virtual routers take over traffic processing on the basis of network function virtualization. The network controller dynamically orchestrates the operation of the virtual routers on the basis of software-defined networking and establishes the correspondence between virtual private networks, local area networks and virtual local area network (VLAN) tags. The virtualization management platform allocates the hardware and network resources of the virtual routers. The physical or virtual switch receives instructions from the network controller that inject flow entries into the switch for traffic-forwarding decisions. According to the correspondence, the virtual routers steer the different traffic from the different LANs through the physical or virtual switch to the corresponding VPN.
Thus, through the virtualization management platform, multiple virtual routers can be deployed per traffic type to establish end-to-end virtual-network isolation, so that the different types of traffic are isolated from one another. The network controller manages the physical or virtual switch, decides the traffic-forwarding policy, and also provides a time-based dynamic and flexible provisioning mechanism for more effective and secure network access control. Finally, the physical or virtual switch forwards traffic packets, deciding the forwarding route from the destination Internet Protocol (IP) address and the VLAN tag of the traffic, which achieves end-to-end virtual-network security isolation while also reducing the cost of building and operating the VPN.
To make the above features and advantages of the invention clearer, embodiments are described in detail below with reference to the accompanying drawings.
The present invention is a VPN service provisioning system supporting diverse end-to-end network isolation. It proposes cost-effective, flexible provisioning and traffic steering based on network function virtualization and software-defined networking that supports end-to-end security isolation across multiple architectures, raises the end-to-end security of VPNs between the enterprise LAN, WAN and data center, and reduces the cost of building and operating the VPN.
A traditional VPN architecture is shown in Fig. 1. The local area network 18 contains user equipment A 14, user equipment B 15, user equipment C 16 and user equipment D 17, each generating a different type of traffic. These devices are interconnected through a layer-2 switch 13, and the devices in the LAN 18 connect through the physical router 11 that owns gateway Z 12, over the VPN 19, to user equipment at the enterprise's other branch sites; that is, all of these devices reach the enterprise's remote sites through the VPN. In this architecture, systems carrying different types of traffic can reach one another within the same LAN, all traffic is mixed onto one circuit, and all of it shares the routing table of the same router, which inevitably raises security issues. If a host or system of one type is compromised, the lack of end-to-end security isolation in the enterprise network can allow other systems to be compromised in turn and the enterprise's critical information systems to be attacked.
Fig. 2 is an architecture diagram of a VPN service provisioning system supporting diverse end-to-end isolation according to an embodiment of the invention. The system includes a server 27, a physical or virtual switch 26, a layer-2 switch 13 and user equipment 28 (for example, mobile phones, desktop computers or notebook computers).
The physical server 27 hosts a virtual router 21, a network controller 22, a time management module 23, a virtual network control module 24 and a virtualization management platform 25; the server 27 may execute these virtual components, platforms and software modules by means of a central processing unit (CPU), microprocessor, digital signal processor (DSP), programmable controller or the like.
The virtual router 21 is an open-source network operating system installed on a physical server (that is, the server 27) or on a virtual machine. In this embodiment, multiple virtual machines can be provisioned on a single server 27, with a virtual router 21 configured on each. The virtual router 21 takes over traffic processing on a general-purpose x86 platform using network function virtualization, and provides the network functions of a physical router, such as routing, network address translation, firewalling and VPN.
The network controller 22 supports a variety of open-source or commercial controllers and, in this embodiment, can be installed on a physical server (that is, the server 27) or on a virtual machine. Its main function is to manage the physical or virtual switch 26 through several communication protocols; it also provides management of terminal devices (such as the user equipment 28) and groups, network topology management, network access-policy management, traffic content control, traffic statistics and log management. On the basis of software-defined networking it dynamically orchestrates the operation of the virtual router 21 and establishes the correspondence between multiple VPNs, multiple LANs and multiple virtual local area network (VLAN) tags, such that each VPN and each LAN has a corresponding VLAN tag.
The virtual network control module 24 can be used with many virtualization management platforms 25; it is mainly responsible for establishing the connections between virtual machines and the physical network and among the virtual machines themselves. The time management module 23 receives time-management settings from the virtual network control module 24, controls the permitted network-access times of each user device, and blocks traffic to and from the user equipment 28 outside those times. The virtualization management platform 25 provides virtualization and resource-allocation management of compute, network and storage resources on a general-purpose x86 server, and allocates the hardware and network resources of the virtual router 21.
The physical or virtual switch 26 (a virtual switch 26 may be deployed on the server 27 or on another server, or run as a virtual machine) receives instructions from the network controller 22 that inject flow entries into the physical or virtual switch 26 for traffic-forwarding decisions. Traffic forwarding is described in the embodiments that follow.
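As an added illustration that is not part of the patent text, the following Python sketch shows the decision the time management module 23 makes for the switch: whether a user device, identified by its source IP and source MAC, is attempting access inside its permitted window. All addresses, windows and event lines are constructed sample data; the wrap-past-midnight rule, the default deny for unknown devices and the treatment of a known IP presented with a foreign MAC are design assumptions, not details stated in the patent.

```python
"""Time-management module (added illustration; not the patent's code): decide
whether a user device's network access falls inside its permitted window and
report the attempts that must be blocked.  Every address, window and event
line below is constructed sample data."""
from datetime import datetime, time

# Constructed policy keyed by (source IP, source MAC), since the switch checks
# both.  A window whose end is not after its start wraps past midnight; an
# identical start and end means the device is unrestricted.
ACCESS_WINDOWS = {
    ("10.0.1.14", "00:11:22:33:44:14"): (time(8, 0), time(18, 0)),   # device A, office hours
    ("10.0.2.15", "00:11:22:33:44:15"): (time(8, 0), time(18, 0)),   # device B, office hours
    ("10.0.2.16", "00:11:22:33:44:16"): (time(22, 0), time(6, 0)),   # device C, night batch window
    ("10.0.3.17", "00:11:22:33:44:17"): (time(0, 0), time(0, 0)),    # device D, unrestricted
}


def in_window(now, start, end):
    """True if `now` lies in [start, end), handling windows that cross midnight."""
    if start == end:
        return True
    if start < end:
        return start <= now < end
    return now >= start or now < end


def evaluate_event(line, policy=ACCESS_WINDOWS):
    """Parse one constructed event line 'ISO-timestamp src_ip src_mac' and
    return a verdict.  A device not in the policy is denied (default deny),
    so a known IP presented with a different MAC is treated as unknown."""
    ts, ip, mac = line.split()
    now = datetime.fromisoformat(ts).time()
    key = (ip, mac.lower())
    if key not in policy:
        return {"ip": ip, "mac": mac, "verdict": "block", "reason": "unknown device"}
    start, end = policy[key]
    if in_window(now, start, end):
        return {"ip": ip, "mac": mac, "verdict": "allow", "reason": "inside window"}
    return {"ip": ip, "mac": mac, "verdict": "block",
            "reason": f"outside {start:%H:%M}-{end:%H:%M}"}


# Constructed connection-attempt events, one per line.
SAMPLE_EVENTS = [
    "2017-08-01T09:15:00 10.0.1.14 00:11:22:33:44:14",  # A during office hours
    "2017-08-01T21:05:00 10.0.1.14 00:11:22:33:44:14",  # A after hours
    "2017-08-01T02:30:00 10.0.2.16 00:11:22:33:44:16",  # C inside its overnight window
    "2017-08-01T06:00:00 10.0.2.16 00:11:22:33:44:16",  # C exactly at the (exclusive) end
    "2017-08-01T12:00:00 10.0.2.16 00:11:22:33:44:16",  # C at midday
    "2017-08-01T12:00:00 10.0.2.16 00:11:22:33:44:99",  # C's IP with a foreign MAC
    "2017-08-01T03:00:00 10.0.3.17 00:11:22:33:44:17",  # D, unrestricted
]


def blocked_attempts(events=SAMPLE_EVENTS):
    """Return the blocked verdicts; the controller can turn each (ip, mac)
    into a deny flow entry on the physical or virtual switch."""
    return [v for v in map(evaluate_event, events) if v["verdict"] == "block"]


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(evaluate_event(line))
```

Checking the MAC together with the IP matters for the policy the text describes: a device that merely reuses an authorised address outside the owner's window is still denied, and the block verdicts are the natural input for the deny entries the controller pushes to the switch.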
To make the operation of the embodiments easier to understand, the traffic-routing architecture of the embodiments is described in detail below through several embodiments, with reference to the components and modules of Fig. 2. Each process of the embodiments can be adjusted to the implementation situation and is not limited to what is described.
Fig. 3 is an implementation architecture diagram of a hybrid end-to-end isolated VPN according to an embodiment of the invention. Its aim is to keep the existing physical router 11 while flexibly provisioning different virtual routers (for example, virtual router X 33 and virtual router Y 34) according to the enterprise's internal virtual-network design and the isolation needs of the different traffic types. Virtual router X 33 and virtual router Y 34 can be installed on virtual machines; their function is mainly to isolate the different types of traffic according to the VLAN tags of the traffic sent by the user equipment (user equipment A, B, C, D 14, 15, 16, 17) and steer it to the VPN 19, achieving end-to-end virtual-network isolation. Virtual router X 33, virtual router Y 34, the network controller 22, the time management module 23, the virtual network control module 24 and the virtualization management platform 25 are all deployed on a single server 27.
To accommodate different system applications and traffic types, the enterprise internal network is partitioned into several virtual local area networks (that is, LAN A, B, C 35, 36, 37) so that the different types of traffic are isolated from one another. For example, user equipment A 14 belongs to LAN A 35, user equipment B 15 and user equipment C 16 belong to LAN B 36, and user equipment D 17 belongs to LAN C 37. A user device's VPN connection can be flexibly configured to use the existing physical router 11 or the virtual routers X, Y 33, 34. The layer-2 switch 13 attaches a VLAN tag according to the LAN to which the device's traffic belongs (for example, traffic from user equipment A 14 is tagged Vlan A, and so on) and sends it to the physical or virtual switch 26. The physical or virtual switch 26 checks the traffic information (for example, the source IP address (IP1 to IP4) and the source Media Access Control (MAC) address (MAC1 to MAC4)) against the settings of the time management module 23 to decide whether the corresponding user device may access the network within the given time range. If access is permitted, the physical or virtual switch 26 forwards the traffic according to its VLAN tag to the corresponding gateway Z 12, gateway X 31 or gateway Y 32. The routing mechanism recorded in their routing tables is illustrated by the following example.
For example, Vlan A traffic sent by user equipment A 14 is steered through the layer-2 switch 13 and the physical or virtual switch 26 to the physical router 11 that hosts gateway Z 12. After the physical router 11 routes the traffic back to the physical or virtual switch 26, the switch decides from the VLAN tag of the received traffic that Vlan A traffic is to be sent over Vlan D to the VPN 19. Vlan B traffic sent by user equipment B 15 and user equipment C 16 is steered through the layer-2 switch 13 and the physical or virtual switch 26 to virtual router X 33, which hosts gateway X 31; after virtual router X 33 routes the traffic back to the switch 26, the switch decides from the VLAN tag that Vlan B traffic is to be sent over Vlan E to the VPN 19. Likewise, Vlan C traffic sent by user equipment D 17 is steered through the layer-2 switch 13 and the switch 26 to virtual router Y 34, which hosts gateway Y 32; after virtual router Y 34 routes the traffic back to the switch 26, the switch again decides from the VLAN tag that Vlan C traffic is to be sent over Vlan F to the VPN 19.
Similarly, traffic from the VPN 19 destined for user equipment A 14 is sent through the physical or virtual switch 26 to the physical router 11; after the physical router 11 routes it back to the switch 26, the switch sends it, according to its destination IP address, through the layer-2 switch 13 to user equipment A 14. Traffic from the VPN 19 destined for user equipment B 15 or user equipment C 16 is steered through the switch 26 to virtual router X 33; after virtual router X 33 routes it back to the switch 26, the switch likewise sends it, according to its destination IP address, through the layer-2 switch 13 to user equipment B 15 or user equipment C 16. Traffic from the VPN 19 destined for user equipment D 17 is routed by virtual router Y 34. In this way, because the traffic of different VLANs uses different physical or virtual routers and different routing tables, physical isolation of the routing tables and end-to-end virtual-network isolation are achieved.
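As an added illustration that is not part of the patent text, the following Python sketch covers both the flow entries that the network controller 22 injects into the physical or virtual switch 26 and the VLAN-tag routing walked through above for Fig. 3. The VLAN IDs, subnets, port names, the OpenFlow-like action shorthand (`output:`, `set_vlan:`, `drop`), the deny-entry priorities and the blocked-device set are assumptions; the gateway names follow the figure. It generalizes the three cases in the text slightly: because a router is only a port name in the table, the same entries serve the unified architecture of Fig. 4 once gateway Z is hosted by virtual router Z 41, and a fourth constructed packet shows what happens to LAN-to-LAN traffic.

```python
"""Controller-side flow entries and a switch-side forwarding walk for the
hybrid architecture of Fig. 3 (added illustration; not the patent's code).
VLAN IDs, subnets, port names, the action shorthand and the blocked-device
set are constructed; gateway names follow the figure."""
from ipaddress import ip_address, ip_network

# Constructed correspondence held by the network controller: each LAN has an
# inbound tag (Vlan A/B/C in the text), its own gateway with its own routing
# table, and the outbound tag (Vlan D/E/F) used toward the VPN.
LAN_TABLE = {
    "LAN_A": {"subnet": ip_network("10.0.1.0/24"), "vlan_in": 10, "vlan_out": 40, "gateway": "gateway_Z"},
    "LAN_B": {"subnet": ip_network("10.0.2.0/24"), "vlan_in": 20, "vlan_out": 50, "gateway": "gateway_X"},
    "LAN_C": {"subnet": ip_network("10.0.3.0/24"), "vlan_in": 30, "vlan_out": 60, "gateway": "gateway_Y"},
}

# Constructed: the (src_ip, src_mac) pairs the time management module rejected.
BLOCKED = {("10.0.1.14", "00:11:22:33:44:14")}


def build_flow_entries(lan_table=LAN_TABLE, blocked=BLOCKED):
    """Return (priority, match, actions) entries, highest priority first.
    Deny entries for blocked devices outrank every steering entry, and a
    table-miss entry drops anything the mapping does not cover."""
    entries = []
    for ip, mac in sorted(blocked):
        entries.append((300, {"in_port": "l2_switch", "ipv4_src": ip, "eth_src": mac}, ("drop",)))
    for cfg in lan_table.values():
        gw, vin, vout, net = cfg["gateway"], cfg["vlan_in"], cfg["vlan_out"], cfg["subnet"]
        # LAN -> its own gateway, chosen by the inbound VLAN tag
        entries.append((200, {"in_port": "l2_switch", "vlan_vid": vin}, (f"output:{gw}",)))
        # gateway -> LAN when the destination IP is local; checked before the VPN rule
        entries.append((210, {"in_port": gw, "ipv4_dst": net}, (f"set_vlan:{vin}", "output:l2_switch")))
        # gateway -> VPN, re-tagged onto the outbound VLAN
        entries.append((200, {"in_port": gw, "vlan_vid": vin}, (f"set_vlan:{vout}", "output:vpn")))
        # VPN -> gateway, chosen by the outbound VLAN tag
        entries.append((200, {"in_port": "vpn", "vlan_vid": vout}, (f"set_vlan:{vin}", f"output:{gw}")))
    entries.append((0, {}, ("drop",)))
    return sorted(entries, key=lambda e: -e[0])  # stable: insertion order kept within a priority


def _matches(match, pkt):
    for field, want in match.items():
        if field == "ipv4_dst":
            if "ipv4_dst" not in pkt or ip_address(pkt["ipv4_dst"]) not in want:
                return False
        elif pkt.get(field) != want:
            return False
    return True


def switch_step(entries, pkt):
    """Apply the first matching entry and return (actions, updated packet)."""
    for _, match, actions in entries:
        if _matches(match, pkt):
            pkt = dict(pkt)
            for act in actions:
                if act.startswith("set_vlan:"):
                    pkt["vlan_vid"] = int(act.split(":", 1)[1])
            return actions, pkt
    raise RuntimeError("unreachable: the table-miss entry matches everything")


def walk(pkt, entries=None):
    """Follow a packet through the switch until it leaves toward the VPN or
    the layer-2 switch, or is dropped.  A gateway is modelled as routing the
    packet straight back to the switch on the gateway's own port, which is
    what the physical and virtual routers of Fig. 3 do."""
    entries = build_flow_entries() if entries is None else entries
    hops = []
    while True:
        actions, pkt = switch_step(entries, pkt)
        last = actions[-1]
        if last == "drop":
            hops.append("dropped")
            return {"hops": hops, "vlan": pkt["vlan_vid"]}
        port = last.split(":", 1)[1]
        hops.append(port)
        if port in ("vpn", "l2_switch"):
            return {"hops": hops, "vlan": pkt["vlan_vid"]}
        pkt["in_port"] = port  # the gateway hands the routed packet back


# Constructed packets: ingress port, VLAN tag, source IP/MAC, destination IP.
SAMPLE_PACKETS = {
    "B_to_remote": {"in_port": "l2_switch", "vlan_vid": 20, "ipv4_src": "10.0.2.15", "eth_src": "00:11:22:33:44:15", "ipv4_dst": "192.168.50.10"},
    "A_blocked":   {"in_port": "l2_switch", "vlan_vid": 10, "ipv4_src": "10.0.1.14", "eth_src": "00:11:22:33:44:14", "ipv4_dst": "192.168.50.10"},
    "remote_to_D": {"in_port": "vpn", "vlan_vid": 60, "ipv4_src": "192.168.50.10", "eth_src": "00:11:22:33:44:50", "ipv4_dst": "10.0.3.17"},
    "B_to_A":      {"in_port": "l2_switch", "vlan_vid": 20, "ipv4_src": "10.0.2.15", "eth_src": "00:11:22:33:44:15", "ipv4_dst": "10.0.1.14"},
}


def simulate(name, blocked=BLOCKED):
    return walk(dict(SAMPLE_PACKETS[name]), build_flow_entries(LAN_TABLE, blocked))


if __name__ == "__main__":
    for name in SAMPLE_PACKETS:
        print(name, simulate(name))
```

The `B_to_A` packet shows the isolation property the text claims: LAN B traffic addressed to a LAN A host is handed only to gateway X and then, re-tagged onto Vlan E, to the VPN. The switch never delivers it into LAN A locally, because the only entry that returns traffic to the layer-2 switch is bound to the gateway's own subnet, so the separate routing tables stay separate even when a host inside one segment tries to reach another.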
Fig. 4 is an implementation architecture diagram of a unified end-to-end isolated VPN according to an embodiment of the invention. It differs from Fig. 3 in that virtual router Z 41 replaces the physical router 11 of Fig. 3. Virtual router Z 41 is configured with the same gateway Z 12 as the gateway of user equipment A 14, so user equipment A 14 need not change its gateway IP address; this provides a flexible, seamless physical-to-virtual router migration and effectively reduces the cost of purchasing and maintaining physical routers. In this architecture virtual router Z 41 replaces the physical router 11, and the physical or virtual switch 26 inspects the VLAN tag of each traffic packet to decide its routing path: for example, Vlan A traffic is steered to virtual router Z 41, Vlan B traffic to virtual router X 33, and Vlan C traffic to virtual router Y 34. Note that the different virtual routers can be deployed on different virtual machines in one or more servers 27, ensuring that each type of traffic has its own independent routing table and providing an end-to-end isolated VPN service.
The invention also supports an integrated end-to-end isolated VPN implementation architecture, shown in Fig. 5, which simplifies the deployment model. It differs from Fig. 4 in that the physical or virtual switch 26 is housed in the server 27. This embodiment applies to small and medium-sized software-defined network deployments and provides an end-to-end isolated VPN management solution. A traditional architecture requires one or more additional physical or virtual switches, which consumes considerable hardware resources and adds packet transmission delay. This embodiment simplifies the network architecture by deploying the physical or virtual switch 26, the network controller 22 and the virtual routers 33, 34, 41 within a single server 27. It keeps the design in which the different segments of the internal network are isolated, greatly reduces the cost of deploying network components, reduces the bandwidth consumption and network latency between what was formerly the separate switch 26 and the server 27, and increases the flexibility and portability of service provisioning. Compared with the traditional architecture, the system of this embodiment significantly reduces the use of hardware resources and lowers both capital expenditure (CAPEX) and operating expenditure (OPEX). When the network configuration changes, the invention can dynamically and flexibly schedule and provision through the network controller, giving greater provisioning flexibility.
The three flexibly deployable end-to-end network-isolation VPN architectures proposed by the invention can be understood further from the end-to-end VPN isolation diagram of Fig. 6, which shows how isolation actually operates between different enterprise sites (for example, the overall end-to-end VPN connecting the office 1 site to the office 2 site or to the data center). Between two sites, the enterprise can interconnect its external network through a secure, high-quality MPLS VPN or through an inexpensive Internet broadband access circuit. Combined with the multiple virtual routers running on a single physical server proposed in this embodiment, which give each VPN its own independent routing table, and with the fast, flexible change provisioning of the network controller 22, the VPN isolation method that formerly focused only on the WAN is extended to the enterprise LAN and the data center, yielding a complete end-to-end isolated VPN service provisioning system.

[Features and effects]
Compared with conventional techniques, the VPN service provisioning system supporting diverse end-to-end network isolation proposed by the embodiments of the invention has the following advantages:
The system proposes a cost-effective, flexible provisioning service system based on end-to-end VPN isolation, providing end-to-end isolation of the different traffic types across the enterprise intranet, extranet and data center. A network-usage management mechanism provides enterprise network access-time management and blocking of illegitimate use. The embodiments can flexibly adopt diverse architectures according to different needs, with dynamic scheduling and flexible provisioning, and can greatly reduce CAPEX and OPEX.
Compared with the traditional architecture, the system of the embodiments extends the VPN from the traditional WAN side into the enterprise LAN and data center, giving the VPN stronger end-to-end isolation security.
The system of the embodiments supports flexible deployment of multiple virtual routers in a single server and provides an independent routing table for each type of traffic, so that the traffic types are securely isolated from one another.
When the network configuration changes, the embodiments of the present invention can dynamically and flexibly schedule and provision through the network controller; the system of the present invention therefore offers greater portability and provisioning flexibility than the traditional architecture.
The diverse end-to-end network-isolated VPN service provisioning system proposed by the present invention can flexibly reduce the deployment of physical network elements and resource usage according to the enterprise's network application requirements, and also reduces CAPEX and OPEX.
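The arrangement described in the preceding paragraphs (several virtual routers on one server, each with its own routing table, bound to LANs by a network controller that also enforces access-time limits) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from the patent or its applicant. Router names, LAN names, prefixes, next-hop labels and the access-hours window are all constructed for the example, and the lookup logic is an ordinary longest-prefix match rather than any specific product's implementation.

```python
"""Per-VPN virtual routers with isolated routing tables and a controller.

Added illustration, not code from the patent or its applicant. It models
several virtual routers on one host, each with a private routing table,
provisioned by a network controller that binds LANs to routers and applies
access-hour limits. All names, prefixes and labels are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: str  # constructed label for the egress (an MPLS VPN or the Internet circuit)


@dataclass
class VirtualRouter:
    """One virtual router: a routing table that no other router can read."""
    name: str
    routes: List[Route] = field(default_factory=list)

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(ip_network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over this router's own table only."""
        addr = ip_address(dst)
        best: Optional[Route] = None
        for route in self.routes:
            if addr in route.prefix and (
                best is None or route.prefix.prefixlen > best.prefix.prefixlen
            ):
                best = route
        return best.next_hop if best else None


class Controller:
    """Network controller: provisions routers, binds LANs, applies access hours."""

    def __init__(self) -> None:
        self.routers: Dict[str, VirtualRouter] = {}
        self.lan_binding: Dict[str, str] = {}               # LAN -> router name
        self.access_hours: Dict[str, Tuple[int, int]] = {}  # LAN -> (start, end) hour

    def provision_router(self, name: str) -> VirtualRouter:
        router = VirtualRouter(name)
        self.routers[name] = router
        return router

    def bind_lan(self, lan: str, router: str) -> None:
        """Attach (or re-attach) a LAN to a router; each LAN is bound to exactly one."""
        if router not in self.routers:
            raise KeyError(f"router {router!r} is not provisioned")
        self.lan_binding[lan] = router

    def set_access_hours(self, lan: str, start: int, end: int) -> None:
        """Hours [start, end) during which the LAN may send traffic (time management)."""
        self.access_hours[lan] = (start, end)

    def access_allowed(self, lan: str, hour: int) -> bool:
        window = self.access_hours.get(lan)
        return window is None or window[0] <= hour < window[1]

    def forward(self, src_lan: str, dst: str, hour: int = 12) -> Optional[str]:
        """Next hop for traffic from src_lan to dst, or None if blocked or unroutable.

        Only the table of the router the LAN is bound to is consulted; that is
        what keeps one VPN's routes invisible to another.
        """
        if not self.access_allowed(src_lan, hour):
            return None
        router = self.routers[self.lan_binding[src_lan]]
        return router.lookup(dst)


def build_demo() -> Controller:
    """Two virtual routers on one host with disjoint tables (constructed prefixes)."""
    ctl = Controller()
    vr_x = ctl.provision_router("vrouter-X")  # office traffic: Internet plus office-2 VPN
    vr_y = ctl.provision_router("vrouter-Y")  # restricted traffic: data-center VPN only
    vr_x.add_route("0.0.0.0/0", "internet")
    vr_x.add_route("10.20.0.0/16", "mpls-vpn-office2")
    vr_y.add_route("10.50.0.0/16", "mpls-vpn-datacenter")
    ctl.bind_lan("LAN-A", "vrouter-X")
    ctl.bind_lan("LAN-B", "vrouter-Y")
    ctl.set_access_hours("LAN-B", 8, 18)
    return ctl


def isolation_report(ctl: Controller) -> Dict[str, Optional[str]]:
    """Resolve a few flows; None means the traffic is dropped."""
    return {
        "A->office2": ctl.forward("LAN-A", "10.20.1.7"),
        "A->internet": ctl.forward("LAN-A", "8.8.8.8"),
        "A->datacenter": ctl.forward("LAN-A", "10.50.3.9"),  # DC VPN route invisible to X
        "B->datacenter": ctl.forward("LAN-B", "10.50.3.9"),
        "B->internet": ctl.forward("LAN-B", "8.8.8.8"),      # no default route: dropped
        "B->datacenter@22h": ctl.forward("LAN-B", "10.50.3.9", hour=22),  # outside hours
    }


if __name__ == "__main__":
    for flow, hop in isolation_report(build_demo()).items():
        print(f"{flow:20} -> {hop}")
```

Re-provisioning after a configuration change is a single `bind_lan` call: rebinding `LAN-A` to `vrouter-Y` immediately gives it the data-center VPN route and removes its Internet default route, without touching any physical device. The point worth checking in a real deployment is the same one the model makes explicit: a lookup for LAN traffic must only ever touch the table of the router that LAN is bound to, and a destination with no route in that table is dropped rather than leaking into another VPN's table.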
Although the present invention has been disclosed above by way of embodiments, these are not intended to limit the present invention. Any person having ordinary knowledge in the technical field may make some modifications and refinements without departing from the spirit and scope of the present invention; the protection scope of the present invention shall therefore be determined by the appended claims.
1, 2‧‧‧Office
11‧‧‧Physical router
12‧‧‧Gateway Z
13‧‧‧Layer 2 switch
14‧‧‧User equipment A
15‧‧‧User equipment B
16‧‧‧User equipment C
17‧‧‧User equipment D
18‧‧‧LAN
19‧‧‧Virtual private network
21‧‧‧Virtual router
22‧‧‧Network controller
23‧‧‧Time management module
24‧‧‧Virtual network control module
25‧‧‧Virtualization management platform
26‧‧‧Physical or virtual switch
27‧‧‧Server
28‧‧‧User equipment
31‧‧‧Gateway X
32‧‧‧Gateway Y
33‧‧‧Virtual router X
34‧‧‧Virtual router Y
35‧‧‧LAN A
36‧‧‧LAN B
37‧‧‧LAN C
41‧‧‧Virtual router Z
FIG. 1 is an architecture diagram of a traditional virtual private network;
FIG. 2 is an architecture diagram of a virtual private network service provisioning system supporting diverse end-to-end isolation according to an embodiment of the present invention;
FIG. 3 is an implementation architecture diagram applied to a hybrid end-to-end isolated virtual private network according to an embodiment of the present invention;
FIG. 4 is an implementation architecture diagram applied to a unified end-to-end isolated virtual private network according to an embodiment of the present invention;
FIG. 5 is an implementation architecture diagram supporting an integrated end-to-end isolated virtual private network according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of end-to-end virtual private network isolation according to an embodiment of the present invention.
Claims (9)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW106126451A TWI630488B (en) | 2017-08-04 | 2017-08-04 | Vpn service provision system with diversified end-to-end network isolation support |
CN201810201204.XA CN109391533B (en) | 2017-08-04 | 2018-03-12 | Virtual private network service provisioning system supporting diverse end-to-end isolation |
JP2018112571A JP6591621B2 (en) | 2017-08-04 | 2018-06-13 | Virtual private network service implementation system that supports various end-to-end isolation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW106126451A TWI630488B (en) | 2017-08-04 | 2017-08-04 | Vpn service provision system with diversified end-to-end network isolation support |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI630488B TWI630488B (en) | 2018-07-21 |
TW201911068A true TW201911068A (en) | 2019-03-16 |
Family
ID=63640423
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW106126451A TWI630488B (en) | 2017-08-04 | 2017-08-04 | Vpn service provision system with diversified end-to-end network isolation support |
Country Status (3)
Country | Link |
---|---|
JP (1) | JP6591621B2 (en) |
CN (1) | CN109391533B (en) |
TW (1) | TWI630488B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI692956B (en) * | 2019-03-04 | 2020-05-01 | 中華電信股份有限公司 | Ipv6 accessing management system based on software defined network and method thereof |
CN110336758B (en) * | 2019-05-28 | 2022-10-28 | 厦门网宿有限公司 | Data distribution method in virtual router and virtual router |
CN112822149B (en) * | 2020-08-17 | 2022-07-12 | 北京辰信领创信息技术有限公司 | Terminal access control design based on intelligent router physical port, MAC and IP |
CN113395318A (en) * | 2021-03-17 | 2021-09-14 | 河海大学 | SDN-based power grid data center network architecture and configuration method |
CN114070622B (en) * | 2021-11-16 | 2024-02-09 | 北京宏达隆和科技有限公司 | Micro-isolation system based on network port security |
CN114143795B (en) * | 2021-12-14 | 2024-01-30 | 天翼物联科技有限公司 | Local area network networking method and system based on 5G network |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8893009B2 (en) * | 2009-01-28 | 2014-11-18 | Headwater Partners I Llc | End user device that secures an association of application to service policy with an application certificate check |
US8239572B1 (en) * | 2010-06-30 | 2012-08-07 | Amazon Technologies, Inc. | Custom routing decisions |
US8935786B2 (en) * | 2012-05-01 | 2015-01-13 | Harris Corporation | Systems and methods for dynamically changing network states |
CN105247826B (en) * | 2013-01-11 | 2018-07-13 | 华为技术有限公司 | The network function of the network equipment virtualizes |
WO2015076904A2 (en) * | 2013-11-04 | 2015-05-28 | Illumio, Inc. | Distributed network security using a logical multi-dimensional label-based policy model |
US9548896B2 (en) * | 2013-12-27 | 2017-01-17 | Big Switch Networks, Inc. | Systems and methods for performing network service insertion |
US9560078B2 (en) * | 2015-02-04 | 2017-01-31 | Intel Corporation | Technologies for scalable security architecture of virtualized networks |
JP2016163180A (en) * | 2015-03-02 | 2016-09-05 | 日本電気株式会社 | Communication system, communication method, and program |
US9756015B2 (en) * | 2015-03-27 | 2017-09-05 | International Business Machines Corporation | Creating network isolation between virtual machines |
- 2017
  - 2017-08-04 TW TW106126451A patent/TWI630488B/en active
- 2018
  - 2018-03-12 CN CN201810201204.XA patent/CN109391533B/en active Active
  - 2018-06-13 JP JP2018112571A patent/JP6591621B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
JP6591621B2 (en) | 2019-10-16 |
JP2019033475A (en) | 2019-02-28 |
CN109391533B (en) | 2021-04-13 |
TWI630488B (en) | 2018-07-21 |
CN109391533A (en) | 2019-02-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
TWI630488B (en) | Vpn service provision system with diversified end-to-end network isolation support | |
US11646964B2 (en) | System, apparatus and method for providing a virtual network edge and overlay with virtual control plane | |
US20230224246A1 (en) | System, apparatus and method for providing a virtual network edge and overlay with virtual control plane | |
JP7373560B2 (en) | Synergistic DNS security updates | |
US9929964B2 (en) | System, apparatus and method for providing aggregation of connections with a secure and trusted virtual network overlay | |
Lasserre et al. | Framework for data center (DC) network virtualization | |
US8121126B1 (en) | Layer two (L2) network access node having data plane MPLS | |
US8085791B1 (en) | Using layer two control protocol (L2CP) for data plane MPLS within an L2 network access node | |
EP3909208B1 (en) | Software defined access fabric without subnet restriction to a virtual network | |
JP2014532368A (en) | Virtual private network execution method and system based on traffic engineering tunnel | |
CN104144082A (en) | Method for detecting loop in two-layer network and controller | |
Liao et al. | A dynamic VPN architecture for private cloud computing | |
WO2020048348A1 (en) | Data transmission method and system | |
KR20180104377A (en) | Method for inter-cloud virtual networking over packet optical transport network | |
EP3387801A1 (en) | Customer premises lan expansion | |
CA2912643A1 (en) | System, apparatus and method for providing a virtual network edge and overlay with virtual control plane | |
Liyanage et al. | Secure virtual private LAN services: An overview with performance evaluation | |
George et al. | A Brief Overview of VXLAN EVPN | |
US10944665B1 (en) | Auto-discovery and provisioning of IP fabric underlay networks for data centers | |
CN111934925A (en) | Two-layer Ethernet circuit simulation service system based on IP/MPLS public network | |
EP4293978A1 (en) | Hybrid data plane for a containerized router | |
Finlayson et al. | VPN Technologies-a comparison | |
CN101909021A (en) | BGP (Border Gateway Protocol) gateway equipment and method for realizing gateway on-off function by utilizing equipment | |
Long | Design for security configuration of remote management multi-VLAN switch based on VLAN trunking protocol | |
Kleinová et al. | New approach to remote laboratory in regard to topology change and self-repair feature |