WO2008092351A1 - Virtual private network dynamic connection method - Google Patents
Virtual private network dynamic connection method
- Publication number
- WO2008092351A1 (PCT/CN2007/071137)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- ipsec
- address
- network
- bgp
- branch
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
Definitions
- The present invention relates to network technologies, and more particularly to a method for implementing a dynamic VPN (Virtual Private Network).
- VPN: Virtual Private Network
- IPSec: IP Security (IP layer protocol security)
- Traditional IPSec VPNs use a static configuration method to establish an encrypted tunnel by specifying the protected data stream and the address of the peer VPN device to implement access across the Internet between branch offices in different locations.
- IPSec can be used to build an IPSec VPN network with a star or mesh topology based on application requirements.
- the most commonly used IPSec VPN network topology is the star structure topology, which is closely related to the hierarchical management topology of early user organizations.
- In the IPSec VPN star network, each branch office establishes an IPSec tunnel with the central node. The branch office accesses the servers in the LAN of the enterprise headquarters through the IPSec tunnel.
- more and more branches need to access each other, and the access traffic is getting larger and larger.
- the common solution is to allow the data exchanged between the branches to transit through the IPSec VPN device of the central node to meet the mutual access requirements of the branches.
- Data exchanged between branches must be decrypted and re-encrypted by the central node's IPSec VPN device before it can reach the visited branch.
- This processing itself increases packet delay and does not satisfactorily serve low-latency applications such as VoIP (Voice over Internet Protocol) currently used by enterprises.
- VoIP: Voice over Internet Protocol
- The requirements on the performance of the central node's IPSec VPN device and on its egress bandwidth also keep rising.
- Traditional IPSec VPN also has a method to solve the need for mutual access between branches, which is to establish a mesh IPSec VPN topology. Such mutual access between branches does not require forwarding through the central node.
- Each branch has to establish an IPSec tunnel with every other branch and with the central node.
- n(n-1) tunnels need to be configured. This is a fatal problem for deploying large IPSec VPN networks. Therefore, the mesh IPSec VPN topology is only suitable for networks with very few branches.
- ADSL: Asymmetric Digital Subscriber Line
- The dynamic IPSec VPN network has the advantages of a static full-mesh IPSec VPN network without the complicated configuration management of a static full mesh. Simply put, a dynamic IPSec VPN network must have the following characteristics:
- The configuration is simple. You do not need to configure the IPSec remote end on the VPN device, and you do not need to know the IP addresses or the protected data flows of all remote devices on the IPSec VPN network.
- Branches can directly perform secure access protected by IPSec tunnels without having to go through IPSec devices in the IPSec VPN network center.
- the deployment is simple.
- the entire IPSec VPN network has good scalability and can automatically adapt to the addition and deletion of remote IPSec devices.
- the IPSec tunnel between branches can be dynamically established on demand, and the tunnel is automatically deleted when the idle time expires.
- The most representative existing approach combines the multipoint generic routing encapsulation protocol, the next hop resolution protocol and a dynamic routing protocol with IPSec to implement a dynamic IPSec VPN.
- That scheme uses the next hop resolution protocol to obtain the public IP address of the peer device, and uses the generic routing encapsulation protocol and the dynamic routing protocol to obtain the information about the protected data flow.
- The solution has the characteristics that a dynamic IPSec VPN should have, as listed above, and can meet the needs of some customers. However, it requires every IPSec device to connect with a public network address and cannot support access through NAT (Network Address Translation).
- NAT: Network Address Translation
- The technical problem to be solved by the present invention is to provide a virtual private network dynamic connection method that addresses the above-mentioned shortcomings of the prior art, using a combination of IPSec and BGP (Border Gateway Protocol) to implement a dynamic IPSec VPN network.
- BGP: Border Gateway Protocol
- the present invention solves the technical problem, and the technical solution adopted is a virtual private network dynamic connection method, which includes the following steps:
- the IPSec device of the central node and the IPSec device of the branch establish BGP adjacency through the static IPSec tunnel.
- the IPSec device automatically adds a route mapping policy to the BGP neighbors that have established BGP adjacencies, and sets the extended community attribute value of the routing information.
- the IPSec device in the IPSec VPN network advertises the IP address/network segment of the local network to be protected to other IPSec devices through the BGP routing protocol.
- the IPSec device of the central node distributes the IP address/network segment information of the data to be protected by the branch to the IPSec device of other branches through the BGP route reflector function.
- the IPSec device between the branches learns the IP address/network segment information of the data that the other branches need to protect. Then, obtain the peer public network address from the extended community attribute, and then negotiate to establish an IPSec tunnel.
- The beneficial effects of the invention are that it consumes few network resources, has low cost, and is easy to configure.
- Figure 1 is a network topology diagram of an embodiment.
- the BGP dynamic routing protocol is used to send the resource information to be protected by the local end to the remote VPN device in the manner of BGP routing update.
- the remote VPN device obtains the legal address of the local VPN device based on the next hop address in the received BGP route update and the extended community attribute of the BGP route.
- IPSec is responsible for automatically establishing related IPSec tunnels based on the learned information.
- the IPSec device of the central node and the IPSec device of the branch establish a BGP adjacency relationship through the static IPSec tunnel and the IP address of the loopback interface of the IPSec device.
- the extended community attribute value is the respective public network IP address.
- the extended community attribute value is the public network IP address of the central node device.
- the IPSec device of the central node distributes the IP address/network segment information of the data to be protected by the branch to the IPSec device of the other branch through the BGP route reflector function, and specifies the protected protocol and port number.
- the BGP tunnel cannot be traversed.
- the IPSec tunnel is used to protect the transmission of BGP packets.
- the BGP protocol supports the source interface for sending packets.
- the loopback interface of the IPSec device of each branch office and the central node is used as the source interface for BGP packets.
- the IP address allocation of the loopback interface can be completely planned by the user, which also provides great convenience for configuring the static protection data flow of BGP communication.
- the BGP protocol is negotiated to establish the BGP adjacency relationship between the IPSec device of the branch and the IPSec device of the central node.
- The IPSec device of the central node learns the IP address information to be protected by each branch office through route update notifications (in terms of the current static IPSec protected data flow, the IP address information learned here is the destination address of the protected data flow).
- the BGP protocol supports the feature of CIDR (Classless Inter-Domain Routing), which can accurately control the learning of protected data stream addresses.
- the IPSec device configured on the central node is a BGP route reflector.
- the information about the IPSec tunnel protection that is learned from the IPSec device of the other branch is distributed to the IPSec device of the branch office in the route update notification.
- While distributing this information to the IPSec devices of the branches, the central node adds the public network address of the originating branch's IPSec device to the extended community attribute. In this way, the IPSec devices of the same IPSec VPN network learn both the IP address/network segment protected by the IPSec tunnel and the public network address of the corresponding IPSec device.
- According to the destination address of the access data, the IPSec device of each branch office performs IPSec negotiation with the public network address of the corresponding IPSec device to establish an IPSec tunnel, ensuring user service access and security.
- NAT detection is automatically completed by the IPSec protocol.
- The public network IP address filled in the extended community attribute is the IP address of the IPSec device of the central node.
- The IPSec device of another branch node, after discovering that the peer is behind NAT while it is itself not behind NAT, does not initiate tunnel negotiation but waits for the branch behind NAT to initiate it. If both ends are behind NAT, the IPSec device of the branch actively negotiates, with the IPSec device at the central node, the tunnel toward the peer branch. After receiving the routing information, the other end does the same. In this way the connection is completed through forwarding by the central node, in the manner of a star network. This method increases the flexibility of IPSec access and greatly reduces the access requirements for users deploying a dynamic IPSec VPN.
- the BGP routing information attribute used in the present invention is:
- this attribute carries the IP address/network segment of the protection data issued by the branch office.
- this information corresponds to the destination address/segment of the static IPSec.
- this information corresponds to the source address/segment of the static IPSec.
- Next hop address: because the loopback interface address of each IPSec device is used when BGP adjacency is established, the next hop of each piece of routing information is the loopback interface address of the IPSec device that advertises it.
- the loopback interface address is planned by the user. In the network, it uniquely represents each IPSec device (each branch office). Therefore, it is recommended that the assigned loopback interface address be the host address.
- the BGP routing protocol supports two community attributes, one is a standard community attribute and the other is an extended community attribute. Some values in the standard community properties are dedicated to controlling the propagation of routes.
- the format using the standard community attribute may be a number, and the attribute is used to define the protocol type of the data stream to be protected. If the TCP protocol is protected, the value is specified as 259. Accurate control over the range of resources that need to be protected can greatly improve the security of the network.
- The route target attribute and the route source attribute of the extended community attribute support values in two formats. One is ASN:NN; the other is IP address:NN.
- The public address information of the IPSec device is carried using the IP address:NN format of the route target attribute.
- the latter NN code is used as an extension definition to implement the security isolation function. This allows for more precise control of access rights in the IPSec VPN network, enabling isolation of different permissions in the same IPSEC VPN network.
- the protocol port number is defined using the ASN:NN format in the route source attribute.
- the standard community attribute values correspond to the protocol types as follows:
- Rules for filling in the public network IP address in the RT attribute value of the extended community attribute:
- If the IPSec device of the branch is not behind NAT, the IP address filled in the extended community attribute is the public network IP address of the IPSec device of the branch.
- If the IPSec device of the branch is behind NAT, the IP address filled in the extended community attribute is the public IP address of the IPSec device of the central node.
- If the IP address carried in the attribute is the same as the IP address of the IPSec device on the central node, and the next hop of the route is the loopback interface address of a non-central node, the IPSec device of the branch office that advertised the routing information is determined to be behind NAT.
- The dynamic IPSec VPN network, which combines BGP dynamic routing with the IPSec protocol, relies on the flexibility of the BGP routing protocol to keep network topology scaling flexible. It supports multiple access modes and supports NAT traversal. Only the IPSec device at one access point needs a public IP address to form a dynamic IPSec VPN network. Other access points can use any access method: as long as they can reach the public network, they can join the dynamic IPSec VPN network. Moreover, the present invention provides strong network access control and security. The routing community attribute value specifies the communication protocol and port number to be protected, giving precise control of the protected data flow. The routing extended community attribute implements security isolation. That is, the same IPSec VPN network can be accessed.
- There are three branches and one central node, and a dynamic IPSec VPN needs to be established. Branches need to access each other.
- the access IP address provided by the network service provider of branch office C is the network service provider's own intranet address, which is a private IP address. Access to the Internet (that is, the public network) requires NAT.
- the access methods of the other two branches A and B get dynamic public IP addresses.
- The invention mainly exploits the characteristics of the BGP routing protocol: it uses unicast, does not require neighbors to be directly connected, and supports the extended community attribute in the IP address:NN format, so that the IPSec devices of each branch office and the central node dynamically learn the data flows to be protected and the public network address of the peer IPSec device.
- at least one IPSec device needs to have a fixed public address in the entire IPSec VPN network.
- the network segment judges the existence of NAT and performs special processing.
- Loopback interface addresses are assigned to all IPSec devices according to the overall network plan (host addresses are recommended).
- Configure BGP on the IPSec device at the central node and at each branch, using the loopback interface address as the neighbor address and as the source address of negotiation/update packets (that is, the loopback interface address is specified as the BGP address), and configure to send BGP to the neighbor.
- the extended community attribute is used to carry the corresponding public IP address of the IPSec device in the route distribution process.
- On the IPSec device of the branch only the IPSec device of the central node is configured as the neighbor, and the IPSec device of the central node needs to accept the IPSec device of each branch as the neighbor.
- BGP network commands are used to advertise locally protected IP addresses/network segments.
- the source address/segment of the data stream is protected.
- the IP address/network segment advertised by the network command is sent by the BGP process to the IPSec device of the central node or the branch as the normal route.
- the destination address of the protected data stream of the IPSec device is learned.
- In order for the information learned by the IPSec device of the central node to be distributed to the IPSec devices of the other branches, the IPSec device of the central node needs to be configured as a route reflector. Client.
- the process is mainly to determine the source and destination IP address/network segment of the data packets that need to be forwarded through the IPSec tunnel.
- IPSec tunnel to protect BGP traffic.
- The IPSec devices of branches A, B, and C are configured with the corresponding protected data flow:
- the source address is the loopback interface address of the local IPSec device.
- the destination address is the loopback interface address of the central node.
- the IPSec device of the central node finds that the IPSec device of branch C is behind the NAT, and the IPSec devices of other branches have the public IP address. Therefore, the IPSec device at the central node actively searches for the BGP configuration according to the address of the peer loopback interface that protects the BGP communication tunnel, and adds the m-direction route mapping to the BGP neighbor configuration corresponding to the branches A, B, and C.
- the extended community attribute values are the IP addresses of the IPSec devices on the public network.
- the extended community attribute value is the public IP address of the IPSec device on the central node. Because the loopback interface is used as the BGP neighbor address and the negotiation update packet address, the BGP adjacency can only be established after the IPSec tunnel that protects its communication is established. This sequence ensures the timeliness of the central node IPSec to set the route map. After the BGP adjacency is established, the IPSec devices of each branch learn from each other to protect the IP address/network segment information. The IPSec device of the branch A or B is based on the IP of the corresponding community extension attribute in the learned BGP route.
- After receiving the protected data flow information about branch office C, the IPSec device of branch office A or B finds that the public network address of the peer is the same as the address of the central node's IPSec device, while the corresponding BGP route next hop is not the loopback interface address of the central node's IPSec device. From negotiating the IPSec tunnel that protects BGP, it knows that it is not itself behind NAT. The IPSec device of branch C actively establishes the tunnel.
- When the IPSec device of branch C receives the protected address information of branch A or B through BGP and finds that the IP address in the corresponding extended community attribute is not the IP address of the central node, it actively uses the IP address in the extended attribute as the peer address to establish an IPSec tunnel.
- Assume there is another branch D behind NAT. When the IPSec device of branch C or D receives the protected address information of the other party, it checks the extended attribute and the next hop address of the BGP route and determines that the other party is behind NAT. The NAT detection function of the IPSec protocol tells it whether it is itself behind NAT; knowing that the peer is also behind NAT, it establishes the IPSec tunnel for the corresponding data flow with the IPSec device of the central node.
- the IPSec device at the central node needs to perform special processing on the branch offices behind the NAT to ensure that the IPSec tunnel is established.
- the IPSec device forwarding of the central node is used to implement branch access. At this point, the IPSec tunnel is established.
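
The RT fill-in rules and the branch-side tunnel decision described above, as an added Python example (not code from the patent or from any vendor implementation). All addresses are constructed sample values, and the names `hub_tag`, `parse_rt`, `peer_behind_nat`, `plan_tunnel` and the action labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample values (documentation/private ranges), not from the patent.
HUB_PUBLIC = ip_address("203.0.113.1")    # fixed public address of the central node
HUB_LOOPBACK = ip_address("10.255.0.1")   # loopback used as BGP source at the hub


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network     # protected IP address/network segment
    next_hop: IPv4Address   # loopback of the device that advertised the route
    rt: str                 # extended community in "IP address:NN" format


def hub_tag(prefix, loopback, public, behind_nat, nn=1):
    """Central node: fill in the RT value while reflecting a branch's route."""
    # Branch not behind NAT -> its own public address; behind NAT -> the hub's.
    carried = HUB_PUBLIC if behind_nat else ip_address(public)
    return Route(ip_network(prefix), ip_address(loopback), f"{carried}:{nn}")


def parse_rt(rt):
    """Split "IP address:NN" and reject values that are not address plus number."""
    addr, sep, nn = rt.rpartition(":")
    if not sep or not nn.isdigit():
        raise ValueError(f"malformed extended community: {rt!r}")
    return ip_address(addr), int(nn)   # ip_address() raises ValueError if invalid


def peer_behind_nat(route):
    """RT carries the hub's public address, yet the next hop is not the hub."""
    carried, _ = parse_rt(route.rt)
    return carried == HUB_PUBLIC and route.next_hop != HUB_LOOPBACK


def plan_tunnel(route, local_behind_nat):
    """Branch side: return (action, peer address) for one learned route."""
    carried, _ = parse_rt(route.rt)
    if not peer_behind_nat(route):
        # Peer is publicly reachable: negotiate with the address carried in RT.
        return ("initiate", carried)
    if local_behind_nat:
        # Both ends behind NAT: build the tunnel with the central node, which forwards.
        return ("via-hub", HUB_PUBLIC)
    # Only the peer is behind NAT: do not initiate, wait for the peer.
    return ("wait-for-peer", None)


def demo():
    """Constructed embodiment: A and B have public addresses, C and D are behind NAT."""
    sites = {  # name: (loopback, public address or None, behind NAT, protected segment)
        "A": ("10.255.0.11", "198.51.100.10", False, "192.168.1.0/24"),
        "B": ("10.255.0.12", "198.51.100.20", False, "192.168.2.0/24"),
        "C": ("10.255.0.13", None, True, "192.168.3.0/24"),
        "D": ("10.255.0.14", None, True, "192.168.4.0/24"),
    }
    reflected = {n: hub_tag(seg, lo, pub, nat) for n, (lo, pub, nat, seg) in sites.items()}
    return {
        (local, peer): plan_tunnel(route, sites[local][2])
        for local in sites
        for peer, route in reflected.items()
        if peer != local
    }


if __name__ == "__main__":
    for (local, peer), (action, addr) in sorted(demo().items()):
        print(f"{local} -> {peer}: {action} {addr or ''}")
```

Because the RT value becomes the IKE peer address, `parse_rt` rejects anything that is not a well-formed address and number before a tunnel decision is made.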
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710048341.6 | 2007-01-26 | ||
CNB2007100483416A CN100440846C (zh) | 2007-01-26 | 2007-01-26 | Virtual private network dynamic connection method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2008092351A1 true WO2008092351A1 (fr) | 2008-08-07 |
Family
ID=38697778
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2007/071137 WO2008092351A1 (fr) | 2007-01-26 | 2007-11-28 | Virtual private network dynamic connection method |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN100440846C (zh) |
RU (1) | RU2438254C2 (zh) |
WO (1) | WO2008092351A1 (zh) |
2007
- 2007-01-26 CN CNB2007100483416A patent/CN100440846C/zh active Active
- 2007-11-28 RU RU2009139311/07A patent/RU2438254C2/ru active
- 2007-11-28 WO PCT/CN2007/071137 patent/WO2008092351A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
RU2009139311A (ru) | 2011-04-27 |
RU2438254C2 (ru) | 2011-12-27 |
CN100440846C (zh) | 2008-12-03 |
CN101009629A (zh) | 2007-08-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 07817327 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 4446/CHENP/2009 Country of ref document: IN |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2009139311 Country of ref document: RU |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 07817327 Country of ref document: EP Kind code of ref document: A1 |