WO2011147334A1 - Method, device and system for providing virtual private network service - Google Patents

Method, device and system for providing virtual private network service

Info

Publication number
WO2011147334A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
request message
parameter
access device
access
Application number
PCT/CN2011/075208
Other languages
French (fr)
Chinese (zh)
Inventor
雷文阳
Original Assignee
Huawei Technologies Co., Ltd. (华为技术有限公司)
Priority date: November 30, 2010 (Chinese application 201010566397.2, as stated in the description)
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2011147334A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0272 Virtual private networks

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method, device, and system for providing a virtual private network service.
  • Background
  • A Virtual Private Network (VPN) is defined as a set of multiple logical networks provided on an existing single physical network. These logical networks are isolated from each other: data traffic in one logical network does not enter another logical network.
  • Many basic network operators can provide VPN services today. Typically they offer customers Layer 2 VPN services based on Virtual Private LAN Service (VPLS), referred to as VPLS services, and Layer 3 VPN services based on the Border Gateway Protocol (BGP) and Multi-Protocol Label Switching (MPLS), referred to as BGP/MPLS Layer 3 VPN services. In the prior art these services are activated as follows:
  • The customer determines the VPN attribute information of the VPN service (number of sites, site locations, traffic demand, bandwidth requirements, and so on) through on-site communication with the basic network operator. The operator's departments (planning, network management, accounting, and so on) then coordinate to determine the network planning and accounting schemes for the VPN service, which in turn fixes the VPN configuration parameters of the service provider edge devices. Next, the operator's network administrators configure those VPN configuration parameters on the service provider edge devices by hand. Finally, the operator notifies the customer that the VPN service has been activated, and the service provider edge device can connect the customer to the VPN.
  • Embodiments of the present invention provide a method, device, and system for providing a virtual private network service.
  • A method for providing a virtual private network service includes: receiving a request message, sent by an access device, requesting access to a virtual private network (VPN), where the request message carries authentication information; authenticating the request message according to the authentication information; and, after the request message passes authentication, globally allocating the VPN configuration parameters of the access device and sending the VPN configuration parameters to the access device.
  • A further method for providing a virtual private network service includes: an access device receiving a request message, sent by a site, requesting access to a VPN, where the request message carries authentication information; sending the request message to a backend device; and receiving the VPN configuration parameters sent by the backend device and configuring according to them.
  • A backend device includes: a request-message receiving unit, configured to receive a request message sent by an access device requesting access to a VPN, where the request message carries authentication information; an authentication unit, configured to authenticate the request message according to the authentication information; an allocating unit, configured to globally allocate the VPN configuration parameters of the access device after the request message passes authentication; and a parameter sending unit, configured to send the VPN configuration parameters to the access device.
  • An access device includes: a receiving unit, configured to receive a request message sent by a site requesting access to a VPN, where the request message carries authentication information; a request-message sending unit, configured to send the request message to a backend device; and a configuration unit, configured to receive the VPN configuration parameters sent by the backend device and configure according to them.
  • A system for providing a virtual private network service includes the foregoing backend device and the foregoing access device.
  • The process performed by the backend device is: authenticate the request message in which a site requests access to the VPN; after authentication passes, allocate the VPN configuration parameters of the access device; and transmit those parameters to the access device. No step performed by the backend device requires manual operation, and the configuration parameters are delivered to the access device automatically, so the access device can connect the site to the VPN quickly.
  • FIG. 1 is a schematic flowchart of Embodiment 1 of a method for providing a virtual private network service according to an embodiment of the present invention;
  • FIG. 2 is a schematic flowchart of Embodiment 2 of the method;
  • FIG. 3 is a schematic flowchart of Embodiment 3 of the method;
  • FIG. 4 is a schematic flowchart of Embodiment 4 of the method;
  • FIG. 5 is a schematic diagram of the logical structure of Embodiment 5, the backend device;
  • FIG. 6 is a schematic diagram of the logical structure of Embodiment 6, the access device.
  • Embodiments of the present invention provide a method for providing a virtual private network service. Embodiments of the present invention also provide corresponding devices and systems. The details are described below separately.
  • Embodiment 1. Referring to FIG. 1, an embodiment of the method for providing a virtual private network service includes the following steps.
  • Before the basic network operator provides VPN services to a site, it must complete the network connectivity configuration and network tunnel configuration of all access devices in the basic network: for example, the access devices run OSPF (Open Shortest Path First) to reach each other, each access device is configured with an MPLS tunnel, and BGP is enabled with VPN capabilities.
  • When a site needs to access the VPN, that is, when the site needs to activate the VPN service, the access device receives a request message in which the site requests access to the VPN. The request message carries authentication information, and the access device sends the request message to the backend device.
  • The request message is typically sent to the access device through an edge device located at the site. The access device is usually located at the edge of the carrier's basic network. A customer generally has multiple sites that require access to the VPN.
  • After receiving the request message in which the site requests access to the VPN, the backend device authenticates the request message according to the authentication information.
  • Once the request message passes authentication, the backend device allocates the VPN configuration parameters of the access device and sends them to the access device, so that the access device can complete its configuration according to those parameters and add the site to the VPN.
  • In this embodiment the process performed by the backend device is therefore: authenticate the site's request message, allocate the VPN configuration parameters of the access device after authentication passes, and transmit them to the access device. The whole process needs no manual operation; the configuration parameters are sent to the access device automatically, and the access device joins the site to the VPN.
  • Embodiment 2. Referring to FIG. 2, another embodiment of the method for providing a virtual private network service includes the following steps.
  • The basic network operator usually provides a VPLS whose attribute information matches the user's requirements. The VPLS attribute information includes the VPLS traffic type, the maximum number of sites allowed to access the VPLS, the access bandwidth, and so on.
  • Users can give the VPLS attribute information to the basic network operator in various ways, such as face-to-face communication, phone calls, or fax. In this embodiment the user supplies the attribute information to the basic network operator directly: the user sends a VPLS service request carrying the VPLS attribute information to the backend device, and the backend device globally assigns a unique identifier to the VPLS attribute information and saves it. The unique identifier is an integer, for example 32 bits or 64 bits wide.
  • The user can send the VPLS service request to the backend device directly, so that the backend device obtains the VPLS attribute information, or the VPLS service request can be sent to a front-end device, which forwards the VPLS attribute information to the backend device and feeds back to the user a message that the VPLS service request has been accepted. The front-end device can be the user's computer: the user logs in to the WEB service platform of the VPLS service application, applies for the VPLS service, and enters the required VPLS attribute information on that platform.
  • The backend device can also provide the user with a VPLS access pass, such as a username and password for connecting to the VPLS. Alternatively, the user can enter the username and password for connecting to the VPLS on the WEB service platform of the VPLS service application, in which case they are carried in the VPLS service request. Whether the username and password are chosen by the user or issued by the backend device, they are stored in an authentication table, and their entry in the authentication table refers to the identifier of the VPLS attribute information.
  • The site runs an 802.1X client, usually located on the site's edge device, which sends a request message requesting access to the VPLS to the access device. The request message carries the VPLS username and password that the user of the site entered on the 802.1X client. The 802.1X client is one type of VPN dial-up client.
  • The access device, acting as a RADIUS client, forwards the request message to the backend device in the form of an AAA authentication packet. The backend device runs an AAA server system, and the AAA server authenticates the AAA authentication packet.
  • The AAA server parses the VPLS username and password entered on the 802.1X client out of the received AAA authentication packet and checks them against the VPLS username and password stored in the backend device's authentication table.
  • The backend device then finds the VPLS attribute information through the identifier referenced by that authentication table entry and determines whether the attribute information permits the access. For example, the backend device checks whether the number of sites currently accessing the VPLS has reached the maximum number of sites allowed. Each time a site successfully accesses the VPLS, a counter in the backend device is incremented by 1. If the counter has not exceeded the maximum number of sites allowed to access the VPLS, the attribute check passes; if it has, the backend device sends a failure message to the site.
  • After the attribute check passes, the backend device globally allocates the VPLS configuration parameters of the access device. For example, the backend device globally allocates unique Route Target (RT) and Route Distinguisher (RD) parameters for the access device.
  • The RD is an 8-byte number, usually written in the form 100:100. The page describes it as two 4-byte halves, both 100; more precisely, RFC 4364 defines the RD as a 2-byte Type field followed by a 6-byte Value, and in the common Type 0 encoding 100:100 is a 2-byte AS number 100 followed by a 4-byte assigned number 100. Each VPN must have a unique RD.
  • For example, starting from a base of 100:100 the backend device can set the first allocated RD to 100:101, the second to 100:102, and so on. There is another way to allocate the RD: the access device can be preset with the base 100:100, and when the backend device allocates an RD for the first time it assigns only the value 4 and sends the parameter 4 to the access device, which adds 4 to the base to obtain the RD 100:104.
  • The RT is allocated in the same way as the RD and is not described again. Note that the RT, not the RD, is what an access device uses to import routes or MAC information into a VPN instance, so the RT value the backend hands out effectively decides which customer VPN the site joins.
  • The backend device can also allocate the VPLS configuration parameters globally as soon as the site's VPLS service application succeeds; after the attribute check passes, it then retrieves the previously allocated VPLS configuration parameters.
  • The backend device uses the AAA server system to place the VPLS configuration parameters (such as the Route Target and Route Distinguisher parameters) in the payload of a RADIUS packet and sends them to the access device over the RADIUS protocol. On receiving these parameters the access device applies the configuration and adds the site to the VPLS, so that the site can access the VPLS through the access device. Since the AAA server system also has a charging function, the backend device can start charging through the AAA server system once the site accesses the VPLS.
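The backend-side procedure described above (service application that binds a username and password to the identifier of the attribute information, authentication against that table, the site counter checked against the maximum number of sites, and global RD/RT allocation from a base of 100:100, including the offset variant the access device resolves itself), as an added Python example that is not the patent's code. Assumptions not in the page: RD/RT are allocated once per VPN and reused by every site of that VPN, since a shared RT is what makes the sites members of one VPN; ASN 100; credentials held in an in-memory table and compared in constant time (a real deployment would store password hashes). The names Backend, apply_for_service, handle_access_request and apply_base are this example's own.

```python
# Added example (not the patent's code): backend (AAA server) logic of Embodiment 2.
# Assumptions: per-VPN RD/RT allocation, ASN 100 with base 100:100, in-memory
# authentication table. Constructed data only; nothing here talks to a network.
import hmac
from dataclasses import dataclass


@dataclass
class VpnAttributes:
    vpn_id: int                 # globally unique identifier assigned at application time
    max_sites: int              # maximum number of sites allowed to access the VPN
    access_bandwidth_kbps: int
    sites_online: int = 0       # counter incremented on each successful access


@dataclass
class VpnConfigParams:
    rd: str                     # Route Distinguisher in ASN:number form
    rt: str                     # Route Target in ASN:number form
    access_bandwidth_kbps: int


def apply_base(base: str, offset: int) -> str:
    """Access-device side of the page's second scheme: the base (100:100) is
    preset on the device and the backend sends only an offset (4 -> 100:104)."""
    asn, number = base.split(":")
    return f"{asn}:{int(number) + offset}"


class Backend:
    def __init__(self, asn: int = 100, rd_base: int = 100, rt_base: int = 100):
        self.asn = asn
        self._next_rd = rd_base
        self._next_rt = rt_base
        self.auth_table = {}    # username -> (password, vpn_id)
        self.vpns = {}          # vpn_id -> VpnAttributes
        self.params = {}        # vpn_id -> VpnConfigParams, allocated once per VPN

    def apply_for_service(self, username, password, max_sites, bandwidth_kbps) -> int:
        """VPN service application: store the attribute information under a unique
        identifier and bind the access credentials to that identifier."""
        vpn_id = len(self.vpns) + 1   # the page uses a 32/64-bit integer; a counter suffices here
        self.vpns[vpn_id] = VpnAttributes(vpn_id, max_sites, bandwidth_kbps)
        self.auth_table[username] = (password, vpn_id)
        return vpn_id

    def _allocate(self, vpn_id: int) -> VpnConfigParams:
        """Global allocation: the next unused RD/RT above the base, so 100:101 first."""
        if vpn_id not in self.params:
            self._next_rd += 1
            self._next_rt += 1
            attrs = self.vpns[vpn_id]
            self.params[vpn_id] = VpnConfigParams(
                f"{self.asn}:{self._next_rd}", f"{self.asn}:{self._next_rt}",
                attrs.access_bandwidth_kbps)
        return self.params[vpn_id]

    def handle_access_request(self, username: str, password: str):
        """Authenticate, then apply the site-count check, then allocate.
        Returns ("Access-Accept", params) or ("Access-Reject", None)."""
        entry = self.auth_table.get(username)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return ("Access-Reject", None)          # unknown user or wrong password
        attrs = self.vpns[entry[1]]                 # attribute info via the table's identifier
        if attrs.sites_online >= attrs.max_sites:   # attribute check fails: site limit reached
            return ("Access-Reject", None)
        attrs.sites_online += 1                     # the page's per-VPN counter
        return ("Access-Accept", self._allocate(entry[1]))
```

The order matters: the site limit is only consulted after the credentials verify, so an unauthenticated sender cannot learn how many sites a customer has online, and the counter is only incremented on the accepting path.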
  • The VPLS configuration parameters may also include the access bandwidth parameter. The backend device may use the AAA server system to place the access bandwidth parameter together with the Route Target and Route Distinguisher parameters in the RADIUS packet payload and send them to the access device over the RADIUS protocol, so that the access device can configure the bandwidth ceiling and rate-limit the access of the connected site.
  • The user of the site can also modify the VPLS attribute information: for example, the user logs in from a computer to the WEB service platform, modifies the required VPLS attribute information, and raises the maximum number of sites allowed to access the VPLS or the access bandwidth. After receiving the modified attribute information sent by the computer, the backend device uses the AAA server system to place the modified attribute information in a RADIUS packet payload and sends it to the access device over the RADIUS protocol.
  • In this embodiment the user provides the required VPN attribute information to the backend device by sending a service request, which improves the efficiency with which the basic network operator provides the VPN service. The user can change the attribute information at any time while the VPN is running, which increases the flexibility of the VPN service and raises the statistical multiplexing ratio, so the operator's basic network is more fully utilized.
  • the method for providing the virtual private network service in the embodiment of the present invention is described above from the perspective of the back-end device.
  • the method for providing the virtual private network service in the embodiment of the present invention is described below from the perspective of the access device.
  • Embodiment 3 Referring to FIG. 3, another embodiment of a method for providing a virtual private network service in the embodiment of the present invention includes:
  • This embodiment takes the VPLS service provided by the basic network operator as an example.
  • When a site accesses the VPLS, it runs the 802.1X client installed on the site's edge device to send a request message carrying the authentication information to the access device. When the access device receives the request message, it has received the site's request for access to the VPLS, and it forwards the request message to the backend device.
  • After the request message passes authentication, the backend device allocates the VPLS configuration parameters of the access device, namely the Route Target parameter and the Route Distinguisher parameter, and sends a packet containing these configuration parameters to the access device (the carrier edge device).
  • After receiving the Route Target and Route Distinguisher parameters from the backend device, the access device allocates a virtual switch instance (VSI) resource locally, configures the received Route Target and Route Distinguisher parameters on the allocated VSI, and adds the 802.1X port to the VSI. At this point the access device has connected the site to the VPLS.
  • In this embodiment the access device receives the VPN configuration parameters from the backend device and configures itself according to them to connect the site to the VPN. The entire process requires no manual operation by a network administrator, which improves the efficiency of the VPN service provided by the basic network operator.
  • the BGP/MPLS Layer 3 VPN service is provided by the basic network operator as an example to describe the interaction process between the back-end device and the access device in a specific application scenario.
  • Embodiment 4 Referring to FIG. 4, another embodiment of a method for providing a virtual private network service in the embodiment of the present invention includes:
  • The user requests access to the virtual private network: the user sends a BGP/MPLS Layer 3 VPN service request to the front-end device, and the front-end device sends the BGP/MPLS Layer 3 VPN attribute information to the backend device. After receiving the backend device's response, the front-end device feeds back to the user a message that the BGP/MPLS Layer 3 VPN service application has been accepted.
  • The BGP/MPLS Layer 3 VPN attribute information is essentially the same as the VPLS attribute information, except that it must additionally carry access IP address pool information and loopback IP address pool information.
  • The site sends a request message: the PPPoE client installed on the site's edge device sends a request message to the operator edge device (the access device), and the request message carries the BGP/MPLS Layer 3 VPN username and password entered by the user of the site. The PPPoE client is another type of VPN dial-up client.
  • The operator edge device, acting as a RADIUS client, forwards the request message to the backend device in the form of an AAA authentication packet. The backend device runs an AAA server system, and the AAA server authenticates the AAA authentication packet.
  • The backend device performs authentication: the AAA server parses the BGP/MPLS Layer 3 VPN username and password entered on the PPPoE client out of the received AAA authentication packet and checks them against the BGP/MPLS Layer 3 VPN username and password stored in the backend device's authentication table. The authentication exchange is transmitted in protected form.
  • The backend device sends the configuration parameters: after authentication passes, the backend device globally allocates the VPN configuration parameters of the access device, that is, a Route Target parameter and a Route Distinguisher parameter.
  • Having allocated the Route Target and Route Distinguisher parameters, the backend device uses the AAA server system to place them in the payload of a RADIUS packet and sends the packet to the access device over the RADIUS protocol, enabling the access device to join the site to the BGP/MPLS Layer 3 VPN.
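The RADIUS exchange between the access device (RADIUS client) and the backend (AAA server) that Embodiments 2 and 4 describe, with both sides' messages built per RFC 2865, as an added Python example that is not from the patent. The page says the authentication exchange is transmitted in protected form; what RFC 2865 actually provides is User-Password hiding (XOR with an MD5 keystream derived from the shared secret and the Request Authenticator) and an MD5-based Response Authenticator on the Access-Accept. Because the RT carried in that Access-Accept decides which customer VPN the site is joined to, the access device must verify the Response Authenticator before applying the parameters, and in deployment the RADIUS path between access device and backend should be carried over RadSec (RADIUS over TLS, RFC 6614) or IPsec rather than bare UDP. Assumptions: Vendor-Id 2011 (Huawei's IANA enterprise number) and hypothetical vendor sub-attribute numbers 250 and 251 for RD and RT, which the patent does not specify; the function names are this example's own.

```python
# Added example (not the patent's code): the RADIUS exchange of Embodiment 4
# built per RFC 2865. Assumptions: Vendor-Id 2011 (Huawei's IANA enterprise
# number) and hypothetical sub-attribute numbers 250/251 for RD and RT.
import hashlib
import hmac
import os
import struct

VENDOR_ID = 2011            # Huawei Technologies (IANA enterprise number)
VSA_RD, VSA_RT = 250, 251   # hypothetical vendor sub-attribute numbers, not from the patent
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: password XORed with an MD5 keystream over the shared secret
    and Request Authenticator, 16 bytes at a time. This is hiding, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Backend side: recover the password from a received User-Password attribute."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id followed by one vendor sub-attribute."""
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + attr(sub_type, value))


def parse_attrs(data: bytes):
    """Walk a TLV list; reject lengths that would read outside the buffer."""
    i, out = 0, []
    while i < len(data):
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + length]))
        i += length
    return out


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """Access device (RADIUS client): forward the site's credentials to the backend."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def build_access_accept(ident: int, req_auth: bytes, secret: bytes, rd: str, rt: str) -> bytes:
    """Backend (AAA server): carry the allocated RD/RT in the Access-Accept payload.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = vsa(VSA_RD, rd.encode()) + vsa(VSA_RT, rt.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_and_decode_accept(pkt: bytes, ident: int, req_auth: bytes, secret: bytes):
    """Access device: apply RD/RT only if the identifier matches the outstanding
    request and the Response Authenticator verifies. Returns {"rd", "rt"} or None.
    Without this check a forged accept would place the site in whatever VPN its RT names."""
    code, pkt_ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or pkt_ident != ident or length != len(pkt):
        return None
    attrs = pkt[20:]
    expected = hashlib.md5(pkt[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None
    params = {}
    for attr_type, value in parse_attrs(attrs):
        if attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_ID:
            for sub_type, sub_value in parse_attrs(value[4:]):
                if sub_type == VSA_RD:
                    params["rd"] = sub_value.decode()
                elif sub_type == VSA_RT:
                    params["rt"] = sub_value.decode()
    return params
```

Usage follows the page's order: the access device builds the Access-Request and keeps the Request Authenticator, the backend unhides the password, checks it, allocates RD/RT and builds the Access-Accept, and the access device verifies that accept before configuring the VSI or VRF. An accept built under a different shared secret, replayed against a different request identifier, or with a single byte of the RT altered is discarded. Note that the Response Authenticator protects against an off-path forger who lacks the secret but remains an MD5 construction; RFC 2869's Message-Authenticator attribute and a RadSec or IPsec transport are the practical hardening.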
  • The access device configures itself according to the configuration parameters: after receiving the Route Target and Route Distinguisher parameters from the backend device, the access device allocates a VPN routing and forwarding (VRF) table resource locally, configures the received BGP/MPLS Layer 3 VPN Route Target and Route Distinguisher parameters on the allocated VRF, creates a PPP interface locally, adds the PPP interface to the VRF, and enables the RIP routing protocol on the PPP interface. The access device has now connected the site to the BGP/MPLS Layer 3 VPN.
  • The access device then sends the site's edge device a message that the site can access the virtual private network.
  • In this embodiment the backend device automatically sends the VPN configuration parameters of the access device to the access device, which receives them, configures itself accordingly, and quickly connects the site to the VPN. The operator's entire process of providing the virtual private network service requires no manual operation by network administrators, which improves efficiency.
  • Embodiment 5. Referring to FIG. 5, an embodiment of the backend device includes:
  • a request-message receiving unit 501, configured to receive a request message, sent by the access device, requesting access to the virtual private network (VPN), where the request message carries the authentication information;
  • an authentication unit 502, configured to authenticate the request message according to the authentication information. The authentication information may be a username and password for connecting to the VPN, and the authentication unit 502 may use the AAA server system to authenticate the request message according to that username and password;
  • an allocating unit 503, configured to globally allocate the VPN configuration parameters of the access device after the request message passes authentication; and
  • a parameter sending unit 504, configured to send the VPN configuration parameters to the access device.
  • The backend device may further include a service application unit 505, configured to receive a VPN service request message carrying VPN attribute information, assign a unique identifier to the VPN attribute information, and save it.
  • The backend device in this embodiment may further include a judging unit 506, configured to determine, after the request message passes authentication, whether the number of sites currently accessing the VPN exceeds the maximum number of sites allowed to access the VPN; if so, it feeds back a failure message to the site, and if not, the VPN configuration parameters of the access device are globally allocated and sent to the access device. The judging unit 506 extracts the maximum number of sites allowed to access the VPN from the VPN attribute information.
  • The allocating unit 503 can globally allocate the Route Target parameter and the Route Distinguisher parameter; the parameter sending unit 504 places the VPN attribute information, the Route Target, and the Route Distinguisher in the payload of a RADIUS packet and sends the packet to the access device over the RADIUS protocol. After receiving the RADIUS packet, the access device allows the site to access the VPN.
  • the access device in the embodiment of the present invention is described below.
  • Embodiment 6. Referring to FIG. 6, an embodiment of the access device includes:
  • a receiving unit 601, configured to receive a request message, sent by the site, requesting access to the virtual private network (VPN), where the request message carries the authentication information;
  • a request-message sending unit 602, configured to send the request message to the backend device; and
  • a configuration unit 603, configured to receive the VPN configuration parameters sent by the backend device and configure according to them. For example, the configuration unit 603 can allocate a virtual switch instance resource locally, configure the virtual switch instance according to the Route Target and Route Distinguisher parameters, and then add the 802.1X port to the virtual switch instance, so that the access device connects the site to the VPN.
  • An embodiment of the system for providing a virtual private network service includes:
  • a backend device 701, which may be a set of devices running VPN management functions: a Web service function for accepting VPN service requests; a global resource management function, such as global allocation of VPN configuration parameters (for example, globally assigning unique RD/RT parameters) and sending the VPN configuration parameters to the access device 702; an access management function, such as maintaining the number of online sites of the VPN and recording the status of online sites; and an authentication and charging function, which authenticates online sites by username and password and counts the traffic of online sites to implement billing; and
  • an access device 702, which can send the site's request message requesting access to the VPN to the backend device 701, configure itself according to the VPN configuration parameters sent by the backend device 701, and connect the site to the VPN.
  • The backend device 701 in this embodiment may be the same as the backend device shown in FIG. 5, and the access device 702 may be the same as the access device shown in FIG. 6; they are not described again here.
  • The system for providing virtual private network services further includes a VPN dial-in device 703 and may also include a front-end device 704. The front-end device 704 is a personal computer running the WEB service platform, which the user uses to apply for the VPN service.
  • A person skilled in the art will understand that all or part of the steps of the above embodiments may be implemented by a program instructing related hardware. The program may be stored in a computer readable storage medium, which may include a ROM, a RAM, a magnetic disk, or an optical disk.

Abstract

A method for providing virtual private network service is disclosed in the embodiments of the present invention, together with a corresponding device and system. In the embodiments, a backend device performs the following procedure: authenticating a request message in which a site requests access to a virtual private network (VPN), globally allocating the VPN configuration parameters of the access device when the authentication succeeds, and transmitting those VPN configuration parameters to the access device. The whole procedure therefore involves no manual operation, the configuration parameters are distributed to the access device automatically, and the access device can connect the site to the VPN quickly.

Description

提供虚拟私有网业务的方法、 设备和系统 本申请要求于 2010 年 11 月 30 日提交中国专利局、 申请号为 201010566397.2、 发明名称为"提供虚拟私有网业务的方法、 设备和系统" 的中国专利申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域  Method, device and system for providing virtual private network service This application claims to be submitted to the Chinese Patent Office on November 30, 2010, the application number is 201010566397.2, and the Chinese patent entitled "Method, Equipment and System for Providing Virtual Private Network Service" Priority of the application, the entire contents of which are incorporated herein by reference. Technical field
The present invention relates to the field of communications technologies, and in particular to a method, device and system for providing a virtual private network service.

Background technique

A virtual private network (VPN) is defined as a set of multiple logical networks provided on top of an existing single physical network. These logical networks are isolated from one another: data traffic in one logical network does not enter another logical network. Currently, many basic network operators are able to provide VPN services. Typically, these operators provide customers with Layer 2 VPN services based on Virtual Private LAN Service (VPLS), abbreviated VPLS services, and Layer 3 VPN services based on the Border Gateway Protocol (BGP) and Multi-Protocol Label Switching (MPLS), abbreviated BGP/MPLS Layer 3 VPN services. In the prior art, the activation process for these services is as follows: the customer determines the VPN attribute information of the VPN service, including the number of sites, site locations, traffic requirements and bandwidth requirements, through on-site communication with the basic network operator; the operator's departments (for example planning, network management and billing) then coordinate with one another to determine the network planning and billing schemes for the VPN service, and hence the VPN configuration parameters of the service provider edge devices; the operator's network management staff then configure the VPN configuration parameters on the service provider edge devices by manual operation; finally, the operator notifies the customer that the VPN service has been activated, and the service provider edge devices can connect the customer to the VPN.
During research and practice on the prior art, the inventor of the present invention found that whenever a new site is to be provided with VPN service, the cumbersome VPN service activation process described above must be carried out again. With the rapid development of information technology, customers need basic network operators to connect new sites to a VPN quickly, but the prior art cannot meet this need.

Summary of the invention
Embodiments of the present invention provide a method, device and system for providing a virtual private network service.

A method for providing a virtual private network service includes: receiving a request message, sent by an access device, requesting access to a virtual private network (VPN), the request message carrying authentication information;
authenticating the request message according to the authentication information;
after the request message passes authentication, globally allocating the VPN configuration parameters of the access device and sending the VPN configuration parameters to the access device.

A method for providing a virtual private network service includes: an access device receiving a request message, sent by a site, requesting access to a virtual private network (VPN), the request message carrying authentication information;
sending the request message to a back-end device;
receiving the VPN configuration parameters sent by the back-end device, and performing configuration according to the VPN configuration parameters.

A back-end device includes: a request message receiving unit, configured to receive a request message, sent by an access device, requesting access to a virtual private network (VPN), the request message carrying authentication information; an authentication unit, configured to authenticate the request message according to the authentication information; an allocation unit, configured to globally allocate the VPN configuration parameters of the access device after the request message passes authentication;
a parameter sending unit, configured to send the VPN configuration parameters to the access device.

An access device includes: a receiving unit, configured for the access device to receive a request message, sent by a site, requesting access to a virtual private network (VPN), the request message carrying authentication information;
a request message sending unit, configured to send the request message to a back-end device;
a configuration unit, configured to receive the VPN configuration parameters sent by the back-end device and to perform configuration according to the VPN configuration parameters.

A system for providing a virtual private network service includes the back-end device and the access device described above.
In the embodiments of the present invention, the process performed by the back-end device is: authenticate the request message by which a site requests access to the VPN; after authentication passes, allocate the VPN configuration parameters of the access device and send them to the access device. Thus the entire process performed by the back-end device requires no manual operation, yet configuration parameters are delivered to the access device, allowing the access device to connect the site to the VPN quickly.

Brief description of the drawings

FIG. 1 is a schematic flowchart of Embodiment 1 of the method for providing a virtual private network service according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of Embodiment 2 of the method for providing a virtual private network service according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of Embodiment 3 of the method for providing a virtual private network service according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of Embodiment 4 of the method for providing a virtual private network service according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the logical structure of Embodiment 5, the back-end device, according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the logical structure of Embodiment 6, the access device, according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the logical structure of Embodiment 7, the system for providing a virtual private network service, according to an embodiment of the present invention.

Detailed description
Embodiments of the present invention provide a method for providing a virtual private network service, together with corresponding devices and systems. Each is described in detail below.

Embodiment 1. Referring to FIG. 1, an embodiment of the method for providing a virtual private network service according to an embodiment of the present invention includes:

101. Receive a request message sent by an access device.

Before the basic network operator provides VPN service to a site, it must complete the network connectivity configuration and network tunnel configuration of all access devices in the basic network. For example, the Open Shortest Path First (OSPF) routing protocol is configured in the network domain, MPLS tunnels are configured on the access devices, and BGP is configured to enable the VPN technology.

When a site needs to access the VPN, that is, when VPN service is to be activated for the site, the access device receives a request message from the site requesting access to the VPN; the request message carries authentication information, and the access device sends the request message to the back-end device. The request message is usually sent to the access device by the edge device located at the site. Note that the access device is usually located at the edge of the operator's basic network, and that a customer generally has multiple sites requiring access to the VPN.

102. Authenticate the request message.

Because a VPN is a virtual private network, only legitimate sites may be allowed to access the VPN provided for a customer. Therefore, after receiving the request message by which a site requests access to the VPN, the back-end device authenticates the request message according to the authentication information.

103. Send the configuration parameters to the access device.

After the site's request message passes authentication by the back-end device, the back-end device can allocate the VPN configuration parameters of the access device and then send them to the access device, so that the access device can complete its configuration according to those parameters and add the site to the VPN.

In this embodiment, the process performed by the back-end device is: authenticate the request message by which a site requests access to the VPN; after authentication passes, allocate the VPN configuration parameters of the access device and send them to the access device. Thus the entire process requires no manual operation: configuration parameters are delivered to the access device automatically, and the access device adds the site to the VPN.
The method for providing a virtual private network service is described in detail below, taking the provision of a VPLS service as an example.

Embodiment 2. Referring to FIG. 2, another embodiment of the method for providing a virtual private network service according to an embodiment of the present invention includes:

201. Receive a virtual private network service application request.

A basic network operator usually provides, according to the user's requirements, a VPLS with its own attribute information; the VPLS attribute information includes the VPLS traffic type, the maximum number of sites allowed to access the VPLS, the access bandwidth, and so on. The user can provide the VPLS attribute information to the operator in many ways, such as face-to-face communication, telephone or fax. In this embodiment, however, the user can provide the attribute information to the operator in a self-service manner, specifically:

The user can send a VPLS service application request to the back-end device, the request carrying the VPLS attribute information. The back-end device globally allocates a unique identifier for the VPLS attribute information, saves the attribute information, and then returns to the user a message that the VPLS service application has been accepted. Note that the unique identifier the back-end device globally allocates for the VPLS attribute information is usually an integer, for example 32 bits or 64 bits.

Note that the user can send the VPLS service application request directly to the back-end device, so that the back-end device obtains the VPLS attribute information, or can first send the VPLS service application request to a front-end device, which then sends the VPLS attribute information to the back-end device; after receiving the back-end device's response, the front-end device returns to the user the message that the VPLS service application has been accepted. For example, the front-end device may be the user's computer: the user logs in from the computer to the web service platform for VPLS service applications, applies for the VPLS service, and enters the required VPLS attribute information on the web service platform.

The back-end device can also provide the user with a VPLS access pass, for example a username and password for connecting to the VPLS. Alternatively, the user may enter the username and password for connecting to the VPLS on the web service platform from the computer, in which case they are also carried in the VPLS service application request. Whether the username and password for connecting to the VPLS were received by the back-end device or issued by the back-end device to the user, the back-end device saves them in an authentication table, and their identifier in the authentication table corresponds to the identifier of the VPLS attribute information.

202. Receive a request message sent by the access device.

When a site in the network is to access the VPLS, the site runs an 802.1x client which sends to the access device a request message requesting access to the VPLS; the request message carries the username and password for connecting to the VPLS that the user of the site entered in the 802.1x client. Note that the 802.1x client is generally located on the edge device of the site. The access device, acting as a RADIUS client, then forwards the request message to the back-end device in the form of an AAA authentication packet. The back-end device uses an AAA server system, and the AAA server authenticates the AAA authentication packet. The 802.1x client is one type of VPN dial-up client.

203. Perform username and password authentication.

From the received AAA authentication packet, the AAA server parses out the username and password for connecting to the VPLS entered by the user of the site in the 802.1x client, and authenticates them against the username and password for connecting to the VPLS pre-stored in the authentication table of the back-end device.

204. Perform attribute information authentication.

After username and password authentication passes, the back-end device looks up the VPLS attribute information according to the identifier of the VPLS username and password in the authentication table, and determines whether the request passes authentication against that attribute information. For example, the back-end device can check whether the number of sites currently accessing the VPLS has exceeded the maximum number of sites allowed to access the VPLS: each time a site successfully accesses the VPLS, a counter in the back-end device is incremented by 1. If the value of the counter does not exceed the maximum number of sites allowed to access the VPLS, attribute information authentication passes; if the value of the counter exceeds that maximum, the back-end device returns a failure message to the site.

205. Allocate virtual private network configuration parameters.

After attribute information authentication passes, the back-end device globally allocates the VPLS configuration parameters of the access device; for example, the back-end device globally allocates for the access device a unique Route Target (RT) parameter and Route Distinguisher (RD) parameter.

An RD is an 8-byte number, usually written in the form 100:100, meaning that the first 4 bytes are 100 and the last 4 bytes are 100. Every VPN must have a unique RD. For example, taking 100:100 as the base, the back-end device can set the first RD it allocates to 100:101, the second to 100:102, and so on. Another way of allocating RDs is for the access device to also be preset with the base 100:100: when the back-end device allocates an RD for the first time, it allocates only the number 4 and sends the parameter 4 to the access device, which adds 4 to the base and obtains the RD value 100:104. RTs are allocated in the same way as RDs, so this is not repeated.

Note that the back-end device can also globally allocate the VPLS configuration parameters as soon as the site's VPLS service application succeeds; after attribute information authentication passes, the back-end device then retrieves the previously allocated VPLS configuration parameters.

206. Send the configuration parameters to the access device.

Through the AAA server system, the back-end device sends the VPLS configuration parameters (for example the Route Target parameter and the Route Distinguisher parameter) to the access device as the payload of a RADIUS protocol message. On receiving these configuration parameters, the access device can perform the configuration operations, add the site to the VPLS, and let the site access the VPLS through the access device. Because the AAA server system has an accounting function, once the site has accessed the VPLS the back-end device can start accounting using the AAA server system.

Further, for VPLS attribute information relevant to configuring the access device, such as the access bandwidth, the back-end device can, through the AAA server system, send the access bandwidth parameter together with the Route Target and Route Distinguisher parameters to the access device as the payload of a RADIUS message; the access device can then configure an upper bandwidth limit on the access that connects the site, limiting its network speed.

Note that after the back-end device has executed all the steps of this embodiment and the site has accessed the VPLS, the user of the site can still modify the VPLS attribute information. For example, the user logs in from a computer to the web service platform for modifying VPLS attribute information and increases the maximum number of sites allowed to access the VPLS, or the access bandwidth, in the attribute information; after receiving the modified attribute information sent by the computer, the back-end device sends it, through the AAA server system, to the access device as the payload of a RADIUS message.
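As an added example (not code from the patent), the following Python sketch simulates the back-end decision logic of steps 201 to 206 together with the RD/RT base-plus-offset allocation described under step 205. Credentials, attribute values and the 100:100 base are constructed; the messages are plain dictionaries rather than RADIUS packets; and the authentication table holds a salted hash of the password rather than the password itself, which is an assumption beyond the text.

```python
"""Simulated back-end (AAA server) logic for admitting a site to a VPLS.

Constructed example: the credentials, attribute values and the 100:100 base are
made up, and the request/response messages are dictionaries, not RADIUS packets.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os

# Base value preset on both back-end and access device, written as
# "first 4 bytes:last 4 bytes" in the form the text uses (100:100).
RD_BASE = (100, 100)
MAX_LOW = 2**32 - 1  # the low 4 bytes of an RD must not overflow


@dataclass
class VpnAttributes:
    """VPLS attribute information saved when the service application is accepted."""
    vpn_id: int
    traffic_type: str
    max_sites: int
    access_bandwidth_mbps: int
    rd_offset: int  # globally unique offset allocated at application time
    rt_offset: int
    active_sites: int = 0  # counter incremented on every successful site access


def _digest(salt: bytes, password: str) -> bytes:
    # Assumption: the authentication table stores a salted hash, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def rd_from_offset(offset: int, base=RD_BASE) -> str:
    """Access-device side of the offset scheme: add the received offset to the base."""
    hi, lo = base
    if not 0 <= lo + offset <= MAX_LOW:
        raise ValueError("offset overflows the low 4 bytes of the RD")
    return f"{hi}:{lo + offset}"


class Backend:
    def __init__(self) -> None:
        self._next_vpn_id = 1
        self._next_offset = 1  # global counter behind RD/RT allocation
        self.vpns: dict[int, VpnAttributes] = {}
        # username -> (salt, password digest, identifier of the VPN attribute info)
        self.auth_table: dict[str, tuple[bytes, bytes, int]] = {}

    def apply_for_vpls(self, attrs: dict, username: str, password: str) -> int:
        """Step 201: accept a VPLS application, store attributes and the access pass.

        RD/RT are allocated here already (the variant noted after step 205) and
        merely retrieved when a site is admitted later.
        """
        vpn_id, self._next_vpn_id = self._next_vpn_id, self._next_vpn_id + 1
        offset, self._next_offset = self._next_offset, self._next_offset + 1
        self.vpns[vpn_id] = VpnAttributes(
            vpn_id=vpn_id, rd_offset=offset, rt_offset=offset, **attrs)
        salt = os.urandom(16)
        self.auth_table[username] = (salt, _digest(salt, password), vpn_id)
        return vpn_id

    def handle_access_request(self, username: str, password: str) -> dict:
        """Steps 203-206 for one AAA authentication packet forwarded by the access device."""
        entry = self.auth_table.get(username)
        if entry is None:
            # Same reply as a wrong password, so the response text does not
            # reveal which usernames exist in the authentication table.
            return {"result": "reject", "reason": "authentication failed"}
        salt, stored, vpn_id = entry
        if not hmac.compare_digest(_digest(salt, password), stored):
            return {"result": "reject", "reason": "authentication failed"}
        # Step 204: attribute information check against the site counter.
        vpn = self.vpns[vpn_id]
        if vpn.active_sites >= vpn.max_sites:
            return {"result": "reject", "reason": "maximum number of sites reached"}
        vpn.active_sites += 1
        # Steps 205-206: hand back the previously allocated RD/RT (as full values
        # and as the bare offset) plus the access bandwidth to enforce on the port.
        return {
            "result": "accept",
            "rd": rd_from_offset(vpn.rd_offset),
            "rt": rd_from_offset(vpn.rt_offset),
            "rd_offset": vpn.rd_offset,
            "access_bandwidth_mbps": vpn.access_bandwidth_mbps,
        }
```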
In this embodiment, the user can provide the required VPN attribute information to the back-end device by sending a service application request, which improves the efficiency with which the basic network operator provides VPN services; moreover, the user can change the attribute information at any time while the VPN is running, which increases the flexibility of the VPN service. Once a large number of VPN services are online, a certain statistical multiplexing ratio exists, so that the operator's basic network can be fully utilised.

The method for providing a virtual private network service according to the embodiments of the present invention has been described above from the perspective of the back-end device; it is described below from the perspective of the access device.

Embodiment 3. Referring to FIG. 3, another embodiment of the method for providing a virtual private network service according to an embodiment of the present invention includes:
This embodiment again takes a basic network operator providing a VPLS service as an example.

301. Receive a request message.

When a site in the network is to access the VPLS, the site runs the 802.1x client installed on the edge device located at the site, which sends a request message carrying authentication information to the access device; when the access device receives this request message, it has in effect received the site's request for access to the VPLS.

302. Forward the request message to the back-end device.

The access device forwards the request message to the back-end device. After the back-end device has authenticated the request message, it can generate the VPLS configuration parameters of the access device, namely the Route Target parameter and the Route Distinguisher parameter, and send a message containing the configuration parameters to the provider edge device.

303. Perform configuration according to the received configuration parameters.

Having received the Route Target and Route Distinguisher parameters sent by the back-end device, the access device locally allocates virtual switching instance (VSI) resources, configures the received Route Target and Route Distinguisher parameters on the allocated virtual switching instance, and adds the 802.1x port to the virtual switching instance. At this point the access device has connected the site to the VPLS.

In this embodiment, the access device receives the VPN configuration parameters from the back-end device and performs configuration according to them, thereby connecting the site to the VPN. The entire process needs no manual operation by network management staff, which improves the efficiency with which the basic network operator provides VPN services.

The interaction between the back-end device and the access device is described in detail below through a specific application scenario, taking a basic network operator providing a BGP/MPLS Layer 3 VPN service as an example.

Embodiment 4. Referring to FIG. 4, another embodiment of the method for providing a virtual private network service according to an embodiment of the present invention includes:
401. The user requests access to a virtual private network.

The user first sends a BGP/MPLS Layer 3 VPN service application request to the front-end device, which then sends the BGP/MPLS Layer 3 VPN attribute information to the back-end device; after receiving the back-end device's response, the front-end device returns to the user the message that the BGP/MPLS Layer 3 VPN service application has been accepted. The attribute information of a BGP/MPLS Layer 3 VPN is roughly the same as the VPLS attribute information, but the BGP/MPLS Layer 3 VPN attribute information must carry access IP address pool information and loopback IP address pool information.

402. The site sends a request message.

When a site in the network is to access the BGP/MPLS Layer 3 VPN, the site runs the PPPoE client installed on the edge device located at the site, which sends a request message to the provider edge device; the request message carries the username and password for connecting to the BGP/MPLS Layer 3 VPN that the user of the site entered in the PPPoE client. The provider edge device, acting as a RADIUS client, then forwards the request message to the back-end device in the form of an AAA authentication packet. The back-end device uses an AAA server system, and the AAA server authenticates the AAA authentication packet. The PPPoE client is another type of VPN dial-up client.

403. The back-end device performs authentication.

From the received AAA authentication packet, the AAA server parses out the username and password for connecting to the BGP/MPLS Layer 3 VPN entered by the customer of the site in the PPPoE client, and authenticates them against the username and password for connecting to the BGP/MPLS Layer 3 VPN pre-stored in the authentication table of the back-end device; the authentication exchange is transmitted encrypted.

404. The back-end device sends the configuration parameters.

After authentication passes, the back-end device globally allocates the VPN configuration parameters of the access device; in this embodiment, the back-end device globally allocates the Route Target parameter and the Route Distinguisher parameter.

After globally allocating the Route Target and Route Distinguisher parameters, the back-end device sends them, through the AAA server system, to the access device as the payload of a RADIUS message, so that the access device can add the site to the BGP/MPLS Layer 3 VPN.

405. The access device performs configuration according to the configuration parameters.

After receiving the Route Target and Route Distinguisher parameters sent by the back-end device, the access device locally allocates VPN routing and forwarding (VRF) table resources, configures the received BGP/MPLS Layer 3 VPN Route Target and Route Distinguisher parameters on the allocated VRF table, locally creates a PPP interface, adds the PPP interface to the VRF table, and starts the RIP routing protocol on the PPP interface. At this point the access device has connected the site to the BGP/MPLS Layer 3 VPN.

406. The access device sends a message indicating that the virtual private network can be accessed.

The access device sends to the edge device located at the site a message indicating that the VPN can be accessed.

In this embodiment, the back-end device automatically sends the VPN configuration parameters of the access device to the access device, and the access device receives the VPN configuration parameters from the back-end device and performs configuration according to them, quickly connecting the site to the VPN. The entire process by which the basic network operator provides the virtual private network service needs no manual operation by network management staff, which improves efficiency.

The back-end device in the embodiments of the present invention is described below.

Embodiment 5. Referring to FIG. 5, an embodiment of the back-end device according to an embodiment of the present invention includes:
a request message receiving unit 501, configured to receive a request message, sent by an access device, requesting access to a virtual private network (VPN), the request message carrying authentication information;

an authentication unit 502, configured to authenticate the request message according to the authentication information; when the authentication information is a username and password for connecting to the virtual private network, the authentication unit 502 can use an AAA server system to authenticate the request message against that username and password;

an allocation unit 503, configured to globally allocate the VPN configuration parameters of the access device after the request message passes authentication;

a parameter sending unit 504, configured to send the VPN configuration parameters to the access device.

To provide VPN services to customers more quickly, the access device in this embodiment may further have the following feature:

a service application unit 505, configured to receive a VPN service application request message carrying VPN attribute information, allocate a unique identifier for the VPN attribute information, and save the VPN attribute information.

To improve the security of connections to the VPN, the access device in this embodiment may further have the following feature:

a judging unit 506, configured to determine, after the request message passes authentication, whether the number of sites currently accessing the VPN exceeds the maximum number of sites allowed to access the VPN; if so, to return a failure message to the site; if not, to globally allocate the VPN configuration parameters of the access device and send the VPN configuration parameters to the access device.

The judging unit 506 extracts the maximum number of sites allowed to access the VPN from the VPN attribute information.

When the number of sites currently accessing the VPN does not exceed the maximum number of sites allowed to access the VPN, the allocation unit 503 can globally allocate the Route Target parameter and the Route Distinguisher parameter; the parameter sending unit 504 sends the VPN attribute information, the Route Target and the Route Distinguisher to the access device as the payload of a RADIUS message; after receiving the RADIUS message, the access device lets the site access the VPN.

The access device in the embodiments of the present invention is described below.

Embodiment 6. Referring to FIG. 6, an embodiment of the access device according to an embodiment of the present invention includes:
a receiving unit 601, configured for the access device to receive a request message, sent by a site, requesting access to a virtual private network (VPN), the request message carrying authentication information;
a request message sending unit 602, configured to send the request message to the backend device;
a configuration unit 603, configured to receive the VPN configuration parameters sent by the backend device and perform configuration according to the VPN configuration parameters.
When the site's request message requesting access to the VPN is sent through an 802.1x client, and the VPN configuration parameters sent by the backend device are a route target parameter and a route distinguisher parameter, the configuration unit 603 may locally allocate a virtual switch instance resource, configure the virtual switch instance according to the route target parameter and the route distinguisher parameter, and then add the 802.1x port to the virtual switch instance; at this point the access device has connected the site to the VPN.
Or,
when the site's request message requesting access to the VPN is sent through a PPPoE client, and the VPN configuration parameters sent by the backend device are a route target parameter and a route distinguisher parameter, the configuration unit 603 may locally allocate a VPN routing and forwarding table resource, configure the VPN routing and forwarding table according to the route target parameter and the route distinguisher parameter, locally create a PPP interface, add the created PPP interface to the VPN routing and forwarding table, and start the Routing Information Protocol on the PPP interface; at this point the access device has connected the site to the VPN.

The system for providing a virtual private network service in the embodiments of the present invention is described below. Embodiment 7: referring to FIG. 7, one embodiment of the system for providing a virtual private network service in the embodiments of the present invention includes:
a backend device 701 and an access device 702.
The backend device 701 may be a collective term for a set of devices running VPN management functions, including: a web service function that accepts VPN service applications; a global resource management function, such as globally allocating VPN configuration parameters (for example, globally allocating unique RD/RT parameters) and sending the VPN configuration parameters to the access device 702; an access management function, such as maintaining the number of sites online in the VPN and recording the state of the online sites; and an authentication and accounting function, which authenticates sites coming online by username and password and meters their connection time and traffic to implement charging. These functions usually run on one server or a group of servers and may be referred to collectively as the backend device 701.
The access device 702 may be responsible for forwarding the site's request message requesting access to the VPN to the backend device 701, performing configuration according to the VPN configuration parameters sent by the backend device 701, and connecting the site to the VPN.
It should be noted that the backend device 701 in this embodiment may be the same as the backend device shown in FIG. 5, and the access device 702 in this embodiment may be the same as the access device shown in FIG. 6; details are not repeated here.
The system for providing a virtual private network service further includes a VPN dial-in device 703, and may further include a front-end device 704.
The VPN dial-in device 703 is the edge device located at the site, a network device that runs the VPN dial-up client and is responsible for initiating the authentication request on behalf of the customer site.
The front-end device 704 is a personal computer device on which a web service platform is installed; the user uses the front-end device 704 to apply for the VPN service.

A person of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium, which may include a ROM, a RAM, a magnetic disk or an optical disc.
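The admission and allocation flow of embodiments 5 to 7, written out as an added Python example for this page; it is not the patent's own code. The salted-hash AAA credential store, the "X-" attribute names standing in for vendor-specific RADIUS attributes, the provider ASN 65000 and the RD/RT numbering are assumptions of the example, and the RADIUS transport itself is not modelled: the backend returns the attribute dictionary that the access device would read out of the Access-Accept.

```python
# Added illustration of the admission and allocation flow of embodiments 5 to 7;
# example code written for this page, not the patent's own implementation.
# Unit names follow the text; the AAA store, the X-* RADIUS attribute names, the
# provider ASN and the RD/RT number space are assumptions made for the example.
import hashlib
import hmac
import os
from dataclasses import dataclass

ASN = 65000  # constructed provider ASN used to build "ASN:n" RD/RT strings


@dataclass
class VpnAttributes:
    vpn_id: int      # unique identifier assigned by the service application unit (505)
    name: str
    max_sites: int   # maximum number of sites allowed to access the VPN


class BackendDevice:
    """Units 501-506: receive request, authenticate, check site limit, allocate, send."""

    def __init__(self):
        self._vpns = {}        # vpn_id -> VpnAttributes (stored VPN attribute information)
        self._users = {}       # username -> (salt, pbkdf2 digest, vpn_id): the AAA store
        self._online = {}      # vpn_id -> set of access devices with a site online
        self._rt_by_vpn = {}   # one route target per VPN, shared by all of its sites
        self._rd_by_site = {}  # (vpn_id, access device) -> route distinguisher
        self._next_vpn_id = self._next_rt = self._next_rd = 1

    def apply_for_service(self, name, max_sites):
        """Service application unit 505: store attributes under a fresh unique id."""
        vpn_id, self._next_vpn_id = self._next_vpn_id, self._next_vpn_id + 1
        self._vpns[vpn_id] = VpnAttributes(vpn_id, name, max_sites)
        return vpn_id

    def add_user(self, username, password, vpn_id):
        """Provision a site credential; only a salted PBKDF2 digest is kept."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest, vpn_id)

    def _authenticate(self, username, password):
        """Authentication unit 502: the vpn_id the credential belongs to, or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, vpn_id = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return vpn_id if hmac.compare_digest(candidate, digest) else None

    def handle_access_request(self, access_device, username, password):
        """Units 502-506 for one request; returns a RADIUS-style attribute dict."""
        vpn_id = self._authenticate(username, password)
        if vpn_id is None:
            return {"result": "Access-Reject", "reason": "authentication failed"}
        vpn = self._vpns[vpn_id]
        online = self._online.setdefault(vpn_id, set())
        # Judging unit 506: admit only while the site count is within the VPN's limit.
        if access_device not in online and len(online) >= vpn.max_sites:
            return {"result": "Access-Reject", "reason": "site limit reached"}
        online.add(access_device)
        # Allocation unit 503: RT is global per VPN, RD is global per (VPN, access device).
        if vpn_id not in self._rt_by_vpn:
            self._rt_by_vpn[vpn_id] = f"{ASN}:{self._next_rt}"
            self._next_rt += 1
        site = (vpn_id, access_device)
        if site not in self._rd_by_site:
            self._rd_by_site[site] = f"{ASN}:{self._next_rd}"
            self._next_rd += 1
        # Parameter sending unit 504: attributes carried in the RADIUS Access-Accept.
        return {"result": "Access-Accept", "X-VPN-Name": vpn.name,
                "X-Max-Sites": vpn.max_sites,
                "X-Route-Distinguisher": self._rd_by_site[site],
                "X-Route-Target": self._rt_by_vpn[vpn_id]}


class AccessDevice:
    """Units 601-603: relay the site's request and apply the returned parameters."""

    def __init__(self, name, backend):
        self.name, self.backend = name, backend
        self.vsis = {}  # 802.1x path: virtual switch instance per VPN name
        self.vrfs = {}  # PPPoE path: VPN routing and forwarding table per VPN name

    def site_access(self, client_type, username, password, port):
        reply = self.backend.handle_access_request(self.name, username, password)
        if reply["result"] != "Access-Accept":
            return reply  # the failure message is relayed to the site unchanged
        params = {"rd": reply["X-Route-Distinguisher"], "rt": reply["X-Route-Target"]}
        if client_type == "802.1x":
            vsi = self.vsis.setdefault(reply["X-VPN-Name"], {**params, "ports": set()})
            vsi["ports"].add(port)                       # join the 802.1x port to the VSI
        elif client_type == "pppoe":
            vrf = self.vrfs.setdefault(reply["X-VPN-Name"], {**params, "interfaces": set()})
            vrf["interfaces"].add(f"ppp-{port}")          # new PPP interface bound to the VRF
            vrf["rip"] = True                             # RIP started on that PPP interface
        else:
            raise ValueError(f"unsupported client type {client_type!r}")
        return reply
```

The ordering is the part worth noticing: authentication runs before the site-count check, and the check runs before any RD/RT is allocated, so a rejected request leaves no allocated state behind, and a site that is already online does not consume a second slot or receive a second route distinguisher.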
The method, device and system for providing a virtual private network service provided by the embodiments of the present invention have been described in detail above. The description of the above embodiments is only intended to help understand the method of the present invention and its core idea; at the same time, a person of ordinary skill in the art may, based on the idea of the present invention, make changes to the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims

1. A method for providing a virtual private network service, comprising:
receiving a request message, sent by an access device, requesting access to a virtual private network (VPN), the request message carrying authentication information;
authenticating the request message according to the authentication information;
after the request message passes authentication, globally allocating VPN configuration parameters for the access device, and sending the VPN configuration parameters to the access device.
2. The method according to claim 1, wherein before the step of receiving the request message carrying authentication information sent by the access device, the method further comprises:
receiving a VPN service application request message, the VPN service application request message carrying VPN attribute information; assigning a unique identifier to the VPN attribute information; and storing the VPN attribute information.
3. The method according to claim 2, wherein the authentication information is a username and password for connecting to the virtual private network, and the step of authenticating the request message according to the authentication information comprises:
authenticating the request message according to the username and the password using an AAA server system.
4. The method according to claim 3, wherein the VPN attribute information is a maximum number of sites allowed to access the VPN, and after the step of authenticating the request message according to the username and the password using the AAA server system, the method further comprises:
after the request message passes authentication, determining whether the number of sites currently connected to the VPN exceeds the maximum number of sites allowed to access the VPN; if so, returning a failure message to the site; if not, globally allocating the VPN configuration parameters for the access device and sending the VPN configuration parameters to the access device.
5. The method according to claim 2 or 3, wherein the step of globally allocating the VPN configuration parameters for the access device and sending the VPN configuration parameters to the access device specifically comprises:
globally allocating a route target parameter and a route distinguisher parameter for the access device;
placing the VPN attribute information, the route target parameter and the route distinguisher parameter in the payload of a RADIUS protocol packet, and sending it to the access device over the RADIUS protocol.
6. A method for providing a virtual private network service, comprising:
an access device receiving a request message, sent by a site, requesting access to a virtual private network (VPN), the request message carrying authentication information;
sending the request message to a backend device;
receiving VPN configuration parameters sent by the backend device, and performing configuration according to the VPN configuration parameters.
7. The method according to claim 6, wherein
the access device receives a request message carrying authentication information sent by the site through an 802.1x client, the VPN configuration parameters are a route target parameter and a route distinguisher parameter, and the step of performing configuration according to the VPN configuration parameters is:
locally allocating a virtual switch instance resource, configuring the virtual switch instance according to the route target parameter and the route distinguisher parameter, and then adding the 802.1x port to the virtual switch instance;
or,
the access device receives a request message carrying authentication information sent by the site through a PPPoE client, the VPN configuration parameters are a route target parameter and a route distinguisher parameter, and the step of performing configuration according to the VPN configuration parameters is:
locally allocating a VPN routing and forwarding table resource, configuring the VPN routing and forwarding table according to the route target parameter and the route distinguisher parameter, locally creating a PPP interface, adding the PPP interface to the VPN routing and forwarding table, and starting the Routing Information Protocol on the PPP interface.
8. A backend device, comprising:
a request message receiving unit, configured to receive a request message, sent by an access device, requesting access to a virtual private network (VPN), the request message carrying authentication information;
an authentication unit, configured to authenticate the request message according to the authentication information;
an allocation unit, configured to globally allocate VPN configuration parameters for the access device after the request message passes authentication;
a parameter sending unit, configured to send the VPN configuration parameters to the access device.
9. The backend device according to claim 8, further comprising:
a service application unit, configured to receive a VPN service application request message carrying VPN attribute information, assign a unique identifier to the VPN attribute information, and store the VPN attribute information.
10. The backend device according to claim 9, wherein
the authentication information is a username and password for connecting to the virtual private network, and the authentication unit authenticates the request message according to the username and the password using an AAA server system.
11. The backend device according to claim 9, wherein the VPN attribute information is a maximum number of sites allowed to access the VPN, the backend device further comprising:
a judging unit, configured to determine, after the request message passes authentication, whether the number of sites currently connected to the VPN exceeds the maximum number of sites allowed to access the VPN; if so, to return a failure message to the site; and if not, to globally allocate the VPN configuration parameters for the access device and send the VPN configuration parameters to the access device.
12. The backend device according to claim 9 or 10, wherein
the allocation unit globally allocates a route target parameter and a route distinguisher parameter for the access device; and
the parameter sending unit places the VPN attribute information, the route target parameter and the route distinguisher parameter in the payload of a RADIUS protocol packet and sends it to the access device over the RADIUS protocol.
13. An access device, comprising:
a receiving unit, configured for the access device to receive a request message, sent by a site, requesting access to a virtual private network (VPN), the request message carrying authentication information;
a request message sending unit, configured to send the request message to a backend device;
a configuration unit, configured to receive VPN configuration parameters sent by the backend device and perform configuration according to the VPN configuration parameters.
14. The access device according to claim 13, wherein:
the receiving unit is configured for the access device to receive a request message carrying authentication information sent by the site through an 802.1x client, the VPN configuration parameters are a route target parameter and a route distinguisher parameter, and the configuration unit locally allocates a virtual switch instance resource, configures the virtual switch instance according to the route target parameter and the route distinguisher parameter, and then adds the 802.1x port to the virtual switch instance;
or,
the receiving unit is configured for the access device to receive a request message carrying authentication information sent by the site through a PPPoE client, the VPN configuration parameters are a route target parameter and a route distinguisher parameter, and the configuration unit locally allocates a VPN routing and forwarding table resource, configures the VPN routing and forwarding table according to the route target parameter and the route distinguisher parameter, locally creates a PPP interface, adds the PPP interface to the VPN routing and forwarding table, and starts the Routing Information Protocol on the PPP interface.
15. A system for providing a virtual private network service, comprising:
the backend device according to any one of claims 8 to 12, and the access device according to any one of claims 13 and 14.
PCT/CN2011/075208 2010-11-30 2011-06-02 Method, device and system for providing virtual private network service WO2011147334A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010566397.2A CN102480403B (en) 2010-11-30 2010-11-30 Method for providing virtual private network service, device and system
CN201010566397.2 2010-11-30

Publications (1)

Publication Number Publication Date
WO2011147334A1 true WO2011147334A1 (en) 2011-12-01

Family

ID=45003331

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/075208 WO2011147334A1 (en) 2010-11-30 2011-06-02 Method, device and system for providing virtual private network service

Country Status (2)

Country Link
CN (1) CN102480403B (en)
WO (1) WO2011147334A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016026124A1 (en) * 2014-08-21 2016-02-25 华为技术有限公司 Wireless network access control method, device and system
WO2022155233A1 (en) * 2021-01-13 2022-07-21 Cisco Technology, Inc. Openroaming based remote worker

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984045B (en) * 2012-12-05 2019-04-19 网神信息技术(北京)股份有限公司 The cut-in method and Virtual Private Network client of Virtual Private Network
CN106302428B (en) * 2016-08-09 2019-09-17 新华三技术有限公司 A kind of automatic deployment method and device of encryption level
CN107005603A (en) * 2016-08-30 2017-08-01 深圳前海达闼云端智能科技有限公司 Method, device, system and the computer program product distributed for IP address

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1725723A (en) * 2005-06-15 2006-01-25 杭州华为三康技术有限公司 Method and system for increasing safety of VPN user
CN101159750A (en) * 2007-11-20 2008-04-09 杭州华三通信技术有限公司 Identification authenticating method and apparatus
CN101212374A (en) * 2006-12-29 2008-07-02 北大方正集团有限公司 Method and system for remote access to campus network resources

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8566925B2 (en) * 2006-08-03 2013-10-22 Citrix Systems, Inc. Systems and methods for policy based triggering of client-authentication at directory level granularity

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1725723A (en) * 2005-06-15 2006-01-25 杭州华为三康技术有限公司 Method and system for increasing safety of VPN user
CN101212374A (en) * 2006-12-29 2008-07-02 北大方正集团有限公司 Method and system for remote access to campus network resources
CN101159750A (en) * 2007-11-20 2008-04-09 杭州华三通信技术有限公司 Identification authenticating method and apparatus

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016026124A1 (en) * 2014-08-21 2016-02-25 华为技术有限公司 Wireless network access control method, device and system
US10448317B2 (en) 2014-08-21 2019-10-15 Huawei Technologies Co., Ltd. Wireless network access control method, device, and system
US11184770B2 (en) 2014-08-21 2021-11-23 Huawei Technologies Co., Ltd. Wireless network access control method, device, and system
US11765587B2 (en) 2014-08-21 2023-09-19 Huawei Technologies Co., Ltd. Wireless network access control method, device, and system
WO2022155233A1 (en) * 2021-01-13 2022-07-21 Cisco Technology, Inc. Openroaming based remote worker
US11496337B2 (en) 2021-01-13 2022-11-08 Cisco Technology, Inc. Openroaming based remote worker

Also Published As

Publication number Publication date
CN102480403A (en) 2012-05-30
CN102480403B (en) 2014-12-10

Similar Documents

Publication Publication Date Title
CN103580980B (en) The method and device thereof that virtual network finds and automatically configures automatically
EP2040431B1 (en) A system and method for the multi-service access
US9553846B2 (en) Method and system for realizing virtual network
US20130205025A1 (en) Optimized Virtual Private Network Routing Through Multiple Gateways
EP2760174A1 (en) Virtual private cloud access authentication method and related apparatus
US10454880B2 (en) IP packet processing method and apparatus, and network system
AU2014261983B2 (en) Communication managing method and communication system
EP3493483A1 (en) Virtual broadband access method, controller, and system
US20130227673A1 (en) Apparatus and method for cloud networking
EP3732833B1 (en) Enabling broadband roaming services
WO2013007158A1 (en) Method for virtual private cloud to access network, network side device and data centre device
CN101711031B (en) Portal authenticating method during local forwarding and access controller (AC)
WO2014075312A1 (en) Method, device and system for providing network traversing service
US9787691B2 (en) Classification of unauthenticated IP users in a layer-2 broadband aggregation network and optimization of session management in a broadband network gateway
CN103166909B (en) The cut-in method of a kind of Virtual Networking System, device and system
WO2017166936A1 (en) Method and device for implementing address management, and aaa server and sdn controller
JP5679343B2 (en) Cloud system, gateway device, communication control method, and communication control program
WO2014029367A1 (en) Dynamic configuration method, device and system
WO2011120257A1 (en) Method and system for resource admission control of home network
WO2011147334A1 (en) Method, device and system for providing virtual private network service
WO2011072583A1 (en) User access method, system and access server, access device
WO2021031465A1 (en) Sd-wan-based device authentication method and system
WO2013020267A1 (en) Ip address allocation method, system and device
WO2024000975A1 (en) Session establishment system and method, electronic device, and storage medium
CN112738132A (en) Secondary authentication access system and method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11786106

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11786106

Country of ref document: EP

Kind code of ref document: A1