WO2015007196A1 - Discovery of network device of a vpn network - Google Patents


Publication number
WO2015007196A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
network
site layer
discovered
branch
Application number
PCT/CN2014/082195
Other languages
French (fr)
Inventor
Caifu WU
Original Assignee
Hangzhou H3C Technologies Co., Ltd.
Application filed by Hangzhou H3C Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Definitions

  • VPN Virtual Private Network
  • the discovered network devices may be directly added to a VPN module of the network management system. Further, since the public address is unnecessary in the procedure of discovering the site layer device, the private address corresponding to the site layer device may be obtained only when obtaining the information of the VPN device.
  • the VPN device is added to the first seed queue.
  • the discovery procedure is finished. According to the above processing, the Hub devices and the Spoke devices in the branch VPN are added to the first seed queue.
  • two VAMSs may be added to the first seed queue to avoid problems caused by crash of one of the VAMS.
  • the information of the VPN device may be read from the two VAMS by using a parallel mode.
  • the Hub device is the device of the operator, and thus the Hub device may be not discovered in the procedure of discovering the network device.
  • the information of the VPN devices is read from the address mapping table stored by the VAMS randomly or according to certain rules.
  • the Hub devices and the Spoke devices of the current branch VPN are discovered and added to the first seed queue as the current seed devices, so as to automatically discover the site layer devices. Further, at S31, the VPN name corresponding to the Hub device and the Spoke device, and the public address and the private address of the Hub device and the Spoke device are determined, and it is also determined whether each VPN device is a Hub device or a Spoke device.
  • S32, in the current branch VPN, a discovery operation is performed via a downlink port of each of the at least one current seed device to discover at least one network device of a next level. When the current seed device is the VPN device, the site layer devices are discovered as the network devices of the next level via the downlink port of the VPN device.
  • the site layer devices are discovered by using a route discovery mode. For example, according to private addresses in routes related to the downlink port of the VPN device, the site layer devices corresponding to the private addresses are discovered.
  • it is determined whether the next-hop network device corresponding to each discovered site layer device is a VPN device in another branch VPN, so as to determine whether the discovered site layer device belongs to the current branch VPN.
  • the next-hop network device corresponding to the site layer device discovered by a certain VPN device refers to a next-hop device close to the VPN device in the route from the VPN device to the discovered site layer device.
  • For example, the structure of branch VPNs is shown in Figure 5.
  • the current branch VPN includes Spoke1 and devices in site 1, i.e. A11, A12, B111, B112 and B121.
  • Spoke2 is included in another branch VPN and C11 is a site layer device in the other branch VPN.
  • the next-hop network device corresponding to C11 is Spoke2, which is the VPN device of the other branch VPN. That is, when the next-hop network device corresponding to the discovered site layer device is the VPN device in the other branch VPN, the discovered site layer device does not belong to the current branch VPN.
  • the VPN devices in the current branch VPN are included in the first seed queue.
  • For each discovered site layer device, when the next-hop network device corresponding to the discovered site layer device is not a VPN device in another branch VPN, the discovered site layer device is added to a preset second seed queue. When the next-hop network device corresponding to the discovered site layer device is a VPN device in another branch VPN, this indicates that the discovered site layer device is a site layer device of the other branch VPN, and the discovered site layer device is not processed.
  • the VPN device is cancelled from the first seed queue and is added to the first finish queue.
  • the site layer devices of the next level are discovered as the network devices of the next level via the downlink port of the site layer device.
  • For each discovered site layer device of the next level, when the discovered site layer device of the next level is not one of the site layer devices discovered formerly, the discovered site layer device of the next level is added to the second seed queue. When the discovered site layer device of the next level is one of the site layer devices discovered formerly, the discovered site layer device of the next level is not processed.
  • it is determined whether the second seed queue is null, so as to determine whether all of the network devices in the branch VPN are discovered.
  • When the second seed queue is null, processing at S34 is performed. When the second seed queue is not null, each of the site layer devices in the second seed queue is taken as the current seed device of the branch VPN, and processing at S32 is performed.
  • When no site layer device of the next level can be discovered by the current seed device, the current seed device is cancelled from the second seed queue and is added to the second finish queue.
  • When the second seed queue is null, it indicates that all site layer devices are discovered in the current branch VPN.
  • each of the site layer devices in the second seed queue is taken as the current seed device, and processing at S32 is performed to discover the site layer device of the next level, until all site layer devices are discovered.
  • By the processing at S32 and S33, all of the site layer devices in the branch VPN are discovered, and the information of the VPN devices in the current branch VPN is cancelled from the obtained information of the VPN devices. For example, the VPN devices in the current branch VPN are cancelled from the seed devices determined at S31.
  • the network devices in the first finish queue and the second finish queue may be added to a preset general discovery queue, and the network devices in the general discovery queue are added to the network management system.
  • the network devices in the first finish queue and the network devices in the second finish queue may be added to the network management system respectively.
  • the network devices of the multiple branch VPNs may be discovered respectively.
  • all network devices of the VPN network are discovered and added to the network management system, and thus all network devices of the VPN network are managed.
  • the network devices are discovered via downlink ports level by level, the number of discovery operations is reduced, and thus the efficiency and veracity of discovering network devices are improved. Further, network devices of other branch VPNs are not introduced, and thus the capability of discovering the network devices is improved. Moreover, the examples of the present disclosure may be applied to VPN networks of different types, so practicality is strong.
  • Figure 6 is a schematic diagram illustrating an apparatus for discovering a network device of a VPN network according to various examples of the present disclosure.
  • the apparatus includes storage 60 and a processor 61.
  • the storage 60 may be non-transitory computer readable storage medium.
  • the storage 60 stores computer readable instructions for implementing a determining module 601, a discovering module 602, a branch determining module 603, and an adding module 604.
  • the processor 61 may execute the computer readable instructions stored in the storage 60.
  • the determining module 601 determines at least one current seed device in a branch VPN of a VPN network.
  • the discovering module 602 performs a discovery operation via a downlink port of each of the at least one current seed device to discover at least one network device of a next level.
  • the branch determining module 603 determines whether all of network devices in the branch VPN are discovered. When all of the network devices in the branch VPN are discovered, the adding module 604 is called. When not all of the network devices in the branch VPN are discovered, each of the at least one network device of the next level is taken as the current seed device of the branch VPN, and the discovering module 602 is called.
  • the adding module 604 adds all of the network devices in the branch VPN to a network management system.
  • the storage 60 further includes computer readable instructions for implementing a networking determining module 605.
  • the networking determining module 605 determines at least one current seed device in the another branch VPN of the VPN network, and calls the discovering module 602 to discover network devices in the another branch VPN.
  • the network devices include VPN devices and site layer devices.
  • the discovering module 602 may include a VPN device discovering sub-module and a site layer device discovering sub-module.
  • the VPN device discovering sub-module discovers at least one site layer device of the next level via a downlink port of the VPN device.
  • the site layer device discovering sub-module discovers at least one site layer device of the next level via a downlink port of the site layer device.
  • the branch VPN may include one or multiple VAMSs.
  • the VPN device may include the Hub device and the Spoke device.
  • the determining module 601 selects at least one VPN device in the branch VPN according to an address mapping table stored in one VAMS, and determines the selected at least one VPN device as the current seed device in the branch VPN.
  • the determining module 601 adds one VAMS to a preset first seed queue, reads information of VPN devices from the address mapping table of the one VAMS, cancels the VAMS from the first seed queue, and adds the VAMS to a preset finish queue.
  • the determining module 601 adds the VPN devices to the first seed queue, and takes one of the VPN devices in the first seed queue as the current seed device of the current branch VPN.
  • the VPN device discovering sub-module discovers the at least one site layer device of the next level via the downlink port of the VPN device, determines whether a next-hop network device corresponding to the discovered site layer device is a VPN device in another branch VPN. When the next-hop network device corresponding to the discovered site layer device is not the VPN device in the another branch VPN, the VPN device discovering sub-module determines the discovered site layer device as the site layer device of the next level.
  • the site layer device discovering sub-module discovers at least one site layer device of the next level via the downlink port of the site layer device, and determines whether the discovered site layer device is one of the site layer devices discovered formerly. When the discovered site layer device is not one of the site layer devices discovered formerly, the site layer device discovering sub-module determines the discovered site layer device as the site layer device of the next level. In an example, the branch determining module determines whether there is a site layer device of the next level in the branch VPN, and determines that all of the network devices of the branch VPN are discovered when there is no site layer device of the next level in the current branch VPN.
  • the present disclosure can be realized as methods, systems or computer program products.
  • the above described modules of present disclosure can be realized by hardware or software in combination with hardware platforms.
  • the present disclosure may be implemented as a software product, and the computer software product is stored in a storage medium and includes machine readable instructions to make a computer device (such as a personal computer, a server or a network device) perform the method in embodiments of the present disclosure.
  • the present disclosure provides machine-readable storage medium that stores machine-readable program codes or instructions for implementing functions of any of the above examples and that may make the system or the apparatus (or CPU or MPU) read and execute the program codes stored in the storage medium.
  • the program codes or instructions read from the storage medium may implement any one of the above examples.
  • the storage medium for providing the program codes or instructions may include floppy disk, hard drive, magneto-optical disk, compact disk (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape drive, Flash card, ROM and so on.
  • the program code or instructions may be downloaded from a server computer via a communication network.
  • program codes being executed by a computer
  • at least part of the operations performed by the program codes may be implemented by an operating system running in a computer following instructions based on the program codes.
  • program codes implemented from a storage medium may be written in a storage in an extension board inserted in the computer or in a storage in an extension unit connected to the computer.
  • a CPU in the extension board or the extension unit may execute at least part of the operations according to the instructions based on the program codes.

Abstract

According to an example, at least one current seed device in a branch VPN of a VPN network is determined, and a discovery operation is performed via a downlink port of each of the at least one current seed device to discover at least one network device of a next level. It is determined whether all of network devices in the branch VPN are discovered. When not all of the network devices in the branch VPN are discovered, each of the at least one network device of the next level is taken as the current seed device of the branch VPN, and the discovery operation is performed again. When all of the network devices in the branch VPN are discovered, all of the network devices in the branch VPN are added to a network management system.

Description

DISCOVERY OF NETWORK DEVICE OF A VPN NETWORK
Background
Along with the developments of Internet technologies, Virtual Private Network (VPN) technologies are widely used. By using the VPN technology, private data of users may be transferred safely via a public network. More and more companies establish VPNs by using the public network, so as to connect multiple offices in different geographical locations.
After the VPN is established, network devices are discovered. However, in conventional discovery procedure, operations are complicated and may be performed repeatedly, and thus the efficiency of discovering the network devices is low. Further, additional operations are needed to discover site layer devices.
Brief Description of the Drawings
Figure 1 is a schematic diagram illustrating a structure of a VPN network according to various examples of the present disclosure.
Figure 2 is a schematic flowchart illustrating a method for discovering a network device of a VPN network according to various examples of the present disclosure.
Figure 3 is a schematic flowchart illustrating a method for discovering a network device of a VPN network according to various examples of the present disclosure.
Figure 4 is a schematic flowchart illustrating a method for discovering a VPN device according to various examples of the present disclosure.
Figure 5 is a schematic diagram illustrating a structure of branch VPNs according to various examples of the present disclosure.
Figure 6 is a schematic diagram illustrating an apparatus for discovering a network device of a VPN network according to various examples of the present disclosure.
Detailed Description
The present disclosure will be illustrated in detail hereinafter with reference to the accompanying drawings and specific examples.
As used in the description herein and throughout the claims that follow, the meaning of "a", "an", and "the" includes both the singular and plural unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of "in" includes "in" and "on" unless the context clearly dictates otherwise.
As used herein, the terms "comprising," "including," "having," "containing," "involving," and the like are to be understood to be open-ended, i.e., to mean including but not limited to. As used herein, the phrase "at least one of A, B, and C" should be construed to mean a logical (A or B or C), using a non-exclusive logical OR. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure.
Figure 1 is a schematic diagram illustrating a structure of a VPN network according to various examples of the present disclosure. As shown in Figure 1, the VPN network includes devices of operators and network devices. The devices of operators may include an AAA server, a Main server and a Backup server shown in Figure 1. The network devices mainly include VPN devices and site layer devices. The VPN devices may include Hub devices and Spoke devices. Generally, the Hub device is a center device in the VPN, e.g. a center device of route information transfer, or a center device of data transfer in a Hub-Spoke networking. The Spoke device is a gateway device of a corporation branch institution, and does not transfer data of other VPN devices. In Figure 1, the Spoke devices include Spoke1, Spoke2 and Spoke3. The site layer devices are included in a site layer, e.g. site 1 or site 2 shown in Figure 1. The VPN network shown in Figure 1 includes multiple branch VPNs, and each branch VPN includes VPN devices and site layer devices.
Figure 2 is a schematic flowchart illustrating a method for discovering a network device of a VPN network according to various examples of the present disclosure. As shown in Figure 2, the method includes the following processing.
S21, at least one current seed device in a branch VPN of a VPN network is determined.
In an example, the network devices of the VPN network are discovered by taking a branch VPN as a unit. In an example, VPN devices in the branch VPN are discovered first, and each discovered VPN device is taken as the current seed device in turn. Site layer devices in the branch VPN are discovered via a downlink port of the current seed device.
In the VPN network, different branch VPNs may be implemented by using different modes, e.g. Internet Protocol Security (IP Sec) VPN, Dynamic Virtual Private Network (DVPN), etc.
When discovering the VPN devices in the branch VPN, different discovery modes may be used according to the mode of implementing the branch VPN, and the discovered VPN devices are the determined current seed devices.
S22, a discovery operation is performed via a downlink port of each of the at least one current seed device to discover at least one network device of a next level.
In an example, the network device of the next level is the site layer device.
S23, it is determined whether all of network devices in the branch VPN are discovered. When not all of the network devices in the branch VPN are discovered, processing at S24 is performed. When all of the network devices in the branch VPN are discovered, processing at S25 is performed.
S24, each of the at least one network device of the next level is taken as the current seed device of the branch VPN, and processing at S22 is performed.
In an example, after the current seed device is determined originally, the network device of the next level, i.e., the network device discovered by the last discovery operation is determined as the current seed device. In the branch VPN, each network device may be taken as the seed device.
At S25, all of network devices discovered in the branch VPN are added to a network management system.
According to the solutions of the present disclosure, when the network devices of the branch VPN in the VPN network are discovered and added to the network management system, the network devices in the VPN network may be managed. In addition, the network devices are discovered via downlink ports level by level, the number of discovery operations is reduced, the number of determining operations performed by the network device is reduced, and thus the efficiency of discovering network devices is improved. Further, network devices of other branch VPNs are not introduced, and thus the capability of discovering the network device is improved. Moreover, the examples of the present disclosure may be applied to VPN networks of different types. For example, the above described method may still work even if different branch VPNs are implemented with different modes, e.g. Internet Protocol Security (IP Sec) VPN, Dynamic Virtual Private Network (DVPN), etc.
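The level-by-level procedure of S21 to S25 can be sketched as follows. This is an added example, not code from the patent: it also applies the two checks this page describes for the DVPN case (a site layer device whose next hop is a VPN device of another branch is skipped, and a site layer device discovered formerly is not queued again). The function name, the route-table shape and the links between the A and B devices are assumptions.

```python
from collections import deque

# Constructed topology modelled on the Figure 5 description: Spoke1 and the
# site 1 devices form the current branch; C11 sits behind Spoke2 in another
# branch. Each entry is (destination, next_hop) as seen from that device's
# downlink port. The links between A11/A12 and the B devices are assumed.
DOWNLINK_ROUTES = {
    "Spoke1": [("A11", "A11"), ("A12", "A12"), ("C11", "Spoke2")],
    "A11": [("B111", "B111"), ("B112", "B112")],
    "A12": [("B121", "B121"), ("B112", "B112")],  # B112 is reachable twice
}


def discover_branch(vpn_seeds, other_branch_vpn_devices, routes):
    """Discover one branch VPN level by level, tracking devices by identifier."""
    first_seed, first_finish = deque(vpn_seeds), []
    second_seed, second_finish = deque(), []
    discovered_formerly = set()  # site layer devices already queued
    out_of_branch = []           # devices reached via another branch's VPN device
    operations = 0               # one discovery operation per seed device

    # VPN devices as seeds: keep a site layer device only when its next hop
    # is not a VPN device of another branch VPN.
    while first_seed:
        seed = first_seed.popleft()
        operations += 1
        for dest, next_hop in routes.get(seed, []):
            if next_hop in other_branch_vpn_devices:
                out_of_branch.append(dest)
            elif dest not in discovered_formerly:
                discovered_formerly.add(dest)
                second_seed.append(dest)
        first_finish.append(seed)

    # Site layer devices as seeds: queue next-level devices not seen before.
    # An empty second seed queue means the whole branch has been discovered.
    while second_seed:
        seed = second_seed.popleft()
        operations += 1
        for dest, _next_hop in routes.get(seed, []):
            if dest not in discovered_formerly:
                discovered_formerly.add(dest)
                second_seed.append(dest)
        second_finish.append(seed)

    return {
        "first_finish": first_finish,
        "second_finish": second_finish,
        "general_discovery": first_finish + second_finish,
        "out_of_branch": out_of_branch,
        "operations": operations,
    }


if __name__ == "__main__":
    result = discover_branch(["Spoke1"], {"Spoke2"}, DOWNLINK_ROUTES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Passing an empty set of other-branch VPN devices shows what the next-hop check prevents: C11 is then queued and ends up in the list handed to the network management system.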
Figure 3 is a schematic flowchart illustrating a method for discovering a network device of a VPN network according to various examples of the present disclosure. As shown in Figure 3, the method includes the following processing.
S31, at least one current seed device in a branch VPN of the VPN network is determined.
In an example, the type of the branch VPN is Dynamic Virtual Private Network (DVPN). The branch VPN includes at least one VPN Address Management Server (VAMS), at least one VPN device and at least one site layer device. The VAMS receives register information of the VPN devices, and manages and maintains information of the VPN devices.
According to an example, a method for discovering a VPN device of a current branch VPN is shown in Figure 4.
S41, a VAMS of the current branch VPN is added to a preset first seed queue. Information is read from an address mapping table stored by the VAMS. After the information is read, the VAMS is cancelled from the first seed queue, and is added to a preset finish queue. In the example, adding a device to a certain queue and cancelling a device from a certain queue are performed based on identifier of the device, rather than the device itself. For example, when the VAMS is added to the finish queue, the identifier of the VAMS is added to the finish queue.
In an example, the address mapping table stored in the VAMS includes register information of VAM clients after the DVPN is established. The VAM client may be the Hub device or the Spoke device of the VPN network. Table 1 shows an example of the address mapping table, which at least includes private IP addresses, public IP addresses and VPN names.
[PrimaryServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip      Public-ip       Type    Holding time
10.0.1.1        192.168.1.1     Hub     0H 52M 7S
10.0.1.2        192.168.1.2     Hub     0H 47M 31S
10.0.1.3        192.168.1.3     Spoke   0H 28M 25S
10.0.1.4        192.168.1.4     Spoke   0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip      Public-ip       Type    Holding time
10.0.2.1        192.168.1.1     Hub     0H 51M 44S
10.0.2.2        192.168.1.2     Hub     0H 46M 45S
10.0.2.3        192.168.1.5     Spoke   0H 11M 25S
10.0.2.4        192.168.1.4     Spoke   0H 18M 32S
Table 1
S42, it is determined whether the read information includes unprocessed VPN information. When the read information includes unprocessed VPN information, processing at S43 is performed. When the read information does not include unprocessed VPN information, processing at S47 is performed.
The VPN information includes multiple items of address mapping information related to the current branch VPN. As shown in Table 1, each item of address mapping information includes information of the VPN device, e.g. information of a registered Hub device or Spoke device. Because all Hub devices and Spoke devices need to register in the VAMS, by reading the address mapping table stored by the VAMS, information of all registered Hub devices and Spoke devices is obtained.
S43, an item of address mapping information of the current branch VPN is read from the VPN information, and information of a VPN device is obtained from the obtained address mapping information.
In an example, information of the Hub device or Spoke device may be obtained from the address mapping information, e.g. a public address and a private address of the Hub device, or a public address and a private address of the Spoke device. In an example, the information of the VPN device may include other information obtained from the address mapping information. For example, a hub device identifier or a spoke device identifier which are used to indicate the type of the VPN device may be obtained. Further, a VPN name of the branch VPN including the VPN device may be obtained. When the VPN device belongs to multiple branch VPNs, the information of the VPN device includes multiple VPN names corresponding to the multiple branch VPNs. In addition, an identifier may be included in the information of the VPN device to indicate that the Hub device or the Spoke device is the device of the branch VPN.
In this way, the discovered network devices may be directly added to a VPN module of the network management system. Further, since the public address is unnecessary in the procedure of discovering the site layer device, the private address corresponding to the site layer device may be obtained only when obtaining the information of the VPN device.
S44, it is determined whether the VPN device is included in the first seed queue. When the VPN device is included in the first seed queue, processing at S46 is performed, when the VPN device is not included in the first seed queue, processing at S45 is performed.
S45, the VPN device is added to the first seed queue.
S46, it is determined whether each item of the address mapping information of the current branch VPN is read. When each item of the address mapping information of the current branch VPN is read, processing at S42 is performed, when not each item of the address mapping information of the current branch VPN is read, processing at S43 is performed.
S47, the discovery procedure is finished. According to the above processing, the Hub devices and the Spoke devices in the branch VPN are added to the first seed queue.
In an example, two VAMSs may be added to the first seed queue to avoid problems caused by a crash of one of the VAMSs. When there are two VAMSs, the information of the VPN device may be read from the two VAMSs by using a parallel mode. Generally, the Hub device is the device of the operator, and thus the Hub device may not be discovered in the procedure of discovering the network device.
In an example, the information of the VPN devices is read from the address mapping table stored by the VAMS randomly or according to a certain rule.
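The S41 to S47 procedure applied to the Table 1 output, as an added example that is not code from the patent or from any H3C product. It assumes the public IP address serves as the device identifier and that the output layout is exactly as in Table 1; the function names and the `include_hubs` switch are hypothetical.

```python
import ipaddress
import re

# Constructed sample: Table 1 from this page, hour field written as digit 0.
TABLE_1 = """\
[PrimaryServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip      Public-ip       Type    Holding time
10.0.1.1        192.168.1.1     Hub     0H 52M 7S
10.0.1.2        192.168.1.2     Hub     0H 47M 31S
10.0.1.3        192.168.1.3     Spoke   0H 28M 25S
10.0.1.4        192.168.1.4     Spoke   0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip      Public-ip       Type    Holding time
10.0.2.1        192.168.1.1     Hub     0H 51M 44S
10.0.2.2        192.168.1.2     Hub     0H 46M 45S
10.0.2.3        192.168.1.5     Spoke   0H 11M 25S
10.0.2.4        192.168.1.4     Spoke   0H 18M 32S
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(\d+)H\s+(\d+)M\s+(\d+)S$")


def parse_address_map(text):
    """Parse the address-map output into {vpn_name: [entry, ...]}."""
    vpns, declared, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("VPN name:"):
            current = line.split(":", 1)[1].strip()
            vpns[current] = []
        elif line.startswith("Total address-map number:"):
            declared[current] = int(line.split(":", 1)[1])
        elif current is not None:
            m = ROW.match(line)
            if not m:
                continue  # column header or unrelated line
            private, public, kind, h, mnt, s = m.groups()
            # Reject rows whose address fields are not valid IP addresses.
            ipaddress.ip_address(private)
            ipaddress.ip_address(public)
            vpns[current].append({
                "private": private, "public": public, "type": kind,
                "holding_s": int(h) * 3600 + int(mnt) * 60 + int(s),
            })
    # A truncated read would silently shrink the seed queue, so compare each
    # section against the entry count the server declared for it.
    for name, rows in vpns.items():
        if declared.get(name) != len(rows):
            raise ValueError(
                f"VPN {name}: declared {declared.get(name)}, parsed {len(rows)}")
    return vpns


def vpn_membership(vpns):
    """Map each device identifier to every VPN name it registered in."""
    members = {}
    for name, rows in vpns.items():
        for row in rows:
            members.setdefault(row["public"], []).append(name)
    return members


def first_seed_queue(vpns, vpn_name, vams_id, include_hubs=True):
    """S41 to S47 for one branch VPN: (seed_queue, finish_queue, info)."""
    seed_queue, finish_queue, info = [vams_id], [], {}
    rows = vpns.get(vpn_name, [])        # S41: read the address mapping table
    seed_queue.remove(vams_id)           # S41: the VAMS leaves the seed queue
    finish_queue.append(vams_id)         # S41: and joins the finish queue
    for row in rows:                     # S42/S43/S46: walk every mapping item
        if row["type"] == "Hub" and not include_hubs:
            continue                     # operator-owned hubs may be left out
        dev_id = row["public"]           # assumption: public IP is the identifier
        if dev_id not in seed_queue:     # S44: already queued?
            seed_queue.append(dev_id)    # S45
        info[dev_id] = row               # keeps the private address for S32
    return seed_queue, finish_queue, info
```

`vpn_membership` shows the multi-VPN case from the description: in Table 1 the device at 192.168.1.1 registers in both VPN 1 and VPN 2.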
After the processing at S31 is performed, the Hub devices and the Spoke devices of the current branch VPN are discovered and added to the first seed queue as the current seed devices, so as to automatically discover the site layer devices. Further, at S31, the VPN name corresponding to the Hub device and the Spoke device, and the public address and the private address of the Hub device and the Spoke device, are determined, and it is also determined whether each VPN device is a Hub device or a Spoke device.
S32, in the current branch VPN, a discovery operation is performed via a downlink port of each of the at least one current seed device to discover at least one network device of a next level. When the current seed device is the VPN device, the site layer devices are discovered as the network devices of the next level via the downlink port of the VPN device.
In an example, the site layer devices are discovered by using a route discovery mode. For example, according to private addresses in routes related to the downlink port of the VPN device, the site layer devices corresponding to the private addresses are discovered.
In an example, it is further determined whether a next-hop network device corresponding to each discovered site layer device is a VPN device in another branch VPN, so as to determine whether the discovered site layer device belongs to the current branch VPN. The next-hop network device corresponding to the site layer device discovered by a certain VPN device refers to a next-hop device close to the VPN device in the route from the VPN device to the discovered site layer device.
For example, the structure of branch VPNs is shown in Figure 5. The current branch VPN includes spoke1 and devices in site1, i.e. A11, A12, B111, B112 and B121. Spoke2 is included in another branch VPN and C11 is a site layer device in the another branch VPN.
If C11 is discovered via the downlink port of spoke1, the next-hop network device corresponding to C11 is spoke2 which is the VPN device of the another branch VPN. That is, when the next-hop network device corresponding to the discovered site layer device is the VPN device in the another branch VPN, the discovered site layer device does not belong to the current branch VPN.
In an example, according to the processing at S31, the VPN devices in the current branch VPN are included in the first seed queue. At S32, it may be directly determined whether the next-hop network device corresponding to the discovered site layer device is included in the first seed queue, so as to determine whether the discovered site layer device belongs to the current branch VPN.
For each discovered site layer device, when the next-hop network device corresponding to the discovered site layer device is not the VPN device in the another branch VPN, the discovered site layer device is added to a preset second seed queue. When the next-hop network device corresponding to the discovered site layer device is the VPN device in the another branch VPN, this indicates that the discovered site layer device is a site layer device of the another branch VPN, and the discovered site layer device is not processed. When each site layer device discovered via the downlink port of the VPN device is added to the second seed queue, the VPN device is cancelled from the first seed queue and is added to the first finish queue.
When the current seed device is the site layer device, the site layer devices of the next level are discovered as the network devices of the next level via the downlink port of the site layer device.
It is determined whether the discovered site layer device of the next level is one of the site layer devices discovered formerly.
For each discovered site layer device of the next level, when the discovered site layer device of the next level is not one of the site layer devices discovered formerly, the discovered site layer device of the next level is added to the second seed queue. When the discovered site layer device of the next level is one of the site layer devices discovered formerly, the discovered site layer device of the next level is not processed.
When each site layer device of the next level discovered via the downlink port of the site layer device is added to the second seed queue, the site layer device is cancelled from the second seed queue and is added to the second finish queue.
S33, it is determined whether all of the network devices in the branch VPN are discovered. When all of the network devices in the branch VPN are discovered, processing at S34 is performed. When not all of the network devices in the branch VPN are discovered, each of the discovered site layer devices of the next level is taken as the current seed device of the branch VPN, and processing at S32 is performed.
In an example, at S33, it is determined whether the second seed queue is null, so as to determine whether all of the network devices in the branch VPN are discovered. When the second seed queue is null, processing at S34 is performed. When the second seed queue is not null, each of the site layer devices in the second seed queue is taken as the current seed device of the branch VPN, and processing at S32 is performed.
In an example, when no site layer device of the next level can be discovered by the current seed device, the current seed device is cancelled from the second seed queue and is added to the second finish queue. When the second seed queue is null, it indicates that all site layer devices are discovered in the current branch VPN.
When the second seed queue is not null, each of the site layer devices in the second seed queue is taken as the current seed device, and processing at S32 is performed to discover the site layer device of the next level, until all site layer devices are discovered.
According to the processing at S32 and S33, all of the site layer devices in the branch VPN are discovered, and the information of the VPN devices in the current branch VPN is cancelled from the obtained information of the VPN devices. For example, the VPN devices in the current branch VPN are cancelled from the seed devices determined at S31.
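The level-by-level loop of S32 and S33, including the next-hop check that keeps another branch's devices out of the current branch, as an added example that is not code from the patent. The device names follow Figure 5, but the links between them, the rule that a directly attached device is its own next hop, and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed data. Each entry lists what one device learns through its
# downlink ports as (discovered_device, next_hop) pairs. The page gives only
# the device names of Figure 5; the links are assumed, and B112 is made
# reachable from both A11 and A12 to exercise the "discovered formerly" check.
DOWNLINK_ROUTES = {
    "spoke1": [("A11", "A11"), ("A12", "A12"), ("C11", "spoke2")],
    "A11": [("B111", "B111"), ("B112", "B112")],
    "A12": [("B121", "B121"), ("B112", "B112")],
    "spoke2": [("C11", "C11"), ("A11", "spoke1")],
}


def discover_branch(seed, vpn_devices, routes):
    """Run S32 and S33 for the branch VPN whose VPN device is `seed`."""
    other_branch = set(vpn_devices) - {seed}
    first_finish, second_finish, skipped = [], [], []
    second_seed, known = deque(), set()

    # S32, seed is a VPN device: accept a site layer device only when its
    # next hop is not a VPN device of another branch VPN.
    for device, next_hop in routes.get(seed, []):
        if next_hop in other_branch:
            skipped.append(device)
        elif device not in known:
            known.add(device)
            second_seed.append(device)
    first_finish.append(seed)
    operations = 1  # one discovery operation per seed device

    # S33: repeat S32 for site layer seeds until the second seed queue is empty.
    while second_seed:
        current = second_seed[0]
        for device, _next_hop in routes.get(current, []):
            if device not in known:      # skip devices discovered formerly
                known.add(device)
                second_seed.append(device)
        second_seed.popleft()            # seed leaves the second seed queue
        second_finish.append(current)    # and joins the second finish queue
        operations += 1

    return {"first_finish": first_finish, "second_finish": second_finish,
            "skipped": skipped, "operations": operations}


def discover_network(vpn_devices, routes):
    """S31 to S36 over every branch: one inventory list per VPN device."""
    inventory = {}
    for seed in vpn_devices:             # S35: next branch VPN, if any
        result = discover_branch(seed, vpn_devices, routes)
        # S34: both finish queues go to the network management system.
        inventory[seed] = result["first_finish"] + result["second_finish"]
    return inventory
```

With this data, C11 never enters spoke1's inventory and A11 never enters spoke2's, and each device is probed exactly once.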
S34, all network devices of the current branch VPN are added to the network management system.
In an example, the network devices in the first finish queue and the second finish queue may be added to a preset general discovery queue, and the network devices in the general discovery queue are added to the network management system. In another example, the network devices in the first finish queue and the network devices in the second finish queue may be added to the network management system respectively.
S35, it is determined whether the VPN network includes another branch VPN. When the VPN network includes another branch VPN, processing at S31 is performed for the another branch VPN, when the VPN network does not include another branch VPN, processing at S36 is performed.
S36, the procedure of discovering the network devices of the VPN network is finished.
When the VPN network includes multiple branch VPNs, the network devices of the multiple branch VPNs may be discovered respectively. In an example, at S35, it is determined whether the first seed queue is null. When the first seed queue is null, the procedure of discovering the network devices of the VPN network is finished. When the first seed queue is not null, processing at S31 is performed.
In an example, all network devices of the VPN network are discovered and added to the network management system, and thus all network devices of the VPN network are managed.
According to the solutions of the present disclosure, the network devices are discovered via downlink ports level by level, the number of discovery operations is reduced, and thus the efficiency and accuracy of discovering network devices are improved. Further, network devices of other branch VPNs are not introduced, and thus the capability of discovering the network devices is improved. Moreover, the examples of the present disclosure may be applied to VPN networks of different types, which makes them highly practical.
It should be noted that, although the examples of the method are described as a combination of a series of actions, the examples of the present disclosure are not limited by the sequence of the actions.
Figure 6 is a schematic diagram illustrating an apparatus for discovering a network device of a VPN network according to various examples of the present disclosure. As shown in Figure 6, the apparatus includes storage 60 and a processor 61. According to an example, the storage 60 may be non-transitory computer readable storage medium. The storage 60 stores computer readable instructions for implementing a determining module 601, a discovering module 602, a branch determining module 603, and an adding module 604. The processor 61 may execute the computer readable instructions stored in the storage 60.
The determining module 601 determines at least one current seed device in a branch VPN of a VPN network.
The discovering module 602 performs a discovery operation via a downlink port of each of the at least one current seed device to discover at least one network device of a next level.
The branch determining module 603 determines whether all of network devices in the branch VPN are discovered. When all of the network devices in the branch VPN are discovered, the adding module 604 is called. When not all of the network devices in the branch VPN are discovered, each of the at least one network device of the next level is taken as the current seed device of the branch VPN, and the discovering module 602 is called.
The adding module 604 adds all of the network devices in the branch VPN to a network management system.
When the VPN network includes another branch VPN, the storage 60 further includes computer readable instructions for implementing a networking determining module 605.
When the VPN network includes another branch VPN, the networking determining module 605 determines at least one current seed device in the another branch VPN of the VPN network, and calls the discovering module 602 to discover network devices in the another branch VPN. In an example, the network devices include VPN devices and site layer devices. The discovering module 602 may include a VPN device discovering sub-module and a site layer device discovering sub-module.
When the current seed device in the branch VPN is the VPN device, the VPN device discovering sub-module discovers at least one site layer device of the next level via a downlink port of the VPN device.
When the current seed device in the branch VPN is the site layer device, the site layer device discovering sub-module discovers at least one site layer device of the next level via a downlink port of the site layer device.
In an example, the branch VPN may include one or multiple VAMSs, the VPN device may include the Hub device and the Spoke device. The determining module 601 selects at least one VPN device in the branch VPN according to an address mapping table stored in one VAMS, and determines the selected at least one VPN device as the current seed device in the branch VPN. In an example, the determining module 601 adds one VAMS to a preset first seed queue, reads information of VPN devices from the address mapping table of the one VAMS, cancels the VAMS from the first seed queue, and adds the VAMS to a preset finish queue. The determining module 601 adds the VPN devices to the first seed queue, and takes one of the VPN devices in the first seed queue as the current seed device of the current branch VPN.
In an example, the VPN device discovering sub-module discovers the at least one site layer device of the next level via the downlink port of the VPN device, determines whether a next-hop network device corresponding to the discovered site layer device is a VPN device in another branch VPN. When the next-hop network device corresponding to the discovered site layer device is not the VPN device in the another branch VPN, the VPN device discovering sub-module determines the discovered site layer device as the site layer device of the next level.
In an example, the site layer device discovering sub-module discovers at least one site layer device of the next level via the downlink port of the site layer device, and determines whether the discovered site layer device is one of the site layer devices discovered formerly. When the discovered site layer device is not one of the site layer devices discovered formerly, the site layer device discovering sub-module determines the discovered site layer device as the site layer device of the next level. In an example, the branch determining module determines whether there is a site layer device of the next level in the branch VPN, and determines all of the network devices of the branch VPN are discovered when there is no site layer device of the next level in the current branch VPN.
According to the above description of examples, it can be clearly understood by those skilled in the art that the present disclosure can be realized as methods, systems or computer program products. Hence, the above described modules of present disclosure can be realized by hardware or software in combination with hardware platforms. In some examples the present disclosure may be implemented as a software product, and the computer software product is stored in a storage medium and includes machine readable instructions to make a computer device (such as a personal computer, a server or a network device) perform the method in embodiments of the present disclosure.
The present disclosure provides machine-readable storage medium that stores machine-readable program codes or instructions for implementing functions of any of the above examples and that may make the system or the apparatus (or CPU or MPU) read and execute the program codes stored in the storage medium. In this example, the program codes or instructions read from the storage medium may implement any one of the above examples.
The storage medium for providing the program codes or instructions may include floppy disk, hard drive, magneto-optical disk, compact disk (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape drive, Flash card, ROM and so on. Optionally, the program code or instructions may be downloaded from a server computer via a communication network.
It should be noted that, alternatively to the program codes being executed by a computer, at least part of the operations performed by the program codes may be implemented by an operating system running in a computer following instructions based on the program codes.
In addition, the program codes implemented from a storage medium may be written in a storage in an extension board inserted in the computer or in a storage in an extension unit connected to the computer. In this example, a CPU in the extension board or the extension unit may execute at least part of the operations according to the instructions based on the program codes.
What has been described and illustrated herein is an example of the disclosure along with some of its variations. The terms, descriptions and figures used herein are set forth by way of illustration only and are not meant as limitations. Many variations are possible within the spirit and scope of the disclosure, which is intended to be defined by the following claims, and their equivalents, in which all terms are meant in their broadest reasonable sense unless otherwise indicated.

Claims
1. A method for discovering a network device of a Virtual Private Network (VPN) network, comprising:
determining at least one current seed device in a branch VPN of a VPN network;
performing a discovery operation via a downlink port of each of the at least one current seed device to discover at least one network device of a next level;
determining whether all of network devices in the branch VPN are discovered;
when not all of the network devices in the branch VPN are discovered, taking each of the at least one network device of the next level as the current seed device of the branch VPN, and performing the discovery operation again;
when all of the network devices in the branch VPN are discovered, adding all of the network devices in the branch VPN to a network management system.
2. The method of claim 1, further comprising:
when the VPN network comprises another branch VPN,
determining at least one current seed device in the another branch VPN of the VPN network;
performing the discovery operation via a downlink port of each of the at least one current seed device to discover at least one network device of a next level in the another branch VPN;
determining whether all of network devices in the another branch VPN are discovered;
when not all of the network devices in the another branch VPN are discovered, taking the at least one network device of the next level as the current seed device of the another branch VPN, and performing the discovery operation again;
when all of the network devices in the another branch VPN are discovered, adding all of the network devices in the another branch VPN to the network management system.
3. The method of claim 1, wherein the network device comprises at least one VPN device and at least one site layer device.
4. The method of claim 3, wherein when the current seed device in the branch VPN is the VPN device, performing the discovery operation via the downlink port of each of the at least one current seed device to discover at least one network device of the next level comprises:
discovering at least one site layer device of the next level via a downlink port of the VPN device;
when the current seed device in the branch VPN is the site layer device, performing the discovery operation via the downlink port of each of the at least one current seed device to discover at least one network device of the next level comprises:
discovering at least one site layer device of the next level via a downlink port of the site layer device.
5. The method of claim 3, wherein determining at least one current seed device in the branch VPN of the VPN network comprises:
selecting at least one VPN device in the branch VPN according to an address mapping table stored in a VPN Address Management Server (VAMS) of the branch VPN; and
determining the at least one VPN device selected as the at least one current seed device in the branch VPN of the VPN network.
6. The method of claim 4, wherein discovering at least one site layer device of the next level via the downlink port of the VPN device comprises:
discovering at least one site layer device of the next level via the downlink port of the VPN device;
determining whether a next-hop network device corresponding to the discovered site layer device is a VPN device in another branch VPN;
determining the discovered site layer device as the site layer device of the next level, when the next-hop network device corresponding to the discovered site layer device is not the VPN device in the another branch VPN.
7. The method of claim 4, wherein discovering at least one site layer device of the next level via the downlink port of the site layer device comprises:
discovering at least one site layer device of the next level via the downlink port of the site layer device;
determining whether the discovered site layer device is one of site layer devices discovered formerly;
determining the discovered site layer device as the site layer device of the next level, when the discovered site layer device is not one of the site layer devices discovered formerly.
8. The method of claim 4, wherein determining whether all of the network devices in the branch VPN are discovered comprises:
determining whether there is a site layer device of the next level in the branch VPN, and determining all of the network devices of the branch VPN are discovered when there is no site layer device of the next level in the branch VPN.
9. An apparatus for discovering a network device of a Virtual Private Network (VPN) network, comprising:
a determining module, to determine at least one current seed device in a branch VPN of a VPN network;
a discovering module, to perform a discovery operation via a downlink port of each of the at least one current seed device to discover at least one network device of a next level;
a branch determining module, to determine whether all of network devices in the branch VPN are discovered; when all of the network devices in the branch VPN are discovered, call an adding module; when not all of the network devices in the branch VPN are discovered, take each of the at least one network device of the next level as the current seed device of the branch VPN and call the discovering module; and
the adding module, to add all of the network devices in the branch VPN to a network management system.
10. The apparatus of claim 9, further comprising:
a networking determining module, when the VPN network comprises another branch VPN, to determine at least one current seed device in the another branch VPN of the VPN network, call the discovering module to discover network devices in the another branch VPN.
11. The apparatus of claim 9, wherein the network device comprises at least one VPN device and at least one site layer device.
12. The apparatus of claim 11, wherein the discovering module comprises:
a VPN device discovering sub-module, to discover at least one site layer device of the next level via a downlink port of the VPN device, when the current seed device in the branch VPN is the VPN device;
a site layer device discovering sub-module, to discover at least one site layer device of the next level via a downlink port of the site layer device, when the current seed device in the branch VPN is the site layer device.
13. The apparatus of claim 12, wherein
the VPN device discovering sub-module is to discover at least one site layer device of the next level via the downlink port of the VPN device; determine whether a next-hop network device corresponding to the discovered site layer device is a VPN device in another branch VPN; determine the discovered site layer device as the site layer device of the next level when the next-hop network device corresponding to the discovered site layer device is not the VPN device in the another branch VPN.
14. The apparatus of claim 12, wherein
the site layer device discovering sub-module is to discover at least one site layer device of the next level via the downlink port of the site layer device, determine whether the discovered site layer device is one of site layer devices discovered formerly; determine the discovered site layer device as the site layer device of the next level when the discovered site layer device is not one of the site layer devices discovered formerly.
15. The apparatus of claim 11, wherein
the branch determining module is to determine whether there is a site layer device of the next level in the branch VPN, and determine all of the network devices of the branch VPN are discovered when there is no site layer device of the next level in the branch VPN.
PCT/CN2014/082195 2013-07-18 2014-07-15 Discovery of network device of a vpn network WO2015007196A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310308716.3A CN104301192B (en) 2013-07-18 2013-07-18 A kind of network equipment discovery method and device of VPN networking
CN201310308716.3 2013-07-18

Publications (1)

Publication Number Publication Date
WO2015007196A1 (en) 2015-01-22

Family

ID=52320769

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/082195 WO2015007196A1 (en) 2013-07-18 2014-07-15 Discovery of network device of a vpn network

Country Status (2)

Country Link
CN (1) CN104301192B (en)
WO (1) WO2015007196A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11924004B2 (en) * 2018-03-28 2024-03-05 Huawei Technologies Co., Ltd. Link configuration method and controller

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114845351A (en) * 2015-06-02 2022-08-02 利维帕尔森有限公司 Method, system and computer program product for dynamic communication routing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102231A (en) * 2007-08-20 2008-01-09 杭州华三通信技术有限公司 An automatic discovery method and device of PPP link routing device
US20100014424A1 (en) * 2008-07-18 2010-01-21 International Business Machines Corporation Discovering network topology from routing information
CN102387037A (en) * 2011-10-18 2012-03-21 四川九州电子科技股份有限公司 Topology discovery method, device and system of broadcast television network equipment
CN102801567A (en) * 2012-08-28 2012-11-28 北京傲天动联技术有限公司 Method for automatically discovering hierarchical network topology and method for establishing hierarchical network topology

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1254059C (en) * 2002-12-10 2006-04-26 华为技术有限公司 Method of realizing special multiple-protocol label exchanging virtual network
CN1558615A (en) * 2004-01-14 2004-12-29 中国科学院计算技术研究所 A physical network topological discovering system and method thereof
CN101702656B (en) * 2009-11-11 2011-11-30 北京神州泰岳软件股份有限公司 Discovery method of network topology based on MPLS-VPN
CN102325072B (en) * 2011-05-17 2013-12-11 杭州华三通信技术有限公司 Method for automatically discovering VPN (Virtual Private Network) and equipment
CN103209108B (en) * 2013-04-10 2016-03-02 杭州华三通信技术有限公司 A kind of route generating method based on DVPN and equipment

Also Published As

Publication number Publication date
CN104301192B (en) 2019-06-11
CN104301192A (en) 2015-01-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14825762

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14825762

Country of ref document: EP

Kind code of ref document: A1