WO2016107261A1 - VPN service access method and network device - Google Patents

VPN service access method and network device

Info

Publication number
WO2016107261A1
Authority
WO
WIPO (PCT)
Prior art keywords
edge device
port
vpn
vpn tunnel
user site
Application number
PCT/CN2015/093091
Inventor
于德雷
赖晓
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks

Definitions

  • The present invention relates to communication technologies, and in particular to a VPN service access method and a network device.
  • A virtual private network (VPN) is a technology for constructing private networks on a public data network. These private networks are isolated from each other, and data of one private network is not transmitted to another private network. For user sites to transmit data to each other over a VPN, each user site must first access the VPN service.
  • The current practice for connecting user sites to a VPN service is that the operator and the user manually negotiate all the user sites that need to access the VPN service, and then manually configure the edge device connected to each of those user sites, thereby connecting each user site to the VPN service.
  • Because the edge device connected to a user site must be configured when that user site accesses the VPN service, resources of the edge device are inevitably occupied. In the foregoing access mode, the user site cannot access the VPN service on demand; that is, even if the user site cannot transmit data after accessing the VPN service, the operator still connects the user site to the VPN service, which wastes resources.
  • The technical problem to be solved by the present invention is to provide a VPN service access method and a network device that allow a user site to access the VPN service on demand, thereby reducing resource waste.
  • The present invention provides a method for accessing a virtual private network (VPN) service, including:
  • The network device configures the first edge device and a second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
  • The network device configuring the first edge device and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service, includes:
  • The network device deploys a first VPN tunnel from the first edge device to the second edge device, and deploys a second VPN tunnel from the second edge device to the first edge device, where the head end of the first VPN tunnel is associated with the first port, the tail end of the first VPN tunnel is associated with the second port, the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port. The first port is the port on the first edge device that is connected to the first user site, and the second port is the port on the second edge device that is connected to the second user site.
  • The method further includes:
  • The network device deploys a third VPN tunnel from the first edge device to the third edge device, and deploys a fourth VPN tunnel from the third edge device to the first edge device, where the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with the third port, the head end of the fourth VPN tunnel is associated with the third port, and the tail end of the fourth VPN tunnel is associated with the first port. The third port is the port on the third edge device that is connected to the third user site;
  • The network device deploys a fifth VPN tunnel from the second edge device to the third edge device, and deploys a sixth VPN tunnel from the third edge device to the second edge device, where the head end of the fifth VPN tunnel is associated with the second port, the tail end of the fifth VPN tunnel is associated with the third port, the head end of the sixth VPN tunnel is associated with the third port, and the tail end of the sixth VPN tunnel is associated with the second port.
  • The method further includes:
  • The network device allocates a VPN tunnel identifier to the VPN service;
  • The network device deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device includes:
  • The network device sends a first configuration parameter to the first edge device, where the first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device;
  • The network device sends a second configuration parameter to the second edge device, where the second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
  • The network device deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device includes:
  • The network device sends a request for deploying the first VPN tunnel and the second VPN tunnel to a controller, where the request includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
  • The method further includes:
  • The network device revokes the first VPN tunnel and the second VPN tunnel.
  • The method further includes:
  • The network device sends the related information to the charging device.
  • The first access request further includes the account with which the first user site requests access to the VPN service;
  • The method further includes:
  • The network device deploying the first VPN tunnel from the first edge device to the second edge device includes:
  • The network device deploys the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
  • The method further includes:
  • After receiving the first access request, the network device stores information indicating that the first user site requests access to the VPN service;
  • The network device determining that the second user site requests to access the VPN service includes:
  • The network device determines that information indicating that the second user site requests access to the VPN service is stored.
  • After receiving the online request of the first user site, the first edge device sends the first access request to the network device.
  • The present invention provides a network device, including:
  • A receiving unit, configured to receive a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the virtual private network (VPN) service;
  • A processing unit, configured to: when the receiving unit receives the first access request, determine that a second user site requests access to the VPN service, and configure the first edge device and a second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
  • The processing unit is specifically configured to deploy a first VPN tunnel from the first edge device to the second edge device, and deploy a second VPN tunnel from the second edge device to the first edge device, where the head end of the first VPN tunnel is associated with the first port, the tail end of the first VPN tunnel is associated with the second port, the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port. The first port is the port on the first edge device that is connected to the first user site, and the second port is the port on the second edge device that is connected to the second user site.
  • The receiving unit is further configured to receive a second access request sent by the third edge device, where the second access request is used to request that the third user site connected to the third edge device access the VPN service;
  • The processing unit is further configured to: when the receiving unit receives the second access request, determine that the first user site and the second user site access the VPN service, and deploy a third VPN tunnel from the first edge device to the third edge device, a fourth VPN tunnel from the third edge device to the first edge device, a fifth VPN tunnel from the second edge device to the third edge device, and a sixth VPN tunnel from the third edge device to the second edge device;
  • The head end of the third VPN tunnel is associated with the first port;
  • The tail end of the third VPN tunnel is associated with the third port;
  • The head end of the fourth VPN tunnel is associated with the third port;
  • The tail end of the fourth VPN tunnel is associated with the first port;
  • The head end of the fifth VPN tunnel is associated with the second port;
  • The tail end of the fifth VPN tunnel is associated with the third port;
  • The head end of the sixth VPN tunnel is associated with the third port;
  • The tail end of the sixth VPN tunnel is associated with the second port;
  • The third port is the port on the third edge device that is connected to the third user site.
  • The network device further includes a sending unit;
  • The processing unit is further configured to allocate a VPN tunnel identifier for the VPN service;
  • When deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send, by using the sending unit, the first configuration parameter to the first edge device, and to send, by using the sending unit, the second configuration parameter to the second edge device;
  • The first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device;
  • The second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
  • The network device further includes a sending unit;
  • When deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send, by using the sending unit, a request for deploying the first VPN tunnel and the second VPN tunnel to the controller, where the request includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
  • The receiving unit is further configured to receive a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site exit the VPN service, and the second exit request is used to request that the second user site exit the VPN service;
  • The processing unit is further configured to: when the receiving unit receives the first exit request or the second exit request, revoke the deployed first VPN tunnel and second VPN tunnel.
  • The network device further includes a sending unit;
  • The processing unit is further configured to acquire related information used to indicate the deployment time of the first VPN tunnel and the second VPN tunnel;
  • The sending unit is configured to send the related information to a charging device.
  • The first access request further includes the account with which the first user site requests access to the VPN service;
  • The processing unit is further configured to acquire the quality of service (QoS) corresponding to the account;
  • The processing unit is specifically configured to deploy the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
  • The processing unit is further configured to: when the receiving unit receives the first access request, store information indicating that the first user site requests access to the VPN service;
  • The processing unit is specifically configured to determine that information indicating that the second user site requests access to the VPN service is stored.
  • The first edge device is a device configured to send the first access request to the network device after receiving the online request of the first user site.
  • When the network device in the present invention receives the first access request requesting that the first user site access the VPN service, it does not connect the first user site to the VPN service directly. Instead, it first determines that a second user site different from the first user site requests to access the VPN service, that is, that the first user site will be able to transmit data with the second user site after accessing the VPN service. It then configures the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect both user sites to the VPN service. In other words, the first user site and the second user site are connected to the VPN service only once it is determined that the first user site can transmit data with the second user site after access. The first user site thus accesses the VPN service on demand, which avoids, as far as possible, occupying resources of the first edge device while the first user site cannot transmit data. Resource waste is therefore reduced.
  • FIG. 1 is a schematic flow chart of an embodiment of a method provided by the present invention.
  • FIG. 3 is a schematic flow chart of another method embodiment provided by the present invention.
  • FIG. 5 shows a specific path of the first VPN tunnel acquired by the controller.
  • FIG. 6 is a schematic structural diagram of an apparatus embodiment of a network device according to the present invention.
  • FIG. 7 is a schematic structural diagram of another apparatus embodiment of a network device according to the present invention.
  • FIG. 8 is a schematic structural diagram of another apparatus embodiment of a network device according to the present invention.
  • To enable data transmission between a user's sites over a VPN, each user site must first be connected to the VPN service.
  • The user site is a user-side device.
  • Each user site is connected to an edge device of the carrier through a physical connection.
  • The edge devices of the carrier can transmit data to each other through the backbone network.
  • The current practice of connecting a user site to a VPN service is that the operator and the user manually negotiate all the user sites that need to access the VPN service. Once all the user sites are determined, the edge device connected to each of the user sites is manually configured, so as to connect each of the user sites to the VPN service.
  • The inventor has found that the edge device connected to a user site needs to be configured when the user site accesses the VPN service, which inevitably occupies resources of the edge device.
  • In this mode of accessing the VPN service, even if the user site cannot transmit data after accessing the VPN service, the operator still connects the user site to the VPN service.
  • As a result, the resources of the edge device connected to the user site are occupied while the user site cannot transmit data, which wastes resources.
  • This is illustrated by an example. Assume that there are three user sites: user site 01, user site 02, and user site 03.
  • A VPN service access method and a network device are provided so that a user site can access a VPN service on demand, thereby reducing resource waste.
  • An embodiment of the present invention provides an embodiment of a method for accessing a VPN service.
  • FIG. 2 is only an exemplary description, and its specific structure does not limit the embodiment of the present invention.
  • The first edge device and the second edge device are edge devices of the operator and are connected through a backbone network.
  • The first edge device is connected to the first user site by means of a physical connection.
  • The first user site may also be described as being attached to the first edge device.
  • The first port, which connects the first edge device to the first user site, may be referred to as the access port of the first user site.
  • The second edge device is connected to the second user site, and the second port, which connects the second edge device to the second user site, may be referred to as the access port of the second user site.
  • The VPN data of the first user site and the second user site needs to be transmitted through the first edge device, the backbone network, and the second edge device.
  • The solid line indicates a physical connection.
  • The broken line indicates a logical relationship, that is, what the devices exchange is control information.
  • 101. The network device receives the first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
  • When the first edge device determines that the first user site needs to access the VPN service, for example after receiving an online request of the first user site, the first edge device sends the first access request to the network device.
  • This embodiment may further include: after receiving the online request of the first user site, the first edge device sends the first access request to the network device.
  • The user may apply for the VPN service in advance; for example, the user may apply for the VPN service on the website of the operator.
  • The VPN service may correspond to one registered account, or may correspond to multiple registered accounts.
  • The network device saves the correspondence between the opened VPN service and the registered account.
  • The user may send an online request including the registered account to the first edge device. The first edge device determines, according to the registered account in the online request, that the first user site needs to access the VPN service, and therefore sends the first access request to the network device.
  • The first edge device may further send the registered account to the authentication device for authentication, and send the first access request only after the authentication is passed.
  • The first access request may include an identifier of the first user site and an identifier of the VPN service.
  • The identifier of the first user site may specifically be the port identifier of the first port.
  • The identifier of the VPN service may specifically be allocated by the network device.
  • The first access request may be carried in the billing CC information sent to the network device.
  • 102. The network device determines that the second user site requests to access the VPN service.
  • The second user site is a user site different from the first user site.
  • After receiving the first access request, the network device does not connect the first user site to the VPN service directly, but further determines whether a second user site different from the first user site accesses the VPN service; if so, the network device determines that the second user site requests to access the VPN service.
  • The network device determining that the second user site requests access to the VPN service indicates that both the first user site and the second user site request to access the VPN service. After the first user site and the second user site access the VPN service, the first user site can transmit data with the second user site.
  • The second user site refers to any user site different from the first user site. That is, when the network device determines that any user site different from the first user site accesses the VPN service, that user site is used as the second user site.
  • 103. The network device configures the first edge device and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
  • Because the network device determines that the second user site, different from the first user site, requests to access the VPN service, it can further be determined that the first user site can transmit data with the second user site after accessing the VPN service. The first edge device and the second edge device are therefore configured to connect the first user site and the second user site to the VPN service.
  • This embodiment further includes: if the network device determines that no user site other than the first user site accesses the VPN service, so that the first user site could not transmit data after accessing the VPN service, 103 may be skipped and the process of this embodiment may end directly. After a preset period, the network device may again determine whether a second user site different from the first user site accesses the VPN service.
  • When the network device in the embodiment of the present invention receives the first access request requesting that the first user site access the VPN service, it does not connect the first user site to the VPN service directly. Instead, it determines that the second user site, different from the first user site, requests to access the VPN service, that is, that the first user site will be able to transmit data with the second user site after accessing the VPN service, and then configures the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
  • The first user site and the second user site are thus connected to the VPN service only when the first user site can transmit data after access. That is, the first user site accesses the VPN service on demand, which avoids, as far as possible, occupying resources of the first edge device while the first user site cannot transmit data. Resource waste is therefore reduced.
  • The network device may be a device with a collaborative management function, such as a collaboration device, an orchestrator device, or a network management device.
  • The first edge device and the second edge device may be broadband network gateways (BNG).
  • CPE: user premises equipment.
  • After receiving the first access request sent by the first edge device, the network device may further store information indicating that the first user site requests access to the VPN service, for example by storing a correspondence between the VPN service and the port identifier of the first port. When an access request sent by another edge device is received later, the network device can determine from the stored information that the first user site accesses the VPN service. Accordingly, the network device determining in 102 that the second user site requests to access the VPN service includes: the network device determines that information indicating that the second user site requests access to the VPN service is stored.
  • When the network device receives the first access request and determines that the second user site requests access to the VPN service, it configures the first edge device and the second edge device so as to connect the first user site and the second user site to the VPN service.
  • The network device may configure the first edge device and the second edge device in either of two manners.
  • In the first configuration manner, the first user site and the second user site access the VPN service independently; that is, each user site accessing the VPN service is unaware of the other user sites that access the VPN service.
  • In the second configuration manner, the first user site and the second user site are connected to the VPN service by deploying a VPN tunnel between the first user site and the second user site.
  • The two configuration manners are described below.
  • First configuration manner: the network device may configure the first edge device and the second edge device separately, so that the first user site and the second user site access the VPN service independently.
  • The network device sends a configuration parameter to the first edge device. The configuration parameter includes only the parameters for connecting the first user site to the VPN service, for example the port identifier of the first port, and does not include configuration parameters associated with the second user site.
  • The port identifier of the first port may be obtained from the first access request.
  • The network device may further send, to the first edge device, a first route target (RT) and a first route distinguisher (RD) allocated by the network device to the first user site.
  • The configuration parameter sent by the network device to the second edge device includes only the parameters for connecting the second user site to the VPN service, for example the port identifier of the second port, and does not include configuration parameters related to the first user site.
  • The port identifier of the second port may be obtained from the access request used to request that the second user site access the VPN service.
  • The network device may further send, to the second edge device, a second RT and a second RD allocated by the network device to the second user site.
  • According to the configuration parameters sent by the network device, the first edge device and the second edge device then connect the first user site and the second user site, respectively and independently, to the VPN service.
  • Second configuration manner: in some scenarios, for example when the VPN service the user applies for is of a point-to-point service type, the second configuration manner may be adopted; that is, the user sites are connected to the VPN service by deploying a VPN tunnel between the first edge device and the second edge device. This is described below by way of an embodiment.
  • An embodiment of the present invention provides another embodiment of the method for accessing a VPN service. Unlike the other embodiments, this embodiment focuses on accessing the VPN service by deploying a VPN tunnel between the first edge device and the second edge device.
  • The method of this embodiment includes 301 to 303. 301 and 302 are similar to 101 and 102 of the embodiment shown in FIG. 1, so they are described only briefly; for related details, see that embodiment. This embodiment focuses on 303.
  • 301. The network device receives a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
  • 302. The network device determines that the second user site requests access to the VPN service, where the second user site is a user site different from the first user site.
  • 303. The network device deploys a first VPN tunnel from the first edge device to the second edge device, and deploys a second VPN tunnel from the second edge device to the first edge device.
  • The head end of the first VPN tunnel is associated with the first port, the tail end of the first VPN tunnel is associated with the second port, the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port.
  • The first port is the port on the first edge device that is connected to the first user site, that is, the access port of the first user site. The second port is the port on the second edge device that is connected to the second user site, that is, the access port of the second user site.
  • Associating the head end of the first VPN tunnel with the first port may specifically mean that the mapping relationship between the first port and the first VPN tunnel is stored on the first edge device, so that the first edge device transmits the data received from the first port through the first VPN tunnel according to the mapping relationship.
  • Associating the tail end of the first VPN tunnel with the second port may specifically mean that the mapping relationship between the second port and the first VPN tunnel is stored on the second edge device, so that the second edge device outputs the data transmitted by the first VPN tunnel to the second port according to the mapping relationship.
  • Associating the head end of the second VPN tunnel with the second port and the tail end of the second VPN tunnel with the first port may be implemented in the same manner, and details are not repeated here.
  • after receiving the first access request, the network device does not directly connect the first user site to the VPN service, but determines whether the second user site requests access to the VPN service; if so, the network device has actually acquired two user sites that access the VPN service, and may connect the two user sites to the VPN service by deploying the first VPN tunnel and the second VPN tunnel.
  • an implementation of the second configuration manner is described here, that is, the first VPN tunnel and the second VPN tunnel are deployed between the first edge device and the second edge device, so that the first user site and the second user site are connected to the VPN service.
  • the first VPN tunnel and the second VPN tunnel are point-to-point VPN tunnels between the first user site and the second user site; thus, compared with the first configuration manner, in which the first user site and the second user site are connected to the VPN service independently, the second configuration manner does not need automatic site discovery, so no complicated discovery protocol needs to be run, the requirements on the edge devices are lower, and the error rate is lower.
  • VPN tunnels may be deployed between the edge device connected to another user site and the first edge device and the second edge device, respectively.
  • the specific implementation manner is that the network device receives a second access request sent by the third edge device, where the second access request is used to request that the third user site connected to the third edge device access the VPN service; the network device determines that the first user site and the second user site access the VPN service; and the network device deploys a third VPN tunnel from the first edge device to the third edge device, and a fourth VPN tunnel from the third edge device to the first edge device, where the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with the third port, the head end of the fourth VPN tunnel is associated with the third port, the tail end of the fourth VPN tunnel is associated with the first port, and the third port is the port connected to the third user site on the third edge device; the network device deploys a fifth VPN tunnel from the second edge device to the third edge device, and a sixth VPN tunnel from the third edge device to the second edge device, where the head end of the fifth VPN tunnel is associated with the second port, and a tail end of the fifth VPN
  • for the specific manner in which a port is associated with the head end or the tail end of a tunnel, refer to the foregoing description of how the head end of the first VPN tunnel is associated with the first port and how the tail end of the second VPN tunnel is associated with the second port. Details are not repeated here.
  • the network device may deploy the first VPN tunnel and the second VPN tunnel by directly configuring the first edge device and the second edge device, for example, by sending configuration parameters to the first edge device and the second edge device.
  • the network device may further configure the first edge device and the second edge device indirectly, for example, by sending a request to other devices, and deploying the first VPN tunnel and the second VPN tunnel by other devices. The following are explained separately.
  • the embodiment may further include: the network device assigning a VPN tunnel identifier to the VPN service.
  • 303 of the present embodiment includes 3031 and 3032.
  • the VPN tunnel identifier is used to uniquely represent the VPN tunnel.
  • the VPN tunnel refers to a VPN tunnel for carrying VPN services, for example, an MPLS LSP tunnel, an MPLS TE tunnel, an L2TP tunnel, a GRE tunnel, an IPSEC tunnel, and the like, which are not limited in this embodiment of the present invention.
  • the network device sends a first configuration parameter to the first edge device, where the first configuration parameter includes: the VPN tunnel identifier, a port identifier of the first port, and the device identifier of the second edge device.
  • the device identifier of the second edge device may specifically be an IP address of the second edge device.
  • the network device sends a second configuration parameter to the second edge device, where the second configuration parameter includes: the VPN tunnel identifier, a port identifier of the second port, and the device identifier of the first edge device.
  • the device identifier of the first edge device may specifically be an IP address of the first edge device.
  • the first configuration parameter sent to the first edge device includes a configuration parameter related to the second user site: the device identifier of the second edge device; the second configuration parameter sent to the second edge device includes a configuration parameter related to the first user site: the device identifier of the first edge device.
  • the first edge device and the second edge device deploy the first VPN tunnel and the second VPN tunnel according to the first configuration parameter and the second configuration parameter; any current VPN tunnel deployment mode may be used, which is not limited here.
  • the network device may further send, to the first edge device, a first RT and a first RD allocated for the first user site, and send the first RD to the second edge device.
  • 303 of the embodiment may include: the network device sending, to the controller 401, a request for deploying the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device, where the request for deploying the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
  • the request for deploying the first VPN tunnel and the second VPN tunnel may further include an identifier of the VPN service.
  • the controller 401 deploys the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device according to the request.
  • when deploying the first VPN tunnel and the second VPN tunnel, the controller 401 may obtain, according to the device identifier of the first edge device and the device identifier of the second edge device, the specific paths of the first VPN tunnel and the second VPN tunnel, that is, the path devices of the first VPN tunnel and the second VPN tunnel.
  • the controller 401 can be an SDN controller.
  • the forwarding entry may include a label allocated by the controller 401 and an output port.
  • the manner in which the first VPN tunnel is deployed is illustrated by a specific example.
  • the path devices of the first VPN tunnel acquired by the controller 401 include: BNG1, Router1, Router2, and BNG2.
  • the BNG1 and the BNG2 are the first edge device and the second edge device, respectively.
  • the request sent by the network device to the controller 401 is:
  • the forwarding entry sent by the controller 401 to the BNG1 is:
  • the forwarding entry sent by the controller 401 to the Router1 is:
  • the forwarding entry sent by the controller 401 to the Router 2 is:
  • the forwarding entry sent by the controller 401 to the BNG2 is:
  • port 1 is the first port, port 2 is the second port, port 3 and port 4 are the ports connecting BNG1 and Router1, port 5 and port 6 are the ports connecting Router1 and Router2, and port 7 and port 8 are the ports connecting Router2 and BNG2.
  • the forwarding entry is delivered to each of the path devices, so that the first VPN tunnel is deployed between the first edge device and the second edge device.
  • the path devices include the first edge device and the second edge device.
  • the deployment manner of the second VPN tunnel is similar to that of the first VPN tunnel, and details are not described herein again.
  • the VPN service may correspond to one or more accounts, and each account may correspond to a different QoS. Therefore, when the first VPN tunnel is deployed, the QoS corresponding to the account may also be used.
  • the first access request further includes an account that the first user station requests to access the VPN service; the embodiment may further include: the network device acquiring a QoS corresponding to the account; the network The device deploying the first VPN tunnel from the first edge device to the second edge device includes: the network device deploying from the first edge device to the second edge device based on QoS corresponding to the account The first VPN tunnel.
  • the account of the second user site requesting access to the VPN service may be further obtained, and the second VPN tunnel is deployed according to the QoS corresponding to the account.
  • the first VPN tunnel and the second VPN tunnel that are ultimately deployed may have different QoS.
  • bandwidth may be reserved for the first VPN tunnel and the second VPN tunnel, and when the first user site or the second user site needs to exit the VPN service, for example, when the first user site or the second user site requests to go offline, the first VPN tunnel and the second VPN tunnel may further be revoked to release the bandwidth reserved for the first VPN tunnel and the second VPN tunnel.
  • the network device receives a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request the first user The site exits the VPN service, and the second exit request is used to request that the second user site exit the VPN service; the network device revokes deployment between the first edge device and the second edge device The first VPN tunnel and the second VPN tunnel.
  • charging is generally performed according to the QoS of the opened VPN service; charging may also be performed according to the deployment time of the first VPN tunnel and the second VPN tunnel, that is, the actual time for which the first user site accesses the VPN service.
  • the embodiment further includes: the network device acquiring related information for indicating a deployment time of the first VPN tunnel and the second VPN tunnel; and the network device sending the related information to the charging device. The charging device may obtain the deployment time of the first VPN tunnel and the second VPN tunnel according to the related information, so as to perform charging according to the deployment time.
  • the related information may be the deployment time of the first VPN tunnel and the second VPN tunnel, or may be the moment at which the first VPN tunnel and the second VPN tunnel are deployed and the moment at which they are revoked, in which case the charging device calculates the deployment time of the first VPN tunnel and the second VPN tunnel according to the two moments.
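The on-demand procedure described above (store the first access request, deploy the tunnel pair only once a second site requests the same VPN service, mesh in a third site, revoke on exit and report the two moments for charging) can be followed in this added Python example, which is not part of the patent text. The class, method and field names, and the use of one tunnel identifier per pair of sites, are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Site:
    edge_id: str  # device identifier of the edge device, e.g. its IP address
    port_id: str  # identifier of the access port the user site is connected to


@dataclass
class Tunnel:
    tunnel_id: int
    head: Site  # data received on head.port_id is sent through the tunnel
    tail: Site  # data leaving the tunnel is output on tail.port_id
    deployed_at: float
    revoked_at: Optional[float] = None


class NetworkDevice:
    """Hypothetical model of the coordinating network device."""

    def __init__(self):
        self._ids = count(1)
        self.requests = {}  # VPN service -> sites whose access request is stored
        self.tunnels = {}   # VPN service -> every tunnel deployed so far
        self.sent = []      # (edge device, configuration parameter), in order
        self.charging = []  # (tunnel_id, deployed_at, revoked_at) records

    def access_request(self, vpn, site, now):
        """Handle an access request; return the tunnels deployed because of it."""
        stored = self.requests.setdefault(vpn, [])
        peers = [s for s in stored if s != site]
        if site not in stored:
            stored.append(site)
        deployed = []
        # With no peer the request is only stored: no edge resources are used.
        for peer in peers:
            tunnel_id = next(self._ids)  # assumption: one identifier per pair
            for local, remote in ((peer, site), (site, peer)):
                # Configuration parameter: tunnel identifier, local port
                # identifier, device identifier of the peer edge device.
                self.sent.append((local.edge_id, {
                    "tunnel_id": tunnel_id,
                    "port_id": local.port_id,
                    "peer_device": remote.edge_id,
                }))
                deployed.append(Tunnel(tunnel_id, local, remote, now))
        self.tunnels.setdefault(vpn, []).extend(deployed)
        return deployed

    def exit_request(self, vpn, site, now):
        """Revoke every active tunnel that starts or ends at the exiting site."""
        stored = self.requests.get(vpn, [])
        if site in stored:
            stored.remove(site)
        revoked = []
        for tunnel in self.tunnels.get(vpn, []):
            if tunnel.revoked_at is None and site in (tunnel.head, tunnel.tail):
                tunnel.revoked_at = now
                # Related information for the charging device: the two moments.
                self.charging.append((tunnel.tunnel_id, tunnel.deployed_at, now))
                revoked.append(tunnel)
        return revoked

    def active(self, vpn):
        return [t for t in self.tunnels.get(vpn, []) if t.revoked_at is None]


def deployment_time(record):
    """Charging-device side: deployment time computed from the two moments."""
    _, deployed_at, revoked_at = record
    return revoked_at - deployed_at


if __name__ == "__main__":
    # Constructed sample sites; the addresses and port names are made up.
    nd = NetworkDevice()
    first = Site("10.0.0.1", "port1")
    second = Site("10.0.0.2", "port2")
    print(nd.access_request("vpn-1", first, now=0.0))   # [] : nothing deployed
    print(nd.access_request("vpn-1", second, now=10.0))  # first and second tunnel
    nd.exit_request("vpn-1", first, now=50.0)
    print([deployment_time(r) for r in nd.charging])
```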
  • an embodiment of the present invention provides an apparatus embodiment of a network device 600.
  • FIG. 2 is only an exemplary description, and the specific structure thereof does not limit the embodiment of the present invention.
  • the network device is connected to the first edge device and the second edge device, and the first edge device and the second edge device belong to an edge device of the operator, and are connected through a backbone network.
  • the first edge device is connected to the first user site by means of a physical connection.
  • the second edge device is connected to the second user site by being physically connected.
  • the network device 600 of this embodiment includes: a receiving unit 601 and a processing unit 602.
  • the receiving unit 601 is configured to receive a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
  • when the first edge device determines that the first user site needs to access the VPN service, for example, after receiving an online request of the first user site, the first edge device sends the first access request to the network device 600.
  • the first edge device may be a device that sends the first access request to the network device 600 after receiving an online request of the first user site.
  • the user may apply for the VPN service in advance, for example, the user may apply for the VPN service on the website of the operator.
  • the VPN service may correspond to one registered account, or may correspond to multiple registered accounts.
  • the network device 600 saves the correspondence between the opened VPN service and the registered account.
  • the user may send an online request including the registered account to the first edge device, and the first edge device determines, according to the registered account in the online request, that the first user site needs to access the VPN service, thereby transmitting the first access request to the network device 600.
  • the first edge device may further send the registration account to the authentication device for authentication, and then send the first access request after the authentication is passed.
  • the first access request may include an identifier of the first user site and an identifier of the VPN service.
  • the identifier of the first user site may specifically be a port identifier of the first port.
  • the identifier of the VPN service may be specifically allocated by the network device 600.
  • the processing unit 602 is configured to determine, when the receiving unit 601 receives the first access request, that the second user station requests to access the VPN service.
  • the second user site is a user site different from the first user site.
  • the processing unit 602 does not directly connect the first user site to the VPN service, but further determines whether the second user site that is different from the first user site accesses the VPN service, and if yes, the processing unit 602 determines that the second user site requests to access the VPN service.
  • when the processing unit 602 determines that the second user site requests to access the VPN service, the first user site and the second user site both request to access the VPN service, and after the first user site and the second user site are connected to the VPN service, the first user site is capable of transmitting data with the second user site.
  • the second user site refers to any user site different from the first user site. That is, the processing unit 602 is specifically configured to determine that any user site different from the first user site accesses the VPN service, and use any one of the user sites as the second user site.
  • the processing unit 602 is further configured to: when determining that the second user site requests access to the VPN service, configure the first edge device and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
  • when the processing unit 602 determines that the second user site different from the first user site requests to access the VPN service, it can further be determined that the first user site can transmit data with the second user site, so the first edge device and the second edge device are configured to connect the first user site and the second user site to the VPN service.
  • the processing unit 602 is further configured to: if it is determined that no user site other than the first user site accesses the VPN service, in which case the first user site cannot transmit data after accessing the VPN service, not connect the first user site to the VPN service; the processing unit 602 may end the work, or may re-determine after a preset period whether a second user site different from the first user site accesses the VPN service.
  • the processing unit 602 does not directly connect the first user site to the VPN service; instead, when determining that the second user site different from the first user site requests access to the VPN service, that is, when the first user site can access the VPN service and can transmit data with the second user site, it configures the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service. It can be seen that the first user site and the second user site are connected to the VPN service only when it is determined that the first user site can access the VPN service and can transmit data with the second user site, that is, the first user site accesses the VPN service on demand, so as to avoid the situation that the resources of the first edge device are occupied but the first user site cannot transmit data, thereby reducing resource waste.
  • the network device 600 may be a device with a collaborative management function, such as a collaboration device, an orchestration device, and a network management device.
  • the first edge device and the second edge device may be BNGs, and the first user site and the second user site may be CPEs.
  • when the receiving unit 601 receives the first access request sent by the first edge device, the processing unit 602 may be further configured to store the information that the first user site requests to access the VPN service, for example, specifically store the correspondence between the VPN service and the port identifier of the first port.
  • the processing unit 602 determines, according to the stored information, that the first user site requests to access the VPN service. Therefore, when determining that the second user site requests to access the VPN service, the processing unit 602 may be specifically configured to determine that the information that the second user site requests to access the VPN service is stored.
  • when the receiving unit 601 receives the first access request, and the processing unit 602 determines that the second user site requests access to the VPN service, the processing unit 602 configures the first edge device and the second edge device to connect the first user site and the second user site to the VPN service.
  • the processing unit 602 may use either of two configuration manners when configuring the first edge device and the second edge device. The first configuration manner is to connect the first user site and the second user site to the VPN service independently, that is, each user site accesses the VPN service and does not know the other user equipment that accesses the VPN service.
  • the second configuration manner is to connect the first user site and the second user site to the VPN service by deploying a VPN tunnel between the first user site and the second user site.
  • the two configuration methods are described below.
  • the first configuration manner: the processing unit 602 can separately configure the first edge device and the second edge device, so that the first user site and the second user site independently access the VPN service.
  • the network device 600 may further include a sending unit, where the processing unit 602 sends a configuration parameter to the first edge device by using the sending unit, where the configuration parameter includes only the configuration parameter for connecting the first user site to the VPN service, for example, the port identifier of the first port, and does not include configuration parameters related to the second user site.
  • the processing unit 602 may further send, to the first edge device by using the sending unit, the first RT and the first RD that are allocated by the network device 600 to the first user site.
  • the configuration parameter sent by the processing unit 602 to the second edge device by using the sending unit includes only configuration parameters for connecting the second user site to the VPN service, for example, the port identifier of the second port, and does not include the configuration parameters associated with the first user site.
  • the port identifier of the second port may be obtained from an access request for requesting the second user site to access the VPN service.
  • the processing unit 602 may further send, to the second edge device by using the sending unit, the second RT and the second RD that the network device 600 allocates to the second user site.
  • the first edge device and the second edge device independently connect the first user site and the second user site to the VPN service according to the configuration parameters sent by the network device 600.
  • the second configuration manner: in some scenarios, for example, when the user, on applying for the VPN service, sets the VPN service as a point-to-point service type, a VPN tunnel may be deployed between the first edge device and the second edge device to access the VPN service. This is specifically described below by way of an embodiment.
  • an embodiment of the present invention provides another apparatus embodiment of the network device 700. Different from other embodiments, this embodiment focuses on accessing the VPN service by deploying a VPN tunnel between the first edge device and the second edge device.
  • the network device 700 of this embodiment includes: a receiving unit 701 and a processing unit 702.
  • the receiving unit 701 is configured to receive a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
  • the processing unit 702 is configured to: when the receiving unit 701 receives the first access request, determine that the second user site requests to access the VPN service, where the second user site is a user site different from the first user site.
  • the functions of the receiving unit 701 and the processing unit 702 are similar to those of the receiving unit 601 and the processing unit 602 in the embodiment shown in FIG. 6, so the description is relatively simple.
  • the processing unit 702 is further configured to: when it is determined that the second user site requests to access the VPN service, deploy a first VPN tunnel from the first edge device to the second edge device, and deploy a second VPN tunnel from the second edge device to the first edge device.
  • the head end of the first VPN tunnel is associated with the first port, the tail end of the first VPN tunnel is associated with the second port, the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port.
  • the first port is the port that is connected to the first user site on the first edge device, that is, the access port of the first user site; the second port is the port on the second edge device to which the second user site is connected, that is, the access port of the second user site.
  • the head end of the first VPN tunnel is associated with the first port; specifically, the mapping relationship between the first port and the first VPN tunnel may be stored on the first edge device, so that the first edge device transmits the data received from the first port through the first VPN tunnel according to the mapping relationship.
  • the tail end of the first VPN tunnel is associated with the second port; specifically, the mapping relationship between the second port and the first VPN tunnel may be stored on the second edge device, so that the second edge device outputs the data transmitted by the first VPN tunnel to the second port according to the mapping relationship.
  • the head end of the second VPN tunnel is associated with the second port, and the end of the second VPN tunnel is associated with the first port, which may be specifically implemented in the foregoing manner, and details are not described herein.
  • the processing unit 702 does not directly connect the first user site to the VPN service, but determines whether the second user site requests access to the VPN service; if so, the processing unit 702 has actually acquired two user sites that access the VPN service, and can connect the two user sites to the VPN service by deploying the first VPN tunnel and the second VPN tunnel.
  • an implementation of the second configuration manner is described here, that is, the first VPN tunnel and the second VPN tunnel are deployed between the first edge device and the second edge device, so that the first user site and the second user site are connected to the VPN service.
  • the first VPN tunnel and the second VPN tunnel are point-to-point VPN tunnels between the first user site and the second user site; thus, compared with the first configuration manner, in which the first user site and the second user site are connected to the VPN service independently, the second configuration manner does not need automatic site discovery, so no complicated discovery protocol needs to be run, the requirements on the edge devices are lower, and the error rate is lower.
  • VPN tunnels may be deployed between the edge device connected to another user site and the first edge device and the second edge device, respectively.
  • the receiving unit 701 is further configured to receive a second access request sent by the third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service.
  • the processing unit 702 is further configured to: when the receiving unit 701 receives the second access request, determine that the first user site and the second user site access the VPN service, deploy a third VPN tunnel from the first edge device to the third edge device, deploy a fourth VPN tunnel from the third edge device to the first edge device, deploy a fifth VPN tunnel from the second edge device to the third edge device, and deploy a sixth VPN tunnel from the third edge device to the second edge device.
  • the head end of the third VPN tunnel is associated with the first port
  • the tail end of the third VPN tunnel is associated with the third port
  • the head end of the fourth VPN tunnel is associated with the third port.
  • the trailing end of the fourth VPN tunnel is associated with the first port
  • the head end of the fifth VPN tunnel is associated with the second port
  • the tail end of the fifth VPN tunnel is associated with the third port
  • the head end of the sixth VPN tunnel is associated with the third port
  • the tail end of the sixth VPN tunnel is associated with the second port.
  • for the specific manner in which a port is associated with the head end or the tail end of a tunnel, refer to the foregoing description of how the head end of the first VPN tunnel is associated with the first port and how the tail end of the second VPN tunnel is associated with the second port. Details are not repeated here.
  • the processing unit 702 may deploy the first VPN tunnel and the second VPN tunnel by directly configuring the first edge device and the second edge device, for example, by sending configuration parameters to the first edge device and the second edge device.
  • the processing unit 702 can also indirectly configure the first edge device and the second edge device, for example, deploying the first VPN tunnel and the second VPN tunnel by other devices by sending a request to other devices. The following are explained separately.
  • the network device 700 of this embodiment further includes a sending unit.
  • the processing unit 702 is further configured to allocate a VPN tunnel identifier for the VPN service.
  • the VPN tunnel identifier uniquely represents a VPN tunnel, and the VPN tunnel refers to a VPN tunnel for carrying the VPN service.
  • the processing unit 702 is specifically configured to send a first configuration parameter to the first edge device by using the sending unit, and send a second configuration parameter to the second edge device by using the sending unit; the first configuration parameter includes: the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device; the second configuration parameter includes: the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
  • the first configuration parameter sent to the first edge device includes a configuration parameter related to the second user site: the device identifier of the second edge device; the second configuration parameter sent to the second edge device includes a configuration parameter related to the first user site: the device identifier of the first edge device.
  • the first edge device and the second edge device deploy the first VPN tunnel and the second VPN tunnel according to the first configuration parameter and the second configuration parameter; any current VPN tunnel deployment mode may be used, which is not limited in this embodiment of the present invention.
  • the processing unit 702 may be further configured to send, by using the sending unit, the first RT and the first RD allocated to the first user site to the first edge device, and send the second RT and the second RD allocated for the second user site to the second edge device.
  • the network device 700 of this embodiment further includes a sending unit; when the first VPN tunnel and the second VPN tunnel of the VPN service are deployed between the first edge device and the second edge device, the processing unit 702 is specifically configured to send, by using the sending unit, a request for deploying the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device to a controller, where the request for deploying the first VPN tunnel and the second VPN tunnel includes a port identifier of the first port, a port identifier of the second port, a device identifier of the first edge device, and the device identifier of the second edge device.
  • the request for deploying the first VPN tunnel and the second VPN tunnel may further include: an identifier of the VPN service.
  • the controller deploys the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device according to the request.
  • when deploying the first VPN tunnel and the second VPN tunnel, the controller may obtain, according to the device identifier of the first edge device and the device identifier of the second edge device, the specific paths of the first VPN tunnel and the second VPN tunnel, that is, the path devices of the first VPN tunnel and the second VPN tunnel.
  • the label and the output port allocated by the controller 401 may be included in the forwarding entry.
  • the connection relationship between the controller and the network device 700 can be as shown in FIG. 4.
  • the controller may specifically be an SDN controller.
  • the VPN service may correspond to one or more accounts, and each account may correspond to a different QoS. Therefore, when the first VPN tunnel is deployed, the QoS corresponding to the account may also be used.
  • the first access request further includes an account with which the first user site requests to access the VPN service; the processing unit 702 is further configured to acquire a QoS corresponding to the account;
  • the processing unit 702 is specifically configured to deploy the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
  • the processing unit 702 is further configured to obtain an account that the second user station requests to access the VPN service, and deploy the second VPN tunnel according to the QoS corresponding to the account.
  • the first VPN tunnel and the second VPN tunnel that are ultimately deployed may have different QoS.
  • bandwidth may be reserved for the first VPN tunnel and the second VPN tunnel, and the first VPN tunnel and the second VPN tunnel may be further revoked to release the bandwidth reserved for the first VPN tunnel and the second VPN tunnel.
  • the receiving unit 701 is further configured to receive a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site exit the VPN service, and the second exit request is used to request that the second user site exit the VPN service.
  • the processing unit 702 is further configured to: when the receiving unit 701 receives the first exit request or the second exit request, revoke the first VPN tunnel and the second VPN tunnel deployed between the first edge device and the second edge device.
  • the network device 700 of this embodiment further includes a sending unit; the processing unit 702 is further configured to acquire related information used to indicate a deployment time of the first VPN tunnel and the second VPN tunnel, and the sending unit is configured to send the related information to the charging device.
  • the related information may be the deployment time of the first VPN tunnel and the second VPN tunnel, or may be the moment at which the first VPN tunnel and the second VPN tunnel were deployed and the moment at which they were revoked.
  • the charging device calculates the deployment time of the first VPN tunnel and the second VPN tunnel according to the two moments.
  • the device embodiment of the network device in the embodiment of the present invention is described above from the perspective of a modular functional entity.
  • the device embodiment of the network device in the embodiment of the present invention will be described below from the perspective of hardware processing.
  • an embodiment of the present invention provides another apparatus embodiment of a network device.
  • the network device 800 of this embodiment may be a microprocessor computer.
  • the network device 800 can be one of a portable device such as a general purpose computer, a custom machine, a mobile phone terminal, or a tablet.
  • the network device 800 includes a processor 804, a memory 806, a communication interface 802, and a bus 808.
  • the processor 804, the memory 806, and the communication interface 802 are connected by the bus 808 and complete communication with each other.
  • the bus 808 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
  • the bus 808 can be divided into one or more of an address bus, a data bus, and a control bus. For ease of representation, only one thick line is shown in Figure 8, but it does not mean that there is only one bus or one type of bus.
  • the memory 806 is for storing executable program code, the program code including computer operating instructions.
  • when the network device 800 executes the program code, the network device 800 can complete the embodiment shown in FIG. 1 or FIG. 3, and can also implement all the functions of the network device in the embodiment shown in FIG. 6 or FIG. 7.
  • the memory 806 can include a high-speed random access memory (RAM).
  • the memory 806 may further include a non-volatile memory.
  • the memory 806 can include a disk storage.
  • the processor 804 may be a central processing unit (CPU), or the processor 804 may be an application specific integrated circuit (ASIC), or the processor 804 may be one or more integrated circuits that are configured to implement embodiments of the present invention.
  • the communication interface 802 is configured to perform, in the embodiment shown in FIG. 1 and FIG. 3, receiving the first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
  • the processor 804 is configured to read an instruction stored in the memory 806, so as to perform, in the embodiment shown in FIG. 1 and FIG. 3: determining that the second user site requests to access the VPN service, where the second user site is a user site different from the first user site; and configuring the first edge device and a second edge device connected to the second user site, so that the first user site and the second user site access the VPN service.
  • each functional unit of the network device provided by the present invention may be a specific implementation based on the method of the embodiment shown in FIG. 1 or FIG. 3 and the function of the apparatus shown in FIG. 6 or FIG.
  • the definitions and descriptions of the terms are consistent with the embodiments shown in FIGS. 1, 3, 6, and 7, and are not described herein again.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention essentially, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a number of instructions to cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.
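
The controller behaviour described in the embodiments above (holding the first access request until a second site asks for the same VPN service, deploying both tunnels with the QoS of each requester's account, revoking both on either exit request, and reporting the two moments to the charging device) as an added Python example; it is not code from the patent. The class and method names, the bandwidth-only QoS model, the direction of the second tunnel, the capacity check and the endpoint check on exit requests are assumptions.

```python
class Controller:
    """Toy model: tunnels exist only while both sites are in the VPN service."""

    def __init__(self, qos_mbps, capacity_mbps):
        self.qos_mbps = qos_mbps      # account -> bandwidth to reserve (constructed values)
        self.free_mbps = capacity_mbps
        self.pending = {}             # vpn -> (edge, account) of the first requester
        self.active = {}              # vpn -> deployed tunnel pair
        self.charging = []            # records handed to the charging device

    def access_request(self, vpn, edge, account, now):
        if account not in self.qos_mbps:
            return "unknown account"
        if vpn in self.active:
            return "already deployed"
        first = self.pending.get(vpn)
        if first is None or first[0] == edge:
            # Only one site so far: hold the request, configure nothing on the edge.
            self.pending[vpn] = (edge, account)
            return "pending"
        # Second site arrived: one tunnel per direction (assumed), each with
        # the QoS of its own requester's account.
        tunnels = {(first[0], edge): self.qos_mbps[first[1]],
                   (edge, first[0]): self.qos_mbps[account]}
        needed = sum(tunnels.values())
        if needed > self.free_mbps:
            return "insufficient bandwidth"
        self.free_mbps -= needed
        del self.pending[vpn]
        self.active[vpn] = {"tunnels": tunnels, "deployed_at": now}
        return "deployed"

    def exit_request(self, vpn, edge, now):
        pair = self.active.get(vpn)
        if pair is None or all(edge not in ends for ends in pair["tunnels"]):
            return "ignored"          # requester is not an endpoint of this pair
        # Either site leaving revokes both tunnels and frees their reservations.
        self.free_mbps += sum(pair["tunnels"].values())
        del self.active[vpn]
        self.charging.append((vpn, pair["deployed_at"], now))
        return "revoked"


def billed_seconds(record):
    """Charging-device side: deployment time computed from the two moments."""
    _vpn, deployed_at, revoked_at = record
    return revoked_at - deployed_at
```

Rejecting exit requests from an edge that is not an endpoint of the tunnel pair keeps an unrelated edge device from tearing down another tenant's tunnels.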

Abstract

The invention relates to a VPN service access method and a network device. In the method, a network device: receives a first access request sent by a first edge device, the first access request being used to request that a first user site connected to the first edge device access a VPN service; determines that a second user site requests to access the VPN service; and configures the first edge device and a second edge device connected to the second user site so that the first user site and the second user site access the VPN service. With the present invention, the first user site and the second user site are given access to the VPN service when it is determined that the first user site can exchange data with the second user site after accessing the VPN service, which avoids as far as possible the situation in which resources of the first edge device are occupied but the first user site cannot exchange data, and therefore reduces wasted resources.
PCT/CN2015/093091 2014-12-31 2015-10-28 VPN service access method and network device WO2016107261A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410850003.4A CN104601431B (zh) 2014-12-31 2014-12-31 VPN service access method and network device
CN201410850003.4 2014-12-31

Publications (1)

Publication Number Publication Date
WO2016107261A1 true WO2016107261A1 (fr) 2016-07-07

Family

ID=53126952

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/093091 WO2016107261A1 (fr) 2014-12-31 2015-10-28 VPN service access method and network device

Country Status (2)

Country Link
CN (1) CN104601431B (fr)
WO (1) WO2016107261A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104601431B (zh) * 2014-12-31 2018-04-20 华为技术有限公司 VPN service access method and network device
US10938599B2 (en) 2017-05-22 2021-03-02 Futurewei Technologies, Inc. Elastic VPN that bridges remote islands
CN113778463B (zh) * 2020-06-09 2023-01-06 华为技术有限公司 Service deployment method and apparatus
CN111884903B (zh) * 2020-07-15 2022-02-01 迈普通信技术股份有限公司 Service isolation method and apparatus, SDN network system, and routing device

Also Published As

Publication number Publication date
CN104601431A (zh) 2015-05-06
CN104601431B (zh) 2018-04-20


Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15874946

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15874946

Country of ref document: EP

Kind code of ref document: A1