WO2018000890A1 - Method and apparatus for implementing a combined virtual private network (VPN) - Google Patents

Method and apparatus for implementing a combined virtual private network (VPN)

Info

Publication number
WO2018000890A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
service
access point
domain
combined
Application number
PCT/CN2017/080090
Inventor
张丽雅
陈远山
吕拯
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to EP20151795.0A (patent EP3734912B1)
Priority to EP17818887.6A (patent EP3402133B1)
Publication of WO2018000890A1
Priority to US16/122,197 (patent US10855530B2)
Priority to US17/090,403 (patent US11558247B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • the present application relates to the field of communications and, more particularly, to a method and apparatus for implementing a combined VPN.
  • to implement a complete VPN service, such as an enterprise private line or an enterprise online service, an operator needs to span multiple domains and multiple different technology types.
  • for the tenant's three sites, Site1, Site2, and Site3, the carrier creates a VPN service spanning the A domain and the B domain.
  • the service connection mode of the A domain is the virtual leased line (VLL), and the service connection mode of the B domain is L3VPN.
  • L3 Layer 3
  • the A network corresponds to the A domain shown in Figure 1
  • the B network corresponds to the B domain shown in Figure 1
  • the A network may be a Synchronous Digital Hierarchy (SDH) network or an Optical Transport Network (OTN) network
  • SDH Synchronous Digital Hierarchy
  • OTN Optical Transport Network
  • L2 Layer 2
  • the B network may be a data network composed of pure routers, and the B network provides a Layer 3 switching service.
  • Port 1 and port 2 are the access points of the Layer 3 service; but for the operator, the A network needs to be configured with a Virtual Leased Line (VLL).
  • Port 1 and port 2 are access points for Layer 2 services.
  • the configuration of the access point of a Layer 2 service is not the same as that of a Layer 3 service.
  • the access point of a Layer 2 service needs to be configured with Layer 2 parameters such as the virtual local area network (VLAN) value, whereas the access point of a Layer 3 service needs to be configured with Layer 3 parameters such as IP/route.
  • VLAN virtual local area network
  • the industry lacks a management model and related solutions for end-to-end cross-domain cross-technology VPN services, resulting in operators needing to manage segment by segment.
  • the operator first needs to coordinate A and B network resources (including port resources: ports 1, 2, 3, 4, 5, 6, 7), deploy VLL1.1 and VLL1.2 on the A network, then deploy L3VPN1.3 on the B network, and ensure that the VLAN value assignments of ports 3, 4, 5, and 6 match.
  • the IP addresses and routing protocols assigned to ports 5 and 6 need to correspond to port a of Site1 and port b of Site2, respectively.
  • the relevant end-to-end VPN service model and management scheme in the industry includes the standard draft-ltsd-l3sm-l3vpn-service-model of the IETF (2016/5/2).
  • This standard describes the L3VPN (Layer 3 VPN) boundary characteristics from the perspective of user requirements. Although it describes the characteristics of a, b, and c in Figure 1, for example the geographical location of Site1, the IP address of port a (10.1.1.2/24), and the peering IP address (10.1.1.3/24) on the carrier side, it does not describe on which network boundary the carrier-side IP address should be deployed, and the user cannot see from the model how the VPN is decomposed in each network. For example, it is impossible to know that the quality of Site1 is affected by VLL1.1, port 3, port 5, and L3VPN1.3. Therefore, this model is not suitable for operator maintenance personnel.
  • the present application provides a method and apparatus for implementing a combined VPN, which can automatically complete the creation of a combined VPN service and present a management model of the combined VPN service to a user, so that the user can identify the correlation of services between different technologies in different domains, thereby facilitating evaluation of the impact of service changes of the combined VPN service.
  • the first aspect provides a method for implementing a combined virtual private network VPN, including:
  • a combined VPN represents a VPN service that spans multiple domains.
  • the access point corresponding to the tenant site is the access point of the combined VPN that is requested to be implemented.
  • a segmented VPN represents a service connection within each of the multiple domains spanned by the combined VPN.
  • a combined VPN is obtained based on the one or more segmented VPNs.
  • the combined VPN requested by the user is obtained by splicing the one or more segmented VPNs.
  • in the access point list and the segmented VPN list of the combined VPN, the access point list includes information describing an access point of the combined VPN, where an access point of the combined VPN is an access point corresponding to the tenant site
  • the segmented VPN list includes information for describing the one or more segmented VPNs.
  • the VPN basic information of the combined VPN may also be output to the user.
  • one or more segmented VPNs are obtained according to the service type input by the user and the tenant site, the combined VPN is obtained through the one or more segmented VPNs, and the access point list and the segmented VPN list of the combined VPN are output to the user. This enables the user to know the correlation between the services of the different domains involved in the combined VPN, thereby helping the user evaluate the impact range of a service change of the combined VPN.
  • determining the one or more segmented VPNs according to the service type and the access point corresponding to the tenant site includes:
  • the combined VPN model includes a service type option, an access point list, and a segmented VPN list, where the combined VPN model is used to determine the segmented VPN information in the segmented VPN list according to the service type entered in the service type option and the access point entered in the access point list.
  • the combined VPN model also includes VPN basic information.
  • the combined VPN model determines the segmented VPN information in the segmented VPN list, according to the service type entered in the service type option and the access point entered in the access point list, by using the following steps:
  • determining, according to the service type library obtained by service orchestration, the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, the service policy is any one of the following: a Layer 2 VPN (L2VPN), a Layer 3 VPN (L3VPN), and a termination point (TP), and the service type library includes the correspondence between the service type and the service policy and the primary domain.
  • each of the domains through which the service access path passes includes a segmentation VPN.
  • the information of the one or more segmented VPNs is presented in a segmented VPN list of the combined VPN model.
  • a combined VPN model is provided, where the combined VPN model includes a service type option, an access point list, and a segmented VPN list, and is used to determine the segmented VPN information in the segmented VPN list according to the service type entered in the service type option and the access point entered in the access point list. That is, the combined VPN can be obtained by the user through the combined VPN model.
  • determining the one or more segmented VPNs according to the service type and the access point corresponding to the tenant site includes:
  • the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, the service policy is any one of the following: an L2VPN, an L3VPN, and a TP, and the service type library includes a correspondence between the service type and the service policy and the primary domain.
  • each of the domains through which the service access path passes includes a segmentation VPN.
  • determining, according to the primary domain, the service access path of the access point corresponding to the tenant site includes:
  • the method further includes:
  • the parameter to be modified includes activation or deactivation; the target segmented VPN is the segmented VPN in which the access point of the combined VPN is located; the parameter to be modified is sent to the domain controller of the domain in which the target segmented VPN is located, so that the domain controller modifies the corresponding access point of the target segmented VPN according to the parameter to be modified
  • a port that is on the service access path of the access point corresponding to the tenant site and is at the same layer as the parameter to be modified is searched for, and the found port is modified according to the parameter to be modified; the layer parameter includes a Layer 2 parameter or a Layer 3 parameter.
  • the operator can modify the combined VPN efficiently and flexibly.
  • the method further includes:
  • all objects on a service access path include ports and service connections on the service access path.
  • the operator can modify the combined VPN efficiently and flexibly.
  • the method further includes:
  • the operator can modify the combined VPN efficiently and flexibly.
  • the service policy of the combined VPN is a first service policy
  • an access point of the combined VPN is a first access point, and the service policy of the segmented VPN where the first access point is located is a second service policy
  • the parameters of the first access point include parameters of the combined VPN layer and parameters of the segmented VPN layer, where the parameters of the combined VPN layer include the parameter corresponding to the first service policy, and the parameters of the segmented VPN layer include a parameter corresponding to the second service policy.
  • the parameters of the access point of the combined VPN are expressed hierarchically, so that the configuration information at different service levels can be expressed at the same time.
  • the access point list of the combined VPN includes the parameters of the access point at the combined VPN layer, and the access point list of the segmented VPN where the access point is located includes the parameters of the access point at the segmented VPN layer.
  • the segmented VPN list includes the access point list of the segmented VPN, so that the operator can not only know the parameters of the combined VPN access point at the combined VPN level, that is, the level seen by the tenant
  • the parameters corresponding to the service policy include a Layer 2 parameter and a Layer 3 parameter;
  • the parameters corresponding to the service policy include only Layer 2 parameters.
  • parameters corresponding to the service policy include broadband service related parameters.
  • the method further includes:
  • after the access point list, the segmented VPN list, and the VPN basic information of the combined VPN are output to the user, and when a confirmation response is received from the user, the configuration message of each segmented VPN is sent to the domain controller of the domain in which that segmented VPN is located, so that the domain controller notifies the corresponding network element device to create each segmented VPN.
  • a configuration message of the corresponding segmented VPN is sent to the controller, so that the controller notifies the corresponding network element device to create the corresponding segmented VPN; creating the multiple segmented VPNs included in the combined VPN achieves the creation of the combined VPN.
  • the access point list includes the following information: the PE device configuration information and the CE device configuration information corresponding to the access point of the combined VPN, and the routing configuration information of the access point;
  • the segmented VPN list includes the following information: access point information and basic information of the segmented VPN.
  • a second aspect provides an apparatus for implementing a combined virtual private network VPN, the apparatus being configured to perform the method of the first aspect or any possible implementation of the first aspect.
  • the apparatus may comprise means for performing the method of the first aspect or any of the possible implementations of the first aspect.
  • a third aspect provides an apparatus for implementing a combined virtual private network VPN, the apparatus comprising a memory and a processor, the memory being configured to store instructions and the processor being configured to execute the instructions stored in the memory, where execution of the instructions stored in the memory causes the processor to perform the method of the first aspect or any of the possible implementations of the first aspect.
  • a segmented VPN refers to a service connection deployed within a domain.
  • a combined VPN refers to a service connection deployed within an administrative domain that spans one or more domains.
  • a combined VPN includes one or more segmented VPNs.
  • the segmented VPNs included in a combined VPN include at least one segmented VPN (also referred to as a primary domain VPN) whose service policy is consistent with the combined VPN service policy.
  • the service policy of the combined VPN or the segmented VPN includes an L3VPN, an L2VPN, or a TP.
  • one or more segmented VPNs are obtained according to the service type input by the user and the tenant site, the combined VPN is obtained through the one or more segmented VPNs, and the access point list and the segmented VPN list of the combined VPN are output to the user. This enables the user to know the correlation between the services of the different domains involved in the combined VPN, thereby helping the user evaluate the impact range of a service change of the combined VPN.
  • FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of a combined VPN and a segmented VPN in an embodiment of the present invention.
  • FIG. 3 shows a schematic diagram of a system architecture of an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for implementing a combined VPN according to an embodiment of the present invention.
  • FIG. 5 is another schematic flowchart of a method for implementing a combined VPN according to an embodiment of the present invention.
  • FIG. 6 is another schematic flowchart of a method for implementing a combined VPN according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a combined VPN model provided by an embodiment of the present invention.
  • FIG. 8 is a schematic flowchart of creating a combined VPN according to an embodiment of the present invention.
  • FIG. 9 is a schematic flowchart of modifying a combined VPN provided by an embodiment of the present invention.
  • FIG. 10 is a schematic flowchart of adding or deleting a tenant site of a combined VPN provided by an embodiment of the present invention.
  • FIG. 11 is a schematic flowchart of deleting a combined VPN according to an embodiment of the present invention.
  • FIG. 12 is a schematic block diagram of an apparatus for implementing a combined VPN according to an embodiment of the present invention.
  • FIG. 13 is another schematic block diagram of an apparatus for implementing a combined VPN according to an embodiment of the present invention.
  • FIG. 14 is still another schematic block diagram of an apparatus for implementing a combined VPN according to an embodiment of the present invention.
  • to address the lack of a management scheme for end-to-end cross-domain cross-technology VPN services in the industry, the present application provides a method, a coordinator, and a controller for implementing a combined VPN, which enable a user to know the correlation between the services of the different domains involved in the combined VPN and thereby help the user evaluate the impact of service changes of the combined VPN.
  • the method provided by the present application can automatically complete resource allocation and service splicing between different subnets, for example, associating VLL1.1, VLL1.2, and L3VPN1.3 in FIG. 1 into the same VPN service.
  • VPN virtual private network
  • a VPN is a virtual private network that an operator provides to users through its public network. That is, a VPN is a private network of users from the perspective of users.
  • the public network includes public backbone networks and public carrier border devices. The geographically separated VPN member sites (Site) are connected to the corresponding carrier border devices through the client device, and form the customer's VPN network through the operator's public network.
  • the basic model of a typical VPN consists of three parts: a CE device, a PE device, and a P device.
  • a CE device refers to a Customer Edge device and is an edge device on the user side.
  • the CE device has an interface directly connected to the Service Provider (SP) network.
  • SP Service Provider
  • a CE device can be a router or a switch, or it can be a host.
  • a CE device does not "perceive" the existence of a VPN and does not need to have a VPN function.
  • a PE device referred to as a Provider Edge device, is an edge device of a service provider network.
  • the PE device is directly connected to the CE device and is responsible for accessing the VPN service.
  • a PE device can connect to multiple CE devices.
  • a CE device can also connect multiple PE devices belonging to the same or different service provider networks.
  • a P device refers to a backbone device in the service provider network and is not directly connected to the CE device.
  • Site refers to a group of IP systems with IP connectivity between each other, and the IP connectivity of this group of IP systems does not need to be implemented through the service provider network.
  • Sites are classified according to the network topology of the devices, not the geographic location. Although the geographical locations of devices in a site are usually adjacent, if two geographically separated groups of IP systems are connected by dedicated lines and can interoperate without passing through the service provider network, the two groups of IP systems form a single site. Sites are connected to the service provider network through CE devices.
  • L2VPN refers to Layer 2 VPN
  • L3VPN refers to Layer 3 VPN.
  • L2VPN has a close relationship with the second layer in the seven-layer structure (that is, the data link layer, L2).
  • L2VPN means that the tunnel encapsulating the VPN is completed at the data link layer, and the client maps its Layer 3 route to the network at the data link layer.
  • in MPLS L2VPN, after a data packet enters the network, it is re-encapsulated at the Layer 2 header with MPLS header information added, and is then Layer 2 switched through the tunnel (transport channel) created in advance and delivered hop by hop to the destination.
  • Ethernet private line (EPL) and Virtual Leased Line (VLL) are point-to-point virtual private line technologies, which are widely used by operators to provide L2VPN services to customers.
  • L3VPN has a close relationship with the third layer in the seven-layer structure (that is, the network layer, also known as the IP layer, referred to as L3).
  • L3VPN is a routing-based VPN solution that forwards IP packets in a manner similar to IP routing. After the router receives an IP packet, it looks up the destination address of the IP packet in the forwarding table, and then uses the pre-established Label Switched Path (LSP) to transmit the IP data across the carrier backbone.
  • LSP Label Switched Path
  • for a cross-domain VPN, the customer sites that need to deploy the VPN service are located in different autonomous systems (ASs). Therefore, the VPN needs to be deployed across multiple AS domains.
  • such a cross-domain VPN is referred to as a combined VPN in the embodiment of the present invention.
  • the terms combined VPN and segmented VPN are used only for ease of description and do not limit the scope of protection of the embodiments of the present invention.
  • Segment VPN refers to a VPN deployed in a segment. It should be noted that “segmentation” mentioned in this document means “domain”, such as an autonomous system (AS) domain. That is, a segmented VPN can be understood as a VPN deployed in an AS domain.
  • AS autonomous system
  • Combined VPN (Composed VPN) refers to a VPN deployed across one or more segments (for example, an AS domain).
  • a combined VPN includes one or more segmented VPNs.
  • a segmented VPN describes an atomic service instance that a combined VPN decomposes into in each domain.
  • the atomic service is the minimum service granularity that the domain controller can identify and manage. That is, the segmented VPN is composed of only one type of service, and is no longer composed of multiple types of services.
  • the combined VPN shown in FIG. 2 is a VPN of geographically separated VPN member sites Site1 and Site2.
  • the combined VPN spans the domains AS1 and AS2.
  • Site 1 is connected to PE 11 in AS 1 through an Access Point (AP) 1
  • Site 2 is connected to PE 22 in AS 2 through AP 4 .
  • the inter-domain connection between AS1 and AS2 is as follows: PE12 in AS1 is connected to PE2 through AP2. It should be understood that AP1 is a port of PE11, AP2 is a port of PE12, AP3 is a port of PE21, and AP4 is a port of PE22.
  • the service connection (AP1-AP2) in AS1 is a segment VPN of the combined VPN
  • the service connection (AP3-AP4) in AS2 is another segment VPN of the combined VPN. That is, in the scenario of FIG. 2, the combined VPN includes a segmented VPN 1 and a segmented VPN 2.
  • Site1 and Site2 are the tenant sites of the combined VPN.
  • the access point of Site1 is AP1
  • the access point of Site2 is AP4.
  • the access points of the combined VPN include AP1 and AP4.
  • the access points of the segmented VPN 1 include AP1 and AP2.
  • the access points of the segmented VPN 2 include AP3 and AP4.
  • the combined VPN may be an L2VPN or an L3VPN, that is, the service policy of the combined VPN may be an L2VPN or an L3VPN.
  • a segmented VPN included in the combined VPN may have the same service policy as the combined VPN, while the other segmented VPNs may have different service policies.
  • the segmented VPN1 is an L3VPN
  • the segmented VPN2 is an L2VPN
  • the segmented VPN1 is an L3VPN
  • the segmented VPN2 is an L3VPN
  • the segmented VPN1 is an L3VPN
  • the segmented VPN2 is an L3VPN.
  • the PE 12 is specifically implemented by the Autonomous System Boundary Router (ASBR) of AS1, and PE21 is similar.
  • ASBR Autonomous System Boundary Router
  • a segmented VPN that constitutes a combined VPN must have a primary domain VPN.
  • the primary domain VPN refers to a segmented VPN with the same service policy as the combined VPN.
  • the primary domain VPN refers to a segmented VPN that completes the service characteristics of the combined VPN.
  • the service policy of the combined VPN may be an L2VPN, an L3VPN, or a termination point (TP).
  • TP refers to a port, and the port can be used to represent an access port of a cross-domain broadband remote access server (BRAS) service.
  • BRAS is a new access gateway for broadband network applications. It is located at the edge layer of the backbone network, where it can complete data access of the user-bandwidth IP/ATM network, provide broadband Internet access for commercial buildings and community residents, and support applications such as IP services based on Internet Protocol Security (IPSec).
  • the service policy of the combined VPN is TP, which means that the service policy of the combined VPN is a broadband service type, for example, a service based on a Dynamic Host Configuration Protocol (DHCP).
  • DHCP Dynamic Host Configuration Protocol
  • the service policy of at least one of the segmented VPNs included in the combined VPN is L3VPN
  • the service policy of the other segmented VPNs may be any one of L3VPN, L2VPN, and TP.
  • the service policy of at least one of the segmented VPNs included in the combined VPN is L2VPN
  • the service policy of the other segmented VPNs may be any one of L3VPN, L2VPN, and TP.
  • the service policy of at least one of the segmented VPNs included in the combined VPN is TP
  • the service policy of the other segmented VPNs may be any one of L3VPN, L2VPN, and TP.
  • L3 indicates the third layer (Layer 3) in the seven-layer network, that is, the network layer, and may also be described as the IP layer. Therefore, L3, the network layer, and the IP layer mentioned herein all mean the same thing.
  • L2 indicates the second layer (Layer 2) in the seven-layer network, that is, the data link layer, and can also be described as the Ethernet layer. Therefore, L2, the data link layer, and the Ethernet layer mentioned herein all mean the same thing.
  • FIG. 3 is a schematic diagram of a system architecture of an embodiment of the present invention.
  • the entire network consists of three layers: a coordinator, a controller layer, and a forwarding plane.
  • the forwarding plane can be a router network or an optical transport network (OTN).
  • OTN optical transport network
  • the coordinator and the controller are connected through the Restful/Netconf interface, and the controller and router layers communicate with each other through the Netconf/Cli/Snmp interface.
  • the coordinator provides a service orchestration interface and a service ordering interface through the Restful protocol.
  • the coordinator includes an orchestration module, configured to perform service orchestration according to the information input by the service planner (corresponding to the user in FIG. 3) through the service orchestration interface, obtain a service type template, and store the obtained service type template into the service type library.
  • the key account manager (corresponding to the user in Figure 3) selects the service type name (or identifier) that needs to be ordered through the service ordering interface.
  • the operator can also enter information about the tenant site from the service ordering interface.
  • the coordinator determines the access point corresponding to the tenant site according to the tenant site input by the user (the user referred to herein is the operator), and then determines the combined VPN requested by the user according to the access point corresponding to the tenant site and the service type input by the user; the combined VPN includes multiple segmented VPNs.
  • the tenant sites are Site1 and Site2 as shown in Figure 3, and the combined VPN determined by the coordinator spans the A domain, the B domain, and the C domain.
  • the service policy in the A domain is EPL, the service policy in the B domain is L3VPN, and the service policy in the C domain is VLL.
  • the combined VPN includes three segmented VPNs: EPL, L3VPN, and VLL.
  • the coordinator sends a segmented VPN configuration message to the controller through the Restful/Netconf interface.
  • the controller notifies the forwarding plane to create the corresponding segmented VPN through the Netconf/Cli/Snmp interface.
  • the coordinator delivers the configuration message of the segmented VPN EPL to controller 1, and controller 1 notifies the network element in the A domain to create the segmented VPN EPL; the coordinator delivers the configuration message of the segmented VPN L3VPN to controller 2, and controller 2 notifies the network element in the B domain to create the segmented VPN L3VPN; the coordinator delivers the configuration message of the segmented VPN VLL to controller 3, and controller 3 notifies the network element in the C domain to create the segmented VPN VLL.
  • controller 1 is the domain controller of the A domain, controller 2 is the domain controller of the B domain, and controller 3 is the domain controller of the C domain.
  • FIG. 4 is a schematic flowchart of a method 100 for implementing a combined VPN according to an embodiment of the present invention.
  • the method 100 may be performed by the coordinator shown in FIG. 3.
  • the method 100 includes:
  • the service type and the tenant site of the combined VPN that the user requests to implement, as input by the user, are obtained; the combined VPN represents a VPN service across multiple domains.
  • the access point corresponding to the tenant site refers to the access point through which the tenant site accesses the combined VPN network.
  • the access point of Site1 is port 1; as shown in Figure 2, the access point of Site1 is AP1.
  • the access point corresponding to the tenant site may also be referred to as an access point of the combined VPN that the user requests to implement.
  • S130 Determine one or more segmented VPNs according to the service type and the access point corresponding to the tenant site.
  • a segmented VPN represents a service connection within each domain in multiple domains spanned by a combined VPN.
  • the VPN basic information of the combined VPN may also be output to the user.
  • the access point list includes the following information: the PE device configuration information and the CE device configuration information corresponding to the access point of the combined VPN, and the routing configuration information of the access point;
  • the segment VPN list includes the following information: access point information and basic information of the segmented VPN of the combined VPN;
  • the basic information of the VPN includes the following information: a VPN identifier, a VPN name, and a service policy of the combined VPN service, where the service policy includes L2VPN, L3VPN, or broadband service.
  • by outputting the access point list, the segment VPN list, and the VPN basic information of the combined VPN according to the service type of the combined VPN to be implemented by the user and the tenant site, the user can be informed of the correlation of services between the different domains involved in the combined VPN, which makes it easier for the user to evaluate the impact range of service changes of the combined VPN.
  • FIG. 5 is another schematic flowchart of the method for implementing the combined VPN provided by the embodiment of the present invention. As shown in FIG. 5, in the embodiment of the present invention, S130, determining one or more segmented VPNs according to the service type and the access point corresponding to the tenant site, includes:
  • S131. Determine, according to the service type library obtained by the service orchestration, the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, the service policy is any one of the following service policies: L2VPN, L3VPN, and TP, and the service type library includes the correspondence between the service type and the service policy and the primary domain.
  • the domain where the primary domain VPN resides is called the primary domain. It is specified by the service type when the service is scheduled. Different service types can have different primary domains.
  • the primary domain VPN refers to a single domain service that carries the service characteristics of the combined VPN.
  • the primary domain VPN is also referred to as the primary domain service policy.
  • the single domain service policy is specified as the primary domain service policy, and the domain in which the primary domain service policy is located is the primary domain.
  • FIG. 6 depicts a Fullmesh L3VPN enterprise leased line service.
  • in the service definition phase, when the service is decomposed into single-domain service policies, the A domain is the primary domain, and the atomic service of the A domain is Fullmesh L3VPN.
  • service orchestration treats the service as a resource: the attributes of the resource (i.e., the attributes of the service) and the instantiation policy (such as the resource selection policy) are arranged into a template for delivery.
  • the service type template obtained by the service orchestration includes the information of the service policy, and specifically includes the combined service policy and one or more single-domain service policies, among which there must be one single-domain service policy that is consistent with the combined service policy.
  • that single-domain service policy is configured as the primary domain service policy.
  • the domain in which it is located is the primary domain, that is, the primary domain of the service type corresponding to the service type template.
  • Each service type template obtained by the service orchestration has a one-to-one correspondence with a unique service type identifier, that is, each service type template corresponds to one service type. That is, the service type library that saves the service type template includes the correspondence between the service type identifier and the service type template. If a service type is given, the corresponding service type template can be determined.
  • the service orchestration has been completed: the service policy of the A domain is L3VPN, the service policies of the B domain, the C domain, and the D domain are VLL, the service policy for the combined VPN is L3VPN, and the A domain is designated as the primary domain of the combined VPN.
  • the service policy of the combined VPN is an L3VPN
  • the A domain is the primary domain of the combined VPN.
  • the primary domain is targeted, and the path of the tenant node to the tenant site is not directly searched.
  • S132 Targeting the primary domain, determining a service access path of the access point corresponding to the tenant site, where the destination node of the service access path is a boundary node of the primary domain.
  • the service access path indicates the inter-domain path from the tenant site to the primary domain.
  • S132, targeting the primary domain and determining the service access path of the access point corresponding to the tenant site, includes:
  • the service access path of the access point corresponding to the tenant site is determined according to the port resources allocated for the respective domains and the service connection between the allocated ports of the respective domains.
  • to determine the service access path of the access point 1 of the tenant site Site1, first determine the access domain B of the access point 1, and then perform pathfinding from the access domain B to the primary domain A (BA): port 3 is assigned to domain B, the service connection VLL1.1 is defined between port 1 and port 3, port 3 is assigned to the A domain, and an inter-domain connection policy is established for port 2 to port 3.
  • the service connection L3VPN is defined on the port 3 allocated in the A domain, and the service access path of the access point 1 is determined to be 1-VLL1.1-2-3.
  • in the same way, the service access path of the access point 4 of the tenant site Site2 can be determined: 4-VLL1.2-8-7; the service access path of the access point 5 of the tenant site Site3: 5-VLL1.3-9-10; the service access path of the access point 6 of the tenant site Site4: 6.
  • the service access path of the access point of the tenant site may also be referred to as the service access path of the tenant site.
  • the service access path of the tenant site that appears below refers to the service access path of the access point of the tenant site.
  • S133 Determine the one or more segment VPNs according to the domain through which the service access path passes.
  • the segment VPN indicates a service connection in a domain through which the service access path passes; in other words, each domain through which the service access path passes includes at least one segmented VPN.
  • the service access path (1-VLL1.1-2-3) of the access point 1 of the tenant site Site1 passes through the B domain, and the service connection in the B domain is VLL1.1.
  • a segmented VPN of the combined VPN is therefore segmented VPN: VLL1.1.
  • the service access path (4-VLL1.2-8-7) of the access point 4 of the tenant site Site2 passes through the C domain, and the service connection in the C domain is VLL1.2, so another segmented VPN of the combined VPN is segmented VPN: VLL1.2.
  • the service access path (5-VLL1.3-9-10) of the access point 5 of the tenant site Site3 passes through the D domain, and the service connection in the D domain is VLL1.3, so another segmented VPN of the combined VPN is segmented VPN: VLL1.3.
  • the access point 6 of the tenant site Site4 is directly connected to the primary domain A, and its service access path does not pass through other domains.
  • the L3VPN in the primary domain A is also a segmented VPN of the combined VPN. At this point, the four segmented VPNs of the combined VPN are obtained: L3VPN, VLL1.1, VLL1.2, VLL1.3.
  • the primary domain VPN of the combined VPN can also be understood as a segmented VPN that completes the service characteristics of the combined VPN.
  • the primary domain of the combined VPN is determined according to the service type of the combined VPN to be implemented by the user; then, targeting the primary domain, the service access path of each access point of the combined VPN is obtained; finally, the segmented VPNs of the combined VPN are determined according to the domains through which the service access paths pass.
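The decomposition in S131 to S133, applied to the four-site example above, as an added example that is not part of the patent text. The service type key `enterprise-l3vpn`, the dictionary layout, the function names and the use of a hop-count breadth-first search as the pathfinding strategy are assumptions; the ports, domains and segment names are those of the example.

```python
from collections import deque

# Constructed data mirroring the four-site example in the text. The service
# type key "enterprise-l3vpn" and this dictionary layout are assumptions.
SERVICE_TYPE_LIBRARY = {
    "enterprise-l3vpn": {
        "combined_policy": "L3VPN",
        "primary_domain": "A",
        "domain_policy": {"A": "L3VPN", "B": "VLL", "C": "VLL", "D": "VLL"},
    }
}
# Service connection that forms the segment VPN inside each domain.
SEGMENT_NAME = {"A": "L3VPN", "B": "VLL1.1", "C": "VLL1.2", "D": "VLL1.3"}
# Inter-domain connections as ((domain, port), (domain, port)).
INTER_DOMAIN_LINKS = [(("B", 2), ("A", 3)), (("C", 8), ("A", 7)), (("D", 9), ("A", 10))]
# Tenant site -> (access domain, access point port).
ACCESS_POINTS = {"Site1": ("B", 1), "Site2": ("C", 4), "Site3": ("D", 5), "Site4": ("A", 6)}


def primary_domain(service_type):
    """S131: resolve the template and check the primary domain's policy
    is consistent with the combined service policy."""
    tpl = SERVICE_TYPE_LIBRARY[service_type]
    primary = tpl["primary_domain"]
    if tpl["domain_policy"][primary] != tpl["combined_policy"]:
        raise ValueError("primary domain policy differs from combined service policy")
    return primary


def domain_route(access_domain, target_domain):
    """Shortest inter-domain route by hop count: domains are points,
    inter-domain connections are lines. Returns a list of
    ((domain, egress_port), (domain, ingress_port)) hops."""
    adjacency = {}
    for a, b in INTER_DOMAIN_LINKS:
        adjacency.setdefault(a[0], []).append((a, b))
        adjacency.setdefault(b[0], []).append((b, a))
    queue, seen = deque([(access_domain, [])]), {access_domain}
    while queue:
        domain, hops = queue.popleft()
        if domain == target_domain:
            return hops
        for near, far in adjacency.get(domain, []):
            if far[0] not in seen:
                seen.add(far[0])
                queue.append((far[0], hops + [(near, far)]))
    raise ValueError(f"no inter-domain path from {access_domain} to {target_domain}")


def access_ports(site, service_type):
    """S132: ports on the service access path as (domain, port), access point first."""
    ports = [ACCESS_POINTS[site]]
    for near, far in domain_route(ACCESS_POINTS[site][0], primary_domain(service_type)):
        ports += [near, far]
    return ports


def path_string(site, service_type):
    """Render the path in the notation used in the text, e.g. 1-VLL1.1-2-3."""
    ports = access_ports(site, service_type)
    out = [str(ports[0][1])]
    # After the access point, ports come in (egress, ingress) pairs per hop.
    for i in range(1, len(ports), 2):
        egress, ingress = ports[i], ports[i + 1]
        out += [SEGMENT_NAME[egress[0]], str(egress[1]), str(ingress[1])]
    return "-".join(out)


def segment_vpns(service_type):
    """S133: one segment VPN per domain crossed, with the ports it owns."""
    segments = {}
    for site in ACCESS_POINTS:
        for domain, port in access_ports(site, service_type):
            segments.setdefault(SEGMENT_NAME[domain], set()).add(port)
    return {name: sorted(ports) for name, ports in segments.items()}


def layer3_port(site, service_type):
    """First port on the path that sits in an L3VPN domain; Layer 3
    parameters of the access point are configured there."""
    policy = SERVICE_TYPE_LIBRARY[service_type]["domain_policy"]
    for domain, port in access_ports(site, service_type):
        if policy[domain] == "L3VPN":
            return port
    raise ValueError("no Layer 3 port on the service access path")


def impact_range(domain, service_type):
    """Tenant sites whose service access path passes through the given domain."""
    return sorted(s for s in ACCESS_POINTS
                  if any(d == domain for d, _ in access_ports(s, service_type)))


if __name__ == "__main__":
    for s in ACCESS_POINTS:
        print(s, path_string(s, "enterprise-l3vpn"))
    print(segment_vpns("enterprise-l3vpn"))
```

`impact_range` gives the set of tenant sites a change in one domain touches, which is the evaluation the segment VPN list is meant to support.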
  • the access point list, the segment VPN list, and the VPN basic information of the combined VPN are output to the user, where the access point list of the combined VPN includes information for describing an access point of the combined VPN, the access point of the combined VPN is an access point corresponding to the tenant site, and the segment VPN list includes information for describing the one or more segment VPNs.
  • the access point list includes the following information: the PE device configuration information and the CE device configuration information corresponding to the access point of the combined VPN, and the routing configuration information of the access point;
  • the segment VPN list includes the following information: access point information and basic information of the segmented VPN of the combined VPN;
  • the basic information of the VPN includes the following information: a VPN identifier, a VPN name, and a service policy of the combined VPN service, where the service policy includes L2VPN, L3VPN, or broadband service.
  • the access point list of the combined VPN output to the user includes: the CE device and PE device corresponding to port 1, and routing information of port 1; the CE device and PE device corresponding to port 4, and routing information of port 4; the CE device and PE device corresponding to port 5, and routing information of port 5; the CE device and PE device corresponding to port 6, and routing information of port 6.
  • the segmented VPN list of the combined VPN output to the user includes: segmented VPN: access point list of VLL1.1 (related information of ports 1 and 2) and basic information; segmented VPN: access point list of VLL1.2 (related information of ports 4 and 8) and basic information; segmented VPN: access point list of VLL1.3 (related information of ports 5 and 9) and basic information; segmented VPN: access point list of L3VPN (related information of ports 3, 6, 7 and 10) and basic information.
  • the VPN basic information of the combined VPN output to the user includes: a VPN ID of the combined VPN (VPN ID), a VPN name of the combined VPN, and a service policy L3VPN of the combined VPN.
  • S130, determining one or more segment VPNs according to the service type and the access point corresponding to the tenant site, includes:
  • obtaining a combined VPN model 200, the combined VPN model 200 including a service type option, an access point list, and a segmented VPN list, the combined VPN model being used to determine the segmented VPN information in the segmented VPN list according to the service type entered in the service type option and the access point entered in the access point list.
  • the combined VPN model 200 also includes VPN basic information.
  • the combined VPN model 200 determines the segmented VPN information according to the service type entered in the service type option and the access point entered in the access point list by using the following steps:
  • the service policy and the primary domain corresponding to the service type are determined, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, and the service policy is any one of the following service policies: a Layer 2 L2VPN, a Layer 3 L3VPN, and a terminal point TP, where the service type library includes a correspondence between the service type and the service policy and the primary domain;
  • the information of the one or more segmented VPNs is presented in a segmented VPN list of the combined VPN model.
  • the combined VPN model 200 includes a service type (not shown in FIG. 7), VPN basic information, a segment VPN list, and an access point list (Access Point List).
  • the service type is used to associate the combined VPN to a service type template (obtained through service orchestration).
  • VPN basic information including information describing the basic attributes of the combined VPN.
  • the VPN basic information includes: a VPN identifier (VPN ID) for uniquely identifying the combined VPN, a VPN name of the combined VPN, a service policy of the combined VPN (L3VPN/L2VPN/TP), and the like.
  • a list of access points including information describing the access points of the combined VPN.
  • the access point list here refers to the list of access points of the combined VPN, which is different from the list of access points of the segmented VPN mentioned later.
  • the access point list of the combined VPN includes information describing ports 1, 2, and 7.
  • the information used to describe the access point of the combined VPN includes the following information: configuration information of the PE device corresponding to the access point (for example, VLAN, IP), configuration information of the CE device corresponding to the access point (such as physical address, IP, CE device name), and routing configuration information of the access point (for example, BGP, AS number).
  • a segmented VPN list that includes basic VPN information and a list of access points.
  • the basic VPN information is used to describe what the segmented VPN looks like, and how the segmented VPN communicates with devices outside the segmented VPN.
  • the access point list in the segmented VPN list is used to describe the access point where the segmented VPN is connected to the tenant site, or the access point where the segmented VPN is connected to other segmented VPNs.
  • the combined VPN model also includes some global information (not shown in FIG. 7), for example, a tenant identification (combination ID) for associating a combined VPN with a dedicated tenant, or a topology or service type of the combined VPN, and other information.
  • the coordinator determines the access point of the combined VPN according to the tenant site input by the user, and may also be referred to as the top boundary point of the combined VPN.
  • the top layer here refers to the combined VPN layer.
  • the parameter of the access point of the combined VPN is input to the access point list of the combined VPN model (combined VPN level), and the parameter of the access point of the combined VPN may also be referred to as a combined VPN top-level boundary parameter.
  • the coordinator enters the service type input by the user into the service type option of the combined VPN model.
  • the combined VPN model calculates the service access paths of all the access points of the combined VPN according to the top-level boundary parameters of the combined VPN and the input service type, and decomposes the combined VPN into segmented VPNs according to the domains through which the service access paths pass. The basic information of the segmented VPNs and their lists of access points are then presented in the segmented VPN list.
  • a combined VPN model is provided, and the combined VPN model can output segmented VPN information and VPN basic information of the combined VPN according to the input service type and access point information of the combined VPN.
  • outputting the access point list, the segment VPN list, and the VPN basic information of the combined VPN to the user lets the user know the correlation of the services between the different domains involved in the combined VPN, which makes it easier for the user to evaluate the impact range of service changes of the combined VPN.
  • the service policy of the combined VPN is a first service policy, the service policy of the segment VPN in which a first access point among the access points of the combined VPN is located is a second service policy, and the parameters of the first access point include parameters of the combined VPN layer and parameters of the segment VPN layer, where the parameters of the combined VPN layer include parameters corresponding to the first service policy, and the parameters of the segment VPN layer include parameters corresponding to the second service policy.
  • the parameters corresponding to the service policy include a Layer 2 parameter and a Layer 3 parameter.
  • the parameters corresponding to the service policy include only Layer 2 parameters.
  • parameters corresponding to the service policy include broadband service related parameters, such as DHCP parameters.
  • IP layer parameters include parameters such as a routing protocol, an IP address, and the like.
  • Ethernet layer parameters include parameters such as MAC address and VLAN.
  • the access point of the combined VPN adopts a layered representation.
  • the access point 1 (i.e., port 1) needs to be configured with Layer 2 parameters (VLANs) and Layer 3 parameters (routing protocols, IP addresses, etc.) at the combined VPN level, but because the service decomposition policy of the combined VPN in the domain A is VLL, the access point 1 can only be configured with Layer 2 parameters at the segmented VPN (that is, VLL1.1) layer.
  • the Layer 3 parameters are handled by following the service access path of the access point 1, 1-VLL1.1-3-5, to find the interface whose single-domain service policy is L3VPN, that is, port 5; the Layer 3 parameters of the access point 1 are then configured on port 5 along that service access path.
  • ports 1 and 3 are Layer 2 ports, and port 5 is a Layer 3 port.
  • the parameters of the access point of the combined VPN are hierarchically expressed, and the configuration information at different service levels can be simultaneously expressed.
  • the access point list of the combined VPN includes the parameters of each access point at the combined VPN layer, and the access point list of the segment VPN where the access point is located includes the parameters of the access point at the segment VPN layer.
  • the segmented VPN list includes the access point list of the segmented VPN, so that the operator can not only know the parameters of the access point of the combined VPN at the combined VPN level (that is, the level seen by the tenant)
  • the method 100 further includes:
  • a configuration message of the corresponding segmented VPN is sent to the controller, so that the controller notifies the corresponding network element device to create the corresponding segmented VPN; creating the multiple segmented VPNs included in the combined VPN achieves the creation of the combined VPN.
  • the embodiment of the present invention provides a method for implementing a combined VPN, which can efficiently implement an end-to-end cross-domain, cross-technology VPN service, and proposes the concept that a combined VPN includes one or more segmented VPNs.
  • releasing the segmented VPNs of the combined VPN to the user lets the user know the correlation of the services between the different domains involved in the combined VPN, which makes it easier for the user to evaluate the impact range of service changes of the combined VPN.
  • the embodiment of the present invention also proposes a concept of a combined VPN model, which is more advantageous for the operator to automatically manage the combined VPN.
  • when the operator needs to delete the branch site Site1 in the process of maintaining the cross-domain cross-technology VPN, as shown in FIG. 1, the operator first needs to find the service connection VLL1.1 corresponding to Site1 in network A and delete it, and then needs to apply to the B network to modify the relevant parameters. In this case, the administrator of the B network needs to check which port in the B network serves Site1, that is, port 5, and then delete port 5.
  • the above process of deleting the site includes many process steps and manual processing, which leads to errors in service delivery and management.
  • the CRUD operations on a tenant site of the combined VPN are performed based on the service access path of the access point of the tenant site, where CRUD refers to create (Create), retrieve (Retrieve), update (Update), and delete (Delete).
  • the efficiency of the operator management combined VPN can be improved, and the management cost can be reduced.
  • FIG. 8 is a schematic flowchart of a method 300 for creating a combined VPN according to an embodiment of the present invention.
  • the method 300 may be performed by the coordinator shown in FIG. 3.
  • the method 300 includes:
  • service orchestration treats the service as a resource: the attributes of the resource (i.e., the service attributes) and the instantiation policy (such as the resource selection policy) are arranged into a template for delivery.
  • the service planner (corresponding to the user in FIG. 3) performs service orchestration through the information input in the service orchestration interface, obtains a service type template, and stores the obtained service type template in the service type library of the coordinator.
  • the service type template obtained by the service orchestration includes the information of the service policy, and specifically includes the combined service policy and one or more single-domain service policies, among which there must be one single-domain service policy that is consistent with the combined service policy.
  • that single-domain service policy is configured as the primary domain service policy.
  • the domain in which it is located is the primary domain, that is, the primary domain of the service type corresponding to the service type template.
  • Each service type template obtained by the service orchestration has a one-to-one correspondence with a unique service type identifier, that is, each service type template corresponds to one service type. That is, the service type library that saves the service type template includes the correspondence between the service type identifier and the service type template. If a service type is given, the corresponding service type template can be determined.
  • S302. Receive a service type input by the user and a tenant site, and determine an access point corresponding to the tenant site, that is, determine an access point of the combined VPN, and determine a parameter of the access point according to the service type.
  • based on the service type library obtained by the service orchestration in S301, the service type template corresponding to the service type input by the user is determined.
  • the service policy of the combined VPN is determined according to the service type template.
  • the parameters of the access point of the combined VPN are then determined.
  • the parameters of the combined VPN access point include the IP layer parameters and the Ethernet layer parameters.
  • the parameters of the combined VPN access point include only the Ethernet layer parameters.
  • the user input may be a service type identifier, and the coordinator determines the service type selected by the user according to the service type identifier.
  • the service type template corresponding to the service type input by the user is determined based on the service type library obtained by the service orchestration in S301.
  • the service type template includes a combined service policy and a single domain service policy, and an end-to-end "routing strategy" is obtained from the combined service policy.
  • the end-to-end “routing strategy” describes cross-domain end-to-end basic pathfinding algorithm strategies, such as shortest path algorithm, minimum delay algorithm, and so on.
  • the primary domain of the service type is defined in the service type template corresponding to each service type.
  • the service type template is obtained according to the service type in S302, where the service type template includes a combined service policy and a single domain service policy.
  • a single-domain service policy configured as a primary domain service policy is found in all the single-domain service policies in the service type template, and the domain corresponding to the primary domain service policy is the primary domain of the combined VPN.
  • the service access path of an access point is the inter-domain path from the access point to the primary domain of the combined VPN obtained in S304.
  • the access domain where the access point is located may be obtained according to the domain where the network element corresponding to the access point is located.
  • the domain is abstracted into points, and the inter-domain connections are abstracted into lines.
  • the inter-domain path between the access domain and the primary domain is calculated according to the basic pathfinding strategy, that is, the service access path of the access point of the combined VPN.
  • a single-domain boundary resource of a domain that the service access path determined in S305 passes and the single-domain boundary resource includes a port, a VLAN, an IP, an RD/RT address, and the like.
  • the single domain resource pool is obtained according to the single domain service policy acquired in S306.
  • the inter-domain connection port also the segmentation VPN access port
  • the VLAN the virtual local area network
  • the IP address the RD/RT address
  • the RD/RT address between the domains may also be selected according to the single domain resource pool.
  • the coordinator may not allocate the RD/RT address between the domains.
  • the service connection in the single domain through which the service access path passes such as VLL or L3VPN, is determined, thereby obtaining the segment VPN corresponding to the service access path.
  • the default parameter in the single-domain service policy is the basic information of the segment VPN.
  • boundary information of the segmented VPN can be sent to the controller to request a detailed route in the corresponding domain. Thereby obtaining more specific information of the segmentation VPN.
  • S309. Determine whether all the single domains through which the service access path of each access point of the combined VPN calculated in S305 passes have been processed. If yes, go to S3010. If not, go to S307.
  • the segment VPN1 and the segment VPN2 are obtained, and then the segment VPN1 and the segment VPN2 are spliced into a combined VPN.
  • the management model of the combined VPN may be released to the user.
  • the management model of the combined VPN issued to the user is, for example, the combined VPN model shown in FIG. 7.
  • the combined VPN model includes: VPN basic information, an access point list, and a segmented VPN list.
  • the basic VPN information includes: network topology, service type, and management status.
  • the network topology is, for example, Fullmesh or Hub-Spoke.
  • the service type is, for example, an enterprise private network or a corporate online service.
  • Management status includes activation and deactivation.
  • the access point list includes parameters for describing an access point of the combined VPN.
  • the access point list includes the following parameters of the access point of the combined VPN: an identifier (ID), a working layer (Working Layer), a layer parameter list (Type Spec List), and a served CE side port.
  • the identifier (ID) is used to uniquely identify the access port.
  • the working level is used to indicate the working level of the access port, such as the Ethernet layer (L2 layer) or the IP layer (L3 layer).
  • the layer parameter list includes the layer parameters of the access port. When the working level is the Ethernet layer, the layer parameter list includes the Ethernet parameter; when the working level is the IP layer, the layer parameter list includes IP parameters.
  • the layer parameters of the access point of the combined VPN are determined according to the service policy of the combined VPN. For details, refer to the related description above, and details are not described herein.
  • a segmented VPN list also known as a single-domain VPN service list.
  • the segmented VPN list includes multiple single-domain VPN services, and there is only one primary domain VPN service.
  • the segmented VPN list includes the following information: a port ID, a VPN type, a VPN Role, and a VPN Info.
  • Port ID refers to the ID of the port of the segmented VPN.
  • the type of the segmented VPN is used to indicate the service connection type of the segmented VPN.
  • the type of the segmented VPN includes the VPN and the port (TP).
  • the type of the segmented VPN is a port (TP) when the service connection type of the segmented VPN is a broadband service.
  • the role of the segmented VPN is used to indicate whether the segmented VPN is the primary domain VPN.
  • Segmented VPN information: when the type of the segmented VPN is VPN, the segmented VPN information is a VPN structure; when the type of the segmented VPN is a port, the segmented VPN information is a TP structure.
  • the VPN structure includes an Access Point List of the segment VPN.
  • the combined VPN model further includes an identification (ID) of the VPN that can be used to uniquely identify the combined VPN, and a service type identifier (Business Type ID) used to identify the service type of the combined VPN.
  • the unidirectional VPN configuration information is delivered to the domain controller of the domain where each segment VPN is located, so that the domain controller notifies the network element in the forwarding plane to create the corresponding segment VPN.
  • the method 100 further includes:
  • when the parameter to be modified includes activation or deactivation, determining the target segment VPN where the access point of the combined VPN is located, and sending the parameter to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to the parameter to be modified;
  • for a port on the service access path of the access point corresponding to the tenant site that is at the same layer as the parameter to be modified, the corresponding port is modified according to the parameter to be modified.
  • the layer parameters include Layer 2 parameters or Layer 3 parameters.
  • FIG. 9 is a schematic flowchart of a method 400 for modifying a combined VPN provided by an embodiment of the present invention.
  • the method 400 may be performed by the coordinator shown in FIG. include:
  • the parameter that needs to be modified is considered to be valid for the access point; if the parameter to be modified is a layer parameter, such as an Ethernet layer parameter or an IP layer parameter, the parameter to be modified is considered to be valid for the service access path.
  • determining the segment VPN where the access point of the combined VPN is located, and searching for the peer access point of the access point in the segment VPN according to the access point list of the segment VPN; obtaining the directly connected port of the peer access point.
  • the segment VPN where the directly connected port is located is the next segment VPN on the service access path. Repeat this step until the segment VPN found is the primary domain VPN. All the ports and segment VPNs passed in this process form the service access path from the access point to the primary domain VPN.
  • the ports on the access path obtained in S405 are checked starting from the port adjacent to the access point: it is determined whether the working rate level of the currently checked port is at the same layer as the parameter to be modified; if so, the corresponding attribute of the currently checked port is modified according to the parameter to be modified; if not, the next port on the service access path is checked, until the last port of the service access path.
  • the service access path of the tenant site to be deleted is found, and the segmentation VPN passing through the service path is deleted one by one.
  • the method 100 further includes:
  • the service access path of the access point corresponding to the target tenant site is searched, and all objects on the service access path of the access point corresponding to the target tenant site are deleted.
  • all objects on the service access path include ports and service connections on the service access path.
  • FIG. 10 shows a schematic flowchart of a method 500 for adding and deleting tenant sites of a combined VPN provided by an embodiment of the present invention. The method 500 can be performed by the coordinator shown in FIG. 3, the method 500 comprising:
  • the tenant site 1 is a CE side site of the combined VPN.
  • the access point of the combined VPN includes the peerCeTp.
  • the peerCeTP is equal to the input CE side site
  • the local port is the access point corresponding to the CE.
  • the port on the service access path acquired by S503 and the segment VPN are created.
  • the method 100 further includes:
  • FIG. 11 is a schematic flowchart of a method 600 for deleting a combined VPN according to an embodiment of the present invention.
  • the method 600 may be performed by a coordinator shown in FIG. include:
  • S602. Determine a network element corresponding to the access point of the segment VPN, and determine a domain where the network element is located, and send a command to delete the segment VPN to the domain controller of the domain.
  • the state of the combined VPN is set to the out-of-step state, and the manual processing flow is entered, and the manual processing process forcibly deletes.
  • the embodiments of the present invention can implement the functions of automatically creating, modifying, and deleting a combined VPN, thereby avoiding the higher management costs in the prior art, where maintaining cross-domain and cross-technology VPN services requires coordination among multiple departments.
  • the above description uses the case where the service policy of the combined VPN is L3VPN as an example; the embodiment of the present invention is not limited thereto, and the service policy of the combined VPN may also be L2VPN or TP.
  • when the service policy of the combined VPN is L2VPN or TP, the corresponding method for implementing the combined VPN is similar to the method for implementing a combined VPN whose service policy is L3VPN; those skilled in the art can derive it from the teachings herein, and this part also falls within the scope of the present invention.
  • one or more segment VPNs are obtained according to the service type and the tenant site input by the user, the combined VPN is obtained through the one or more segment VPNs, and the access point list and the segment VPN list of the combined VPN are output to the user, which enables the user to know the correlation of the services between the different domains involved in the combined VPN, thereby helping the user evaluate the impact range of a service change of the combined VPN.
  • FIG. 12 is a schematic block diagram of an apparatus 700 for implementing a combined virtual private network (VPN), such as the coordinator shown in FIG. 3, provided by an embodiment of the present invention.
  • the device 300 includes:
  • the obtaining module 710 is configured to obtain a service type and a tenant site input by the user;
  • the processing module 720 is configured to determine an access point corresponding to the tenant site acquired by the acquiring module.
  • the processing module 720 is further configured to determine one or more segment VPNs according to the service type and the access point corresponding to the tenant site, where a segment VPN indicates the service connection in each of the multiple domains spanned by the combined VPN;
  • the processing module 720 is further configured to obtain a combined VPN according to the one or more segment VPNs;
  • the output module 730 is configured to output, to the user, an access point list and a segment VPN list of the combined VPN, where the access point list of the combined VPN includes information for describing an access point of the combined VPN, the access point of the combined VPN is the access point corresponding to the tenant site, and the segment VPN list includes information for describing the one or more segment VPNs.
  • one or more segment VPNs are obtained according to the service type and the tenant site input by the user, the combined VPN is obtained through the one or more segment VPNs, and the access point list and the segment VPN list of the combined VPN are output to the user, which enables the user to know the correlation between the services of the different domains involved in the combined VPN, thereby helping the user evaluate the impact range of a service change of the combined VPN.
  • the processing module 720 includes a combined VPN model, where the combined VPN model includes a service type option, an access point list, and a segment VPN list, and the combined VPN model is used to determine the segment VPN information in the segment VPN list according to the service type entered in the service type option and the access point entered in the access point list; the processing module 720 is configured to: enter the access point corresponding to the tenant site into the access point list of the combined VPN model, enter the service type into the service type option of the combined VPN model, and obtain the one or more segment VPNs from the segment VPN list of the combined VPN model.
  • using the combined VPN model, the service policy and the primary domain corresponding to the service type are determined, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, the service policy is any one of the following service policies: Layer 2 L2VPN, Layer 3 L3VPN, and terminal point TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain;
  • the information of the one or more segment VPNs is presented in the segment VPN list of the combined VPN model.
  • the processing module 720 is configured to determine, according to the service type library obtained by service orchestration, the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, the service policy is any one of the following service policies: L2VPN, L3VPN, and TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain;
  • taking the primary domain as the target, determine a service access path of the access point corresponding to the tenant site, where the destination node of the service access path is a border node of the primary domain; determine the one or more segment VPNs according to the domains through which the service access path passes, where a segment VPN indicates the service connection in a domain through which the service access path passes.
  • the processing module 720 is configured to determine the access domain of the access point corresponding to the tenant site, where the access domain is the domain where the access point is located; determine an inter-domain pathfinding path from the access domain to the primary domain; allocate port resources for each domain through which the inter-domain pathfinding path passes, and determine the service connections between the allocated ports of the respective domains; and determine the service access path of the access point corresponding to the tenant site according to the port resources allocated for the respective domains and the service connections between the allocated ports of the respective domains.
  • the acquiring module 710 is further configured to: acquire parameters that need to be modified by the combined VPN;
  • the processing module 720 is configured to: when the parameter to be modified includes activation or deactivation, determine the target segment VPN where the access point of the combined VPN is located, and send the parameter to be modified to the domain controller of the domain where the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to the parameter to be modified;
  • the processing module 720 is further configured to: when the parameter to be modified includes a layer parameter, search the service access path of the access point corresponding to the tenant site for ports at the same layer as the parameter to be modified, and modify the found ports according to the parameter to be modified, where the layer parameter includes a Layer 2 parameter or a Layer 3 parameter.
  • the acquiring module 710 is further configured to determine a target tenant site of the combined VPN that needs to be deleted;
  • the processing module 720 is configured to search for a service access path of the access point corresponding to the target tenant site, and delete all objects on the service access path of the access point corresponding to the target tenant site.
  • the acquiring module 710 is further configured to: determine that the combined VPN needs to be deleted;
  • the processing module 720 is configured to delete all the segment VPNs of the combined VPN.
  • the service policy of the combined VPN is a first service policy, the service policy of the segment VPN in which a first access point among the access points of the combined VPN is located is a second service policy, and the parameters of the first access point include parameters of the combined VPN layer and parameters of the segment VPN layer, where the parameters of the combined VPN layer include parameters corresponding to the first service policy, and the parameters of the segment VPN layer include parameters corresponding to the second service policy.
  • when the service policy is L3VPN, the parameters corresponding to the service policy include Layer 2 parameters and Layer 3 parameters.
  • when the service policy is L2VPN, the parameters corresponding to the service policy include only Layer 2 parameters.
  • when the service policy is TP, the parameters corresponding to the service policy include broadband service related parameters.
  • the apparatus 700 further includes:
  • a receiving module configured to receive an acknowledgment response of the user after the output module outputs the access point list, the segment VPN list, and the VPN basic information of the combined VPN to the user;
  • a sending module configured to send, to the domain controller of the domain where each segment VPN is located, the configuration message of each segmented VPN, so that the domain controller notifies the corresponding network element device to create the segmented VPN.
  • the access point list includes the following information: the PE device configuration information and the CE device configuration information corresponding to the access point of the combined VPN, and the routing configuration information of the access point.
  • the segmented VPN list includes the following information: access point information and basic information of the segmented VPN.
  • the apparatus 700 in accordance with an embodiment of the present invention may correspond to the coordinator in the method for implementing a combined VPN in accordance with an embodiment of the present invention, and the above and other operations and/or functions of the modules in the apparatus 700 respectively implement the corresponding processes of the methods in FIG. 4 to FIG. 11; for brevity, they are not described here again.
  • an embodiment of the present invention further provides an apparatus 800 for implementing a combined VPN, where the apparatus 800 includes a processor 810, a memory 820, a receiver 840, and a transmitter 850.
  • the processor 810, the memory 820, the receiver 840, and the transmitter 850 communicate through an internal communication link, the memory 820 is configured to store instructions, and the processor 810 is configured to execute the instructions stored in the memory 820 to control the receiver 840 to receive signals and control the transmitter 850 to transmit signals.
  • the processor 810 is configured to acquire a service type and a tenant site input by the user;
  • determine an access point corresponding to the tenant site; determine one or more segment VPNs according to the access point corresponding to the tenant site, where a segment VPN indicates the service connection in each of the multiple domains spanned by the combined VPN; obtain a combined VPN according to the one or more segment VPNs; and output, to the user, an access point list and a segment VPN list of the combined VPN, where the access point list of the combined VPN includes information for describing the access point of the combined VPN, the access point of the combined VPN is the access point corresponding to the tenant site, and the segment VPN list includes information for describing the one or more segment VPNs.
  • one or more segment VPNs are obtained according to the service type and the tenant site input by the user, the combined VPN is obtained through the one or more segment VPNs, and the access point list and the segment VPN list of the combined VPN are output to the user, which enables the user to know the correlation between the services of the different domains involved in the combined VPN, thereby helping the user evaluate the impact range of a service change of the combined VPN.
  • the processor 810 is configured to determine, according to the service type library obtained by service orchestration, the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, the service policy is any one of the following service policies: L2VPN, L3VPN, and TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain.
  • the processor 810 is configured to determine the access domain of the access point corresponding to the tenant site, where the access domain is the domain where the access point is located; determine an inter-domain pathfinding path from the access domain to the primary domain; allocate port resources for each domain through which the inter-domain pathfinding path passes, and determine the service connections between the allocated ports of the respective domains; and determine the service access path of the access point corresponding to the tenant site according to the port resources allocated for the respective domains and the service connections between the allocated ports of the respective domains.
  • the processor 810 is configured to obtain a parameter of the combined VPN that needs to be modified; when the parameter to be modified includes activation or deactivation, determine the target segment VPN where the access point of the combined VPN is located, and send the parameter to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to the parameter to be modified; when the parameter to be modified includes a layer parameter, search the service access path of the access point corresponding to the tenant site for ports at the same layer as the parameter to be modified, and modify the found ports according to the parameter to be modified, where the layer parameter includes a Layer 2 parameter or a Layer 3 parameter.
  • the processor 810 is configured to: determine a target tenant site of the combined VPN that needs to be deleted; search for the service access path of the access point corresponding to the target tenant site, and delete all objects on the service access path of the access point corresponding to the target tenant site.
  • the processor 810 is configured to determine that the combined VPN needs to be deleted; and delete all the segmented VPNs of the combined VPN.
  • the service policy of the combined VPN is a first service policy, the service policy of the segment VPN in which a first access point among the access points of the combined VPN is located is a second service policy, and the parameters of the first access point include parameters of the combined VPN layer and parameters of the segment VPN layer, where the parameters of the combined VPN layer include parameters corresponding to the first service policy, and the parameters of the segment VPN layer include parameters corresponding to the second service policy.
  • when the service policy is L3VPN, the parameters corresponding to the service policy include Layer 2 parameters and Layer 3 parameters.
  • when the service policy is L2VPN, the parameters corresponding to the service policy include only Layer 2 parameters.
  • when the service policy is TP, the parameters corresponding to the service policy include broadband service related parameters.
  • the receiver 840 is configured to: after outputting the access point list, the segment VPN list, and the VPN basic information of the combined VPN to the user, receiving the confirmation response of the user;
  • the transmitter 850 is configured to send, to the domain controller of the domain in which the segmentation VPN is located, the configuration message of each segmentation VPN, so that the domain controller notifies the corresponding network element device to create the segmentation VPN.
  • the access point list includes the following information: the PE device configuration information and the CE device configuration information corresponding to the access point of the combined VPN, and the routing configuration information of the access point.
  • the segmented VPN list includes the following information: access point information and basic information of the segmented VPN.
  • the processor 810 may be a central processing unit (CPU), or the processor 810 may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like.
  • the general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • the memory 820 can include read only memory and random access memory and provides instructions and data to the processor 810. A portion of the memory 820 may also include a non-volatile random access memory. For example, the memory 820 can also store information of the device type.
  • each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 810 or an instruction in a form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 820, and the processor 810 reads the information in the memory 820 and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the apparatus 800 for implementing a combined VPN according to an embodiment of the present invention may correspond to the coordinator in the method for implementing a combined VPN according to an embodiment of the present invention, and may correspond to the apparatus 700 according to an embodiment of the present invention; the above and other operations and/or functions of the modules in the apparatus 800 respectively implement the corresponding processes of the methods in FIG. 4 to FIG. 11, and are not described here again for brevity.
  • the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions used to cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes various media that can store program code, such as a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

Abstract

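This application provides a method and an apparatus for implementing a combined VPN. The method includes: obtaining a service type and a tenant site input by a user; determining the access point corresponding to the tenant site; determining one or more segment VPNs according to the service type and the access point corresponding to the tenant site; obtaining a combined VPN according to the one or more segment VPNs; and outputting, to the user, an access point list and a segment VPN list of the combined VPN. The solution provided in this application enables the user to learn the correlation between services in the different domains involved in the combined VPN, which helps the user evaluate the scope of impact of a service change to the combined VPN.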

Description

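Method and apparatus for implementing a combined virtual private network (VPN)
This application claims priority to Chinese Patent Application No. 201610493803.4, filed with the Chinese Patent Office on June 29, 2016 and entitled "Method and apparatus for implementing a combined virtual private network VPN", which is incorporated herein by reference in its entirety.
Technical Field
This application relates to the communications field, and more specifically, to a method and an apparatus for implementing a combined VPN.
Background
In the current technology, to implement a complete VPN service, for example an enterprise private line or an enterprise Internet access service, an operator needs to span multiple domains and multiple networks of different technology types. As shown in FIG. 1, the operator has created, for the tenant's three sites Site1, Site2 and Site3, a VPN service that spans domain A and domain B, where the service connection mode of domain A is a virtual leased line (Virtual Leased Line, VLL) and the service connection mode of domain B is L3VPN.
For the tenant, what it purchases is an end-to-end Layer 3 (L3) private network service that connects three branch offices: Site1, Site2 and Site3. As shown in FIG. 1, this service actually passes through two of the operator's networks: network A (corresponding to domain A in FIG. 1) and network B (corresponding to domain B in FIG. 1) (of course, it may pass through more networks). Network A may be a Synchronous Digital Hierarchy (SDH) network or an Optical Transport Network (OTN) network, and network A provides a Layer 2 (L2) access service. Network B may be a data network composed purely of routers, and network B provides a Layer 3 switching service.
Therefore, in the scenario shown in FIG. 1, for the tenant, port 1 and port 2 are access points of a Layer 3 service; but for the operator, network A needs to be configured with virtual leased lines (VLL), so port 1 and port 2 are access points of a Layer 2 service. The access points of Layer 2 and Layer 3 services are configured differently: an access point of a Layer 2 service needs Layer 2 parameters such as a virtual local area network (Virtual Local Area Network, VLAN) value, whereas an access point of a Layer 3 service needs Layer 3 parameters such as IP addresses and routing.
At present, the industry lacks a management model and related solutions for end-to-end cross-domain, cross-technology VPN services, so operators have to manage such services segment by segment. For example, in the scenario shown in FIG. 1, the operator first needs to coordinate the resources of networks A and B (including port resources: ports 1, 2, 3, 4, 5, 6 and 7), deploy VLL1.1 and VLL1.2 in network A, then deploy L3VPN1.3 in network B, ensure that the VLAN values assigned to ports 3, 4, 5 and 6 match, and ensure that the IP addresses and routing protocols assigned to ports 5 and 6 correspond to port a of Site1 and port b of Site2 respectively.
Therefore, an end-to-end cross-domain, cross-technology VPN service model that is easy for operators to manage, and a corresponding management solution, are needed.
Current industry work on end-to-end VPN service models and management solutions includes a standard: the IETF draft "draft-ltsd-l3sm-l3vpn-service-model" of 2016/5/2. The draft describes the boundary characteristics of an L3VPN (Layer 3 VPN) from the perspective of user requirements. That is, it describes the characteristics of a, b and c in FIG. 1, for example the geographic location of site1, the IP address of port a (10.1.1.2/24) and the operator-side peer IP address (10.1.1.3/24); but it does not describe at which network's boundary the operator-side peer IP address should be deployed, and a user of the model cannot see how the VPN is decomposed across the individual networks, and therefore cannot know that the service quality of site1 is affected by VLL1.1, port 3, port 5 and L3VPN1.3. Consequently, the model is not suitable for operator maintenance personnel.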
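Summary
This application provides a method and an apparatus for implementing a combined VPN, which can automatically complete the creation of a combined VPN service and publish a management model of the combined VPN service to the user, so that the user can identify the correlation between services in different domains and of different technologies, which helps evaluate the scope of impact of a service change to the combined VPN service.
A first aspect provides a method for implementing a combined virtual private network (VPN), including:
Obtaining a service type and a tenant site input by a user.
Specifically, what the user inputs is the service type and the tenant site of the combined VPN that is requested. A combined VPN denotes a VPN service that spans multiple domains.
Determining the access point corresponding to the tenant site.
The access point corresponding to the tenant site is the access point of the requested combined VPN.
Determining one or more segment VPNs according to the service type and the access point corresponding to the tenant site.
A segment VPN denotes the service connection within each of the multiple domains spanned by the combined VPN.
Obtaining the combined VPN according to the one or more segment VPNs.
Specifically, the combined VPN requested by the user is obtained by splicing the one or more segment VPNs together.
Outputting, to the user, an access point list and a segment VPN list of the combined VPN, where the access point list of the combined VPN includes information describing the access points of the combined VPN, the access points of the combined VPN are the access points corresponding to the tenant site, and the segment VPN list includes information describing the one or more segment VPNs.
VPN basic information of the combined VPN may also be provided to the user.
In the technical solution of this application, one or more segment VPNs are obtained according to the service type and the tenant site input by the user, a combined VPN is obtained from the one or more segment VPNs, and the access point list and the segment VPN list of the combined VPN are output to the user. This enables the user to learn the correlation between services in the different domains involved in the combined VPN, which helps the user evaluate the scope of impact of a service change to the combined VPN.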
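With reference to the first aspect, in a first possible implementation of the first aspect, the determining one or more segment VPNs according to the service type and the access point corresponding to the tenant site includes:
Obtaining a combined VPN model, where the combined VPN model includes a service type option, an access point list and a segment VPN list, and the combined VPN model is used to determine the segment VPN information in the segment VPN list according to the service type entered in the service type option and the access point entered in the access point list.
The combined VPN model further includes VPN basic information.
Entering the access point corresponding to the tenant site into the access point list of the combined VPN model, entering the service type into the service type option of the combined VPN model, and obtaining the one or more segment VPNs from the segment VPN list of the combined VPN model.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the combined VPN model determines the segment VPN information in the segment VPN list, according to the service type entered in the service type option and the access point entered in the access point list, through the following steps:
Determining, based on a service type library obtained through service orchestration, the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, the service policy is any one of the following service policies: Layer 2 L2VPN, Layer 3 L3VPN, and terminal point TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain.
Taking the primary domain as the target, determining the service access path of the access point corresponding to the tenant site, where the destination node of the service access path is a border node of the primary domain.
Determining the one or more segment VPNs according to the domains through which the service access path passes, where a segment VPN denotes the service connection within a domain through which the service access path passes.
Specifically, each domain through which the service access path passes contains one segment VPN.
Presenting the information of the one or more segment VPNs in the segment VPN list of the combined VPN model.
The technical solution of this application provides a combined VPN model that includes a service type option, an access point list and a segment VPN list, and that is used to determine the segment VPN information in the segment VPN list according to the service type entered in the service type option and the access point entered in the access point list. That is, the combined VPN requested by the user can be obtained through the combined VPN model.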
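With reference to the first aspect, in a third possible implementation of the first aspect, the determining one or more segment VPNs according to the service type and the access point corresponding to the tenant site includes:
Determining, based on a service type library obtained through service orchestration, the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is consistent with the service policy corresponding to the service type, the service policy is any one of the following service policies: L2VPN, L3VPN, and TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain.
Taking the primary domain as the target, determining the service access path of the access point corresponding to the tenant site, where the destination node of the service access path is a border node of the primary domain.
Determining the one or more segment VPNs according to the domains through which the service access path passes, where a segment VPN denotes the service connection within a domain through which the service access path passes.
Specifically, each domain through which the service access path passes contains one segment VPN.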
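With reference to the second or third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the determining, taking the primary domain as the target, the service access path of the access point corresponding to the tenant site includes:
determining the access domain of the access point corresponding to the tenant site, where the access domain is the domain in which the access point is located;
determining an inter-domain pathfinding path from the access domain to the primary domain;
allocating port resources for each domain through which the inter-domain pathfinding path passes, and determining the service connections between the allocated ports of each domain;
determining the service access path of the access point corresponding to the tenant site according to the port resources allocated for each domain and the service connections between the allocated ports of each domain.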
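The four steps above, together with the service type library lookup, can be sketched as follows. This is an added example, not code from the patent: the topology is constructed from the FIG. 1 scenario described in the background, and the service type name, the dictionary layouts and all function names are assumptions.

```python
from collections import deque

# Constructed data modelled on the FIG. 1 scenario (assumed names, not from the patent).
SERVICE_TYPE_LIBRARY = {"enterprise-l3-line": ("L3VPN", "B")}  # type -> (policy, primary domain)
DOMAIN_POLICY = {"A": "L2VPN", "B": "L3VPN"}  # domain A carries VLLs, an L2VPN service
INTER_DOMAIN_LINKS = [  # border port pairs connecting two domains
    (("A", "port3"), ("B", "port5")),
    (("A", "port4"), ("B", "port6")),
]
SITE_ACCESS_POINTS = {"Site1": ("A", "port1"), "Site2": ("A", "port2"), "Site3": ("B", "port7")}


def inter_domain_path(src, dst):
    """Breadth-first search over the domain graph; returns the domains from src to dst."""
    neighbours = {}
    for (d1, _), (d2, _) in INTER_DOMAIN_LINKS:
        neighbours.setdefault(d1, set()).add(d2)
        neighbours.setdefault(d2, set()).add(d1)
    queue, parent = deque([src]), {src: None}
    while queue:
        dom = queue.popleft()
        if dom == dst:
            path = []
            while dom is not None:
                path.append(dom)
                dom = parent[dom]
            return path[::-1]
        for nxt in sorted(neighbours.get(dom, ())):
            if nxt not in parent:
                parent[nxt] = dom
                queue.append(nxt)
    raise ValueError(f"no inter-domain path from {src} to {dst}")


def allocate_link(d_from, d_to, used):
    """Allocate the first free border-port pair between two adjacent domains."""
    for a, b in INTER_DOMAIN_LINKS:
        for near, far in ((a, b), (b, a)):
            if near[0] == d_from and far[0] == d_to and near not in used and far not in used:
                used.update((near, far))
                return near[1], far[1]
    raise RuntimeError(f"no free port between {d_from} and {d_to}")


def build_combined_vpn(service_type, sites):
    """Return the access point list, segment VPN list and per-site service access paths."""
    policy, primary = SERVICE_TYPE_LIBRARY[service_type]
    used = set()
    primary_vpn = {"domain": primary, "policy": DOMAIN_POLICY[primary],
                   "role": "primary", "access_points": []}
    segment_vpns, access_points, paths = [], [], {}
    for site in sites:
        domain, port = SITE_ACCESS_POINTS[site]            # access domain of the site
        access_points.append({"site": site, "domain": domain, "port": port, "policy": policy})
        hops = inter_domain_path(domain, primary)           # inter-domain pathfinding
        path, entry = [], port
        for here, nxt in zip(hops, hops[1:]):
            exit_port, peer_port = allocate_link(here, nxt, used)   # port allocation
            seg = {"domain": here, "policy": DOMAIN_POLICY[here], "role": "access",
                   "access_points": [entry, exit_port]}     # one segment VPN per domain crossed
            segment_vpns.append(seg)
            path += [entry, seg, exit_port]
            entry = peer_port
        primary_vpn["access_points"].append(entry)          # path ends at a primary-domain border port
        paths[site] = path + [entry, primary_vpn]
    segment_vpns.append(primary_vpn)
    return {"policy": policy, "access_points": access_points,
            "segment_vpns": segment_vpns, "paths": paths}


def impact_scope(vpn, site):
    """Ports and segment VPNs on one site's service access path, as readable labels."""
    return [o if isinstance(o, str) else f"{o['policy']}@{o['domain']}"
            for o in vpn["paths"][site]]


if __name__ == "__main__":
    vpn = build_combined_vpn("enterprise-l3-line", ["Site1", "Site2", "Site3"])
    for site in vpn["paths"]:
        print(site, "->", impact_scope(vpn, site))
```

For Site1 the resulting path lists the access port, the L2 segment in domain A, the two border ports and the primary-domain L3VPN, which is the per-site dependency chain the background section says the IETF model does not expose.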
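With reference to the second to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the method further includes:
obtaining the parameters of the combined VPN that need to be modified;
when the parameters to be modified include activation or deactivation, determining the target segment VPN in which the access point of the combined VPN is located, and sending the parameters to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to the parameters to be modified;
when the parameters to be modified include a layer parameter, searching the service access path of the access point corresponding to the tenant site for ports at the same layer as the parameters to be modified, and modifying the found ports according to the parameters to be modified, where the layer parameter includes a Layer 2 parameter or a Layer 3 parameter.
The technical solution of the present invention enables the operator to modify the combined VPN efficiently and flexibly.
With reference to the second to fifth possible implementations of the first aspect, in a sixth possible implementation of the first aspect, the method further includes:
determining a target tenant site of the combined VPN that needs to be deleted;
searching for the service access path of the access point corresponding to the target tenant site, and deleting all objects on the service access path of the access point corresponding to the target tenant site.
Specifically, all objects on a service access path include the ports and the service connections on that service access path.
The technical solution of this application enables the operator to modify the combined VPN efficiently and flexibly.
With reference to the second to sixth possible implementations of the first aspect, in a seventh possible implementation of the first aspect, the method further includes:
determining that the combined VPN needs to be deleted;
deleting all segment VPNs of the combined VPN.
The technical solution of this application enables the operator to modify the combined VPN efficiently and flexibly.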
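With reference to the first aspect and the foregoing possible implementations, in an eighth possible implementation of the first aspect, the service policy of the combined VPN is a first service policy, the service policy of the segment VPN in which a first access point among the access points of the combined VPN is located is a second service policy, and the parameters of the first access point include parameters at the combined VPN level and parameters at the segment VPN level, where the parameters at the combined VPN level include parameters corresponding to the first service policy and the parameters at the segment VPN level include parameters corresponding to the second service policy.
In the technical solution of this application, the parameters of an access point of the combined VPN are expressed hierarchically, so that configuration information at different service levels can be expressed at the same time. Specifically, the access point list of the combined VPN includes the combined-VPN-level parameters of the access point, and the access point list of the segment VPN in which the access point is located includes the segment-VPN-level parameters of the access point. The access point list and the segment VPN list of the combined VPN are output to the user (the operator), and the segment VPN list includes the access point lists of the segment VPNs. The operator can therefore learn not only the parameters of the combined VPN's access points at the combined VPN level (that is, the level seen by the tenant) but also their parameters at the segment VPN level, which helps the operator manage the combined VPN.
With reference to the eighth possible implementation of the first aspect, in a ninth possible implementation of the first aspect, when the service policy is L3VPN, the parameters corresponding to the service policy include Layer 2 parameters and Layer 3 parameters;
when the service policy is L2VPN, the parameters corresponding to the service policy include only Layer 2 parameters;
when the service policy is TP, the parameters corresponding to the service policy include broadband service related parameters.
With reference to the first aspect and the foregoing possible implementations, in a tenth possible implementation of the first aspect, the method further includes:
after the access point list, the segment VPN list and the VPN basic information of the combined VPN are output to the user, and when a confirmation response is received from the user, sending a configuration message of each segment VPN to the domain controller of the domain in which that segment VPN is located, so that the domain controller notifies the corresponding network element device to create the segment VPN.
In the technical solution of this application, the configuration message of the corresponding segment VPN is delivered to a controller, so that the controller notifies the corresponding network element device to create the corresponding segment VPN; by creating the multiple segment VPNs included in the combined VPN, the combined VPN is created.
With reference to the first aspect and the foregoing possible implementations, in an eleventh possible implementation of the first aspect, the access point list includes the following information: the PE device configuration information and CE device configuration information corresponding to the access points of the combined VPN, and also the routing configuration information of the access points;
the segment VPN list includes the following information: the access point information and the basic information of the segment VPNs.
A second aspect provides an apparatus for implementing a combined virtual private network (VPN), where the apparatus is configured to perform the method in the first aspect or any possible implementation of the first aspect.
Specifically, the apparatus may include modules for performing the method in the first aspect or any possible implementation of the first aspect.
A third aspect provides an apparatus for implementing a combined virtual private network (VPN), where the apparatus includes a memory and a processor, the memory is configured to store instructions, the processor is configured to execute the instructions stored in the memory, and execution of the instructions stored in the memory causes the processor to perform the method in the first aspect or any possible implementation of the first aspect.
In the foregoing implementations, a segment VPN refers to a service connection deployed within one domain.
In the foregoing implementations, a combined VPN refers to a service connection deployed within a management domain that spans one or more domains. A combined VPN includes one or more segment VPNs. The segment VPNs included in a combined VPN include at least one segment VPN whose service policy is consistent with that of the combined VPN (also called the primary domain VPN).
In the foregoing implementations, the service policy of a combined VPN or a segment VPN includes L3VPN, L2VPN or TP.
Based on the foregoing technical solutions, in this application, one or more segment VPNs are obtained according to the service type and the tenant site input by the user, a combined VPN is obtained from the one or more segment VPNs, and the access point list and the segment VPN list of the combined VPN are output to the user. This enables the user to learn the correlation between services in the different domains involved in the combined VPN, which helps the user evaluate the scope of impact of a service change to the combined VPN.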
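Brief Description of the Drawings
FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present invention.
FIG. 2 is a schematic diagram of a combined VPN and segment VPNs in an embodiment of the present invention.
FIG. 3 is a schematic diagram of a system architecture of an embodiment of the present invention.
FIG. 4 is a schematic flowchart of a method for implementing a combined VPN provided by an embodiment of the present invention.
FIG. 5 is another schematic flowchart of a method for implementing a combined VPN provided by an embodiment of the present invention.
FIG. 6 is another schematic flowchart of a method for implementing a combined VPN provided by an embodiment of the present invention.
FIG. 7 is a schematic diagram of a combined VPN model provided by an embodiment of the present invention.
FIG. 8 is a schematic flowchart of creating a combined VPN provided by an embodiment of the present invention.
FIG. 9 is a schematic flowchart of modifying a combined VPN provided by an embodiment of the present invention.
FIG. 10 is a schematic flowchart of adding and deleting tenant sites of a combined VPN provided by an embodiment of the present invention.
FIG. 11 is a schematic flowchart of deleting a combined VPN provided by an embodiment of the present invention.
FIG. 12 is a schematic block diagram of an apparatus for implementing a combined VPN provided by an embodiment of the present invention.
FIG. 13 is another schematic block diagram of an apparatus for implementing a combined VPN provided by an embodiment of the present invention.
FIG. 14 is yet another schematic block diagram of an apparatus for implementing a combined VPN provided by an embodiment of the present invention.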
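Detailed Description
The embodiments of the present invention are described below with reference to the accompanying drawings.
The industry lacks a management solution for end-to-end, cross-domain, cross-technology VPN services. This application therefore proposes a method, an orchestrator and a controller for implementing a composed VPN, which let the user see how the services in the different domains involved in the composed VPN depend on one another and so help the user assess the scope of impact of a service change to the composed VPN. For example, in the scenario shown in FIG. 1, the method provided by this application automatically performs resource allocation and service stitching between the different subnets, for instance associating VLL1.1, VLL1.2 and L3VPN1.3 in FIG. 1 as one VPN service.
To make the method provided by the embodiments easier to understand and describe, the concepts that the embodiments may involve are introduced first.
A large organization sometimes has many departments at sites that are far apart, each with its own private network. If these private networks at different locations need to communicate frequently, the Internet (the public Internet) can be used to implement the organization's private network; such a private network is called a virtual private network (VPN). A VPN is a virtual private network that an operator provides to a user over its public network, so from the user's point of view the VPN is a private network of the user. For the operator, the public network includes the shared backbone network and the shared provider edge devices. Geographically separated VPN member sites connect through customer-side devices to the corresponding provider edge devices and form the customer's VPN over the operator's public network.
The basic model of a typical VPN today consists of three parts: CE devices, PE devices and P devices.
A CE device is a customer edge device, the edge device on the customer side. A CE device has an interface connected directly to the service provider (SP) network. It can be a router, a switch or a host. Normally a CE device is not aware of the VPN and does not need any VPN capability.
A PE device is a provider edge device, the edge device of the service provider network. A PE device connects directly to CE devices and is responsible for admitting VPN services. One PE device can connect to multiple CE devices, and one CE device can connect to multiple PE devices belonging to the same or different service provider networks.
A P device is a backbone device in the service provider network and is not directly connected to CE devices.
A site is a group of IP systems that have IP connectivity with one another without going through the service provider network. Sites are divided according to the network topology of the devices, not their geographic location, although the devices in a site are usually geographically adjacent. If two geographically separated groups of IP systems are interconnected by a leased line and can reach each other without the service provider network, the two groups form one site. A site connects to the service provider network through CE devices.
After VPNs appeared, the communications field distinguished two branches, L2VPN and L3VPN. L2VPN means Layer 2 VPN and L3VPN means Layer 3 VPN.
L2VPN is closely tied to the second layer of the seven-layer model (the data link layer, L2). In an L2VPN the tunnel encapsulation that forms the VPN is done at the data link layer, and the customer maps its Layer 3 routing onto the data link layer network. In an MPLS L2VPN, once a packet enters the network its Layer 2 header is re-encapsulated, MPLS header information is added, and the packet is switched at Layer 2 through a pre-established tunnel (transport channel), hop by hop, to its destination.
Ethernet Private Line (EPL) and Virtual Leased Line (VLL) are point-to-point virtual leased line technologies widely used by operators to provide L2VPN services to customers.
L3VPN is closely tied to the third layer of the seven-layer model (the network layer, also called the IP layer, L3 for short). L3VPN is a routing-based VPN solution that forwards IP packets in a way similar to conventional routing: after a router receives an IP packet it looks up the packet's destination address in the forwarding table and then uses a pre-established label switched path (LSP) to carry the IP data across the operator backbone.
Cross-domain VPN: the tenant sites (customer sites) that need the VPN service are located in different autonomous systems (AS), so the VPN has to be deployed across multiple AS domains. A VPN established across domains in this way is called a cross-domain VPN service. In the embodiments of the present invention this cross-domain VPN is called a composed VPN. The terms composed VPN and segment VPN are used for ease of distinction and description; different names do not limit the scope of protection of the embodiments.
A segment VPN (SegVPN) is a VPN deployed in one segment. Note that "segment" here means "domain", for example an autonomous system (AS) domain. A segment VPN can therefore be understood as a VPN deployed within one AS domain.
A composed VPN is a VPN deployed across one or more segments (for example AS domains). A composed VPN includes one or more segment VPNs.
A segment VPN describes the atomic service instance that the composed VPN decomposes into in each domain. The atomic service is the smallest service granularity that a domain controller can recognize and manage; that is, a segment VPN consists of one type of service only and is not itself composed of several service types.
To help those skilled in the art understand composed VPNs, segment VPNs and the relationship between them, they are described below with reference to FIG. 2.
The composed VPN shown in FIG. 2 is the VPN of the geographically separated VPN member sites Site1 and Site2. The composed VPN spans AS1 and AS2. Site1 is connected through access point (AP) 1 to PE11 in AS1, and Site2 is connected through AP4 to PE22 in AS2. The inter-domain connection between AS1 and AS2 is as follows: PE12 in AS1 is connected through AP2 to AP3 of PE21. It should be understood that AP1 is a port of PE11, AP2 is a port of PE12, AP3 is a port of PE21, and AP4 is a port of PE22.
The service connection inside AS1 (AP1-AP2) is one segment VPN of the composed VPN, and the service connection inside AS2 (AP3-AP4) is another. In the FIG. 2 scenario the composed VPN therefore includes segment VPN1 and segment VPN2.
In FIG. 2, Site1 and Site2 are the tenant sites of the composed VPN. The access point of Site1 is AP1 and the access point of Site2 is AP4. The access points of the composed VPN are AP1 and AP4. The access points of segment VPN1 are AP1 and AP2. The access points of segment VPN2 are AP3 and AP4.
In FIG. 2, from the tenant's point of view the composed VPN can be an L2VPN or an L3VPN; that is, the service policy of the composed VPN can be L2VPN or L3VPN. Only one of the segment VPNs of the composed VPN has to have the same service policy as the composed VPN; the others may differ. For example, when the composed VPN is an L3VPN, segment VPN1 may be an L3VPN and segment VPN2 an L2VPN, or segment VPN1 and segment VPN2 may both be L3VPNs.
It should be understood that in FIG. 2 PE12 is implemented by the autonomous system boundary router (ASBR) of AS1, and likewise PE21.
The segment VPNs that make up a composed VPN must include one primary-domain VPN, which is the segment VPN whose service policy is the same as that of the composed VPN. In other words, the primary-domain VPN is the segment VPN that delivers the service characteristics of the composed VPN.
In the embodiments of the present invention the service policy of a composed VPN can be L2VPN, L3VPN or termination point (TP). Here TP means a port, which can represent the access port of a cross-domain Broadband Remote Access Server (BRAS) service. It should be understood that a BRAS is a new type of access gateway for broadband network applications. It sits at the edge layer of the backbone network, provides data access to the IP/ATM network for user bandwidth, and supports applications such as broadband Internet access for commercial buildings and residential users and IP VPN services based on Internet Protocol Security (IPSec). A composed VPN whose service policy is TP has a broadband service type, for example a service based on the Dynamic Host Configuration Protocol (DHCP).
When the service policy of the composed VPN is L3VPN, at least one of its segment VPNs has the service policy L3VPN, and the service policy of each remaining segment VPN can be any of L3VPN, L2VPN and TP.
When the service policy of the composed VPN is L2VPN, at least one of its segment VPNs has the service policy L2VPN, and the service policy of each remaining segment VPN can be any of L3VPN, L2VPN and TP.
When the service policy of the composed VPN is TP, at least one of its segment VPNs has the service policy TP, and the service policy of each remaining segment VPN can be any of L3VPN, L2VPN and TP.
Note that in the embodiments of the present invention L3 denotes Layer 3 of the seven-layer network, the network layer, also described as the IP layer; L3, network layer and IP layer therefore mean the same thing in this document. L2 denotes Layer 2 of the seven-layer network, the data link layer, also described as the Ethernet layer; L2, data link layer and Ethernet layer therefore mean the same thing in this document.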
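FIG. 3 is a schematic diagram of the system architecture of an embodiment of the present invention. The whole network consists of three layers: the orchestrator, the controller layer and the forwarding plane, where the forwarding plane can be a router network or an Optical Transport Network (OTN). The orchestrator and the controllers interface through Restful/Netconf, and the controllers and the router layer communicate through Netconf/Cli/Snmp interfaces.
The orchestrator provides a service orchestration interface and a service ordering interface over the Restful protocol. The orchestrator includes an orchestration module, which performs service orchestration from the information that a service planner (the user in FIG. 3) enters through the service orchestration interface, obtains a service type template, and stores the template in the service type library. A key account manager (the user in FIG. 3) selects the name (or identifier) of the service type to be ordered through the service ordering interface. The operator can also enter tenant site information through the service ordering interface. From the tenant sites entered by the user (in this document "user" always means the operator), the orchestrator determines the access points corresponding to those tenant sites, and then, from those access points and the service type entered by the user, determines the composed VPN the user requires, which includes multiple segment VPNs. For example, the tenant sites are Site1 and Site2 as shown in FIG. 3, and the composed VPN determined by the orchestrator spans domain A, domain B and domain C, where the service policy in domain A is EPL, in domain B L3VPN and in domain C VLL. The composed VPN then includes three segment VPNs: EPL, L3VPN and VLL.
The orchestrator delivers the configuration messages of the segment VPNs to the controllers through the Restful/Netconf interface, and the controllers instruct the forwarding plane through the Netconf/Cli/Snmp interface to create the corresponding segment VPNs. For example, the orchestrator delivers the configuration message of segment VPN EPL to controller 1, and controller 1 instructs the network elements in domain A to create segment VPN EPL; the orchestrator delivers the configuration message of segment VPN L3VPN to controller 2, and controller 2 instructs the network elements in domain B to create segment VPN L3VPN; the orchestrator delivers the configuration message of segment VPN VLL to controller 3, and controller 3 instructs the network elements in domain C to create segment VPN VLL. It should be understood that in FIG. 3 controller 1 is the domain controller of domain A, controller 2 is the domain controller of domain B, and controller 3 is the domain controller of domain C.
FIG. 4 is a schematic flowchart of a method 100 for implementing a composed VPN according to an embodiment of the present invention. The method 100 can be performed by the orchestrator shown in FIG. 3 and includes:
S110: obtain the service type and tenant sites entered by the user.
Specifically, obtain the service type and tenant sites of the composed VPN that the user requests, where the composed VPN denotes a VPN service spanning multiple domains.
S120: determine the access point corresponding to each tenant site.
Specifically, the access point corresponding to a tenant site is the access point through which the tenant site attaches to the composed VPN network. In FIG. 1 the access point of Site1 is port 1; in FIG. 2 the access point of Site1 is AP1.
The access points corresponding to the tenant sites can also be called the access points of the composed VPN that the user requests.
S130: determine one or more segment VPNs from the service type and the access points corresponding to the tenant sites.
A segment VPN denotes the service connection inside each of the domains that the composed VPN spans.
S140: obtain the composed VPN from the one or more segment VPNs.
S150: output to the user the access point list and the segment VPN list of the composed VPN. The access point list of the composed VPN includes information describing the access points of the composed VPN, which are the access points corresponding to the tenant sites; the segment VPN list includes information describing the one or more segment VPNs.
Specifically, the basic VPN information of the composed VPN can also be output to the user.
Specifically, the access point list includes: configuration information of the PE device and of the CE device corresponding to each access point of the composed VPN, and routing configuration information of the access point. The segment VPN list includes: access point information and basic information of each segment VPN of the composed VPN. The basic VPN information includes: the VPN identifier, the VPN name and the service policy of the composed VPN service, where the service policy is L2VPN, L3VPN or broadband service.
In the embodiments of the present invention, outputting the access point list, the segment VPN list and the basic VPN information of the composed VPN to the user, based on the service type and tenant sites the user entered for the composed VPN to be implemented, lets the user see how the services in the different domains involved in the composed VPN depend on one another, which helps the user assess the scope of impact of a service change to the composed VPN.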
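Optionally, as shown in FIG. 5, another schematic flowchart of the method for implementing a composed VPN, in the embodiments of the present invention S130, determining one or more segment VPNs from the service type and the access points corresponding to the tenant sites, includes:
S131: based on the service type library obtained by service orchestration, determine the service policy and the primary domain corresponding to the service type. The service policy of the primary domain is the same as the service policy corresponding to the service type, and the service policy is any one of L2VPN, L3VPN and TP. The service type library includes the correspondence between the service type, the service policy and the primary domain.
The domain in which the primary-domain VPN is located is called the primary domain. It is specified per service type during service orchestration, and different service types can have different primary domains. The primary-domain VPN is the single-domain service that carries the service characteristics of the composed VPN. The primary-domain VPN is also called the primary-domain service policy: in the service definition phase (the service orchestration phase), one of the single-domain service policies is designated as the primary-domain service policy, and the domain in which it is located is the primary domain. FIG. 6 depicts a full-mesh L3VPN enterprise leased line service; in the service definition phase, when the service is decomposed into single-domain service policies, domain A has to be designated as the primary domain, with a full-mesh L3VPN as the atomic service form of domain A.
It should be understood that service orchestration means treating a service as a resource and orchestrating the attributes of the resource (the attributes of the service) and the instantiation policies (for example resource selection policies) into a template for delivery.
The service type template obtained by service orchestration includes service policy information, specifically a composed service policy and one or more single-domain service policies. The single-domain service policies always include one whose service policy is the same as the composed service policy; this single-domain service policy is configured as the primary-domain service policy. The domain in which the primary-domain service policy is located is called the primary domain, that is, the primary domain of the service type corresponding to the template.
Each service type template obtained by service orchestration corresponds one-to-one to a unique service type identifier, so each template corresponds to one service type. The service type library that stores the templates thus includes the correspondence between service type identifiers and service type templates. Given a service type, the corresponding service type template can be determined.
Note that the embodiments of the present invention assume that service orchestration has already been completed. For example, in the scenario shown in FIG. 6, whether or not tenant sites and a service type have been received from the user, it is already known that the service policy of domain A is L3VPN and that the service policy of domains B, C and D is VLL, and for a composed VPN whose service policy is L3VPN, domain A has already been designated as its primary domain.
Specifically, as shown in FIG. 6, if the service policy of the composed VPN is L3VPN, then among domains A, B, C and D in FIG. 6, domain A is the primary domain of the composed VPN.
In the embodiments of the present invention, the service access path of a tenant site is always determined with the primary domain as the target, rather than by directly finding a path from tenant node to tenant site.
S132: with the primary domain as the target, determine the service access path of the access point corresponding to each tenant site, where the destination node of the service access path is a border node of the primary domain.
The service access path indicates the inter-domain path from the tenant site to the primary domain.
Specifically, S132, determining, with the primary domain as the target, the service access path of the access point corresponding to a tenant site, includes:
determining the access domain of the access point corresponding to the tenant site, the access domain being the domain in which the access point is located;
determining the inter-domain path from the access domain to the primary domain;
allocating port resources for each domain that the inter-domain path passes through, and determining the service connections between the allocated ports of each domain;
determining the service access path of the access point corresponding to the tenant site from the port resources allocated for each domain and the service connections between the allocated ports of each domain.
Specifically, again taking FIG. 6 as an example, to determine the service access path of access point 1 of tenant site Site1: first determine that the access domain of access point 1 is domain B, then find the inter-domain path from access domain B to primary domain A (B-A), allocate port 3 for domain B, define the service connection VLL1.1 between port 1 and port 3, allocate port 3 for domain A, establish the inter-domain connection policy from port 2 to port 3, and define the service connection L3VPN on the allocated port 3 of domain A. This gives the service access path of access point 1: 1-VLL1.1-2-3. In a similar way the following can be determined: the service access path of access point 4 of tenant site Site2 is 4-VLL1.2-8-7; the service access path of access point 5 of tenant site Site3 is 5-VLL1.3-9-10; the service access path of access point 6 of tenant site Site4 is 6.
Note that in the embodiments of the present invention the service access path of a tenant site's access point can also be called the service access path of the tenant site. Where the service access path of a tenant site is mentioned below, it means the service access path of that tenant site's access point.
S133: determine the one or more segment VPNs from the domains that the service access paths pass through.
Specifically, a segment VPN denotes the service connection inside a domain that the service access path passes through; in other words, each domain that the service access path passes through contains at least one segment VPN.
This can be pictured as decomposing the domains that an access point's service access path passes through into segment VPNs.
Specifically, as shown in FIG. 6, the service access path of access point 1 of tenant site Site1 (1-VLL1.1-2-3) passes through domain B, where its service connection is VLL1.1, so one segment VPN of the composed VPN is segment VPN VLL1.1. The service access path of access point 4 of tenant site Site2 (4-VLL1.2-8-7) passes through domain C, where its service connection is VLL1.2, so another segment VPN of the composed VPN is segment VPN VLL1.2. The service access path of access point 5 of tenant site Site3 (5-VLL1.3-9-10) passes through domain D, where its service connection is VLL1.3, so a further segment VPN of the composed VPN is segment VPN VLL1.3. Access point 6 of tenant site Site4 connects directly to primary domain A, and its service access path does not pass through any other domain. The L3VPN inside primary domain A is also a segment VPN of the composed VPN. This gives the four segment VPNs of the composed VPN: L3VPN, VLL1.1, VLL1.2 and VLL1.3.
As the above shows, the primary-domain VPN of a composed VPN can also be understood as the segment VPN that delivers the service characteristics of the composed VPN.
In the embodiments of the present invention, the primary domain of the composed VPN is determined from the service type the user entered for the composed VPN to be implemented; the service access paths of the access points of the composed VPN are then obtained based on the primary domain; and the segment VPNs of the composed VPN are determined from the domains that the service access paths pass through.
In S150, the access point list, the segment VPN list and the basic VPN information of the composed VPN are output to the user. The access point list of the composed VPN includes information describing the access points of the composed VPN, which are the access points corresponding to the tenant sites; the segment VPN list includes information describing the one or more segment VPNs.
Specifically, the access point list includes: configuration information of the PE device and of the CE device corresponding to each access point of the composed VPN, and routing configuration information of the access point. The segment VPN list includes: access point information and basic information of each segment VPN of the composed VPN. The basic VPN information includes: the VPN identifier, the VPN name and the service policy of the composed VPN service, where the service policy is L2VPN, L3VPN or broadband service.
Again taking FIG. 6 as an example, the access point list of the composed VPN output to the user includes: the CE device and PE device corresponding to port 1 and the routing information of port 1; the CE device and PE device corresponding to port 4 and the routing information of port 4; the CE device and PE device corresponding to port 5 and the routing information of port 5; the CE device and PE device corresponding to port 6 and the routing information of port 6.
The segment VPN list of the composed VPN output to the user includes: the access point list (information about ports 1 and 2) and basic information of segment VPN VLL1.1; the access point list (information about ports 4 and 8) and basic information of segment VPN VLL1.2; the access point list (information about ports 5 and 9) and basic information of segment VPN VLL1.3; the access point list (information about ports 3, 6, 7 and 10) and basic information of segment VPN L3VPN.
The basic VPN information of the composed VPN output to the user includes: the VPN identifier (VPN ID) of the composed VPN, the VPN name of the composed VPN, and the service policy of the composed VPN, L3VPN.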
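Based on the above embodiment, optionally, in one embodiment, S130, determining one or more segment VPNs from the service type and the access points corresponding to the tenant sites, includes:
obtaining a composed VPN model 200, which includes a service type option, an access point list and a segment VPN list, and which is used to determine the segment VPN information in the segment VPN list from the service type entered in the service type option and the access points entered in the access point list.
Specifically, the composed VPN model 200 also includes basic VPN information.
The access points corresponding to the tenant sites are entered in the access point list of the composed VPN model, the service type is entered in the service type option of the composed VPN model, and the one or more segment VPNs are obtained from the segment VPN list of the composed VPN model.
Optionally, in the embodiments of the present invention, the composed VPN model 200 determines the segment VPN information in the segment VPN list from the service type entered in the service type option and the access points entered in the access point list through the following steps:
based on the service type library obtained by service orchestration, determining the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is the same as the service policy corresponding to the service type, the service policy is any one of Layer 2 L2VPN, Layer 3 L3VPN and termination point TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain;
with the primary domain as the target, determining the service access path of the access point corresponding to each tenant site, where the destination node of the service access path is a border node of the primary domain;
determining the one or more segment VPNs from the domains that the service access paths pass through, where a segment VPN denotes the service connection inside a domain that the service access path passes through;
presenting the information of the one or more segment VPNs in the segment VPN list of the composed VPN model.
For details see the description of S133 above, which is not repeated here.
Specifically, as shown in FIG. 7, the composed VPN model 200 includes the business type (Business Type) (not shown in FIG. 7), the basic VPN information (VPN Basic Information), the segment VPN list (Segment VPN List) and the access point list (Access Point List).
The business type (Business Type) associates the composed VPN with a service type template (obtained by service orchestration).
The basic VPN information describes the basic attributes of the composed VPN. For example, it includes the VPN identifier (VPN ID) that uniquely identifies the composed VPN, the VPN name (VPN Name) of the composed VPN, and the service policy of the composed VPN (L3VPN/L2VPN/TP).
The access point list includes information describing the access points of the composed VPN. First, this access point list is that of the composed VPN and differs from the access point list of a segment VPN mentioned later; for example, in the network shown in FIG. 7, the access point list of the composed VPN includes information describing ports 1, 2 and 7. Second, as shown in FIG. 7, the information describing an access point of the composed VPN includes: configuration information of the PE device corresponding to the access point (for example VLAN, IP), configuration information of the CE device corresponding to the access point (for example physical address, IP, CE device name), and routing configuration information of the access point (for example BGP, AS number).
The segment VPN list includes basic VPN information and an access point list. The basic VPN information describes what the segment VPN looks like and how it communicates with devices outside the segment VPN. The access point list within the segment VPN list describes the access points that connect the segment VPN to tenant sites or to other segment VPNs.
The composed VPN model also includes some global information (not shown in FIG. 7), for example a tenant identifier (composed ID) that associates the composed VPN with a specific tenant, or the topology or service type of the composed VPN.
By way of example and not limitation, the working principle of the composed VPN model is described below with reference to FIG. 7.
The orchestrator determines the access points of the composed VPN from the tenant sites entered by the user; these can also be called the top-level border points of the composed VPN, where "top level" means the composed VPN level. The parameters of the access points of the composed VPN, which can also be called the top-level border parameters of the composed VPN, are then entered in the (composed-VPN-level) access point list of the composed VPN model. The orchestrator enters the service type supplied by the user in the business type option of the composed VPN model. From the top-level border parameters entered in the access point list and the service type entered, the composed VPN model computes the service access paths of all access points of the composed VPN and decomposes the composed VPN into segment VPNs according to the domains that the service access paths pass through. The basic information and access point lists of the segment VPNs are then presented in the segment VPN list.
The embodiments of the present invention thus provide a composed VPN model that outputs the segment VPN information and basic VPN information of a composed VPN from the service type and access point information entered for it. Outputting the access point list, segment VPN list and basic VPN information of the composed VPN to the user lets the user see how the services in the different domains involved in the composed VPN depend on one another, which helps the user assess the scope of impact of a service change to the composed VPN.
Optionally, in the embodiments of the present invention, the service policy of the composed VPN is a first service policy, and the service policy of the segment VPN in which a first access point among the access points of the composed VPN is located is a second service policy. The parameters of the first access point include composed-VPN-level parameters and segment-VPN-level parameters; the composed-VPN-level parameters include the parameters corresponding to the first service policy, and the segment-VPN-level parameters include the parameters corresponding to the second service policy.
When the service policy is L3VPN, the parameters corresponding to the service policy include Layer 2 parameters and Layer 3 parameters;
when the service policy is L2VPN, the parameters corresponding to the service policy include Layer 2 parameters only;
when the service policy is TP, the parameters corresponding to the service policy include broadband-service parameters, for example DHCP parameters. The above applies to the service policy of a composed VPN and to the service policy of a segment VPN.
It should be understood that IP layer parameters include parameters such as the routing protocol and IP address, and Ethernet layer parameters include parameters such as the MAC address and VLAN.
Specifically, in the embodiments of the present invention the access points of a composed VPN are expressed in layers. For example, in FIG. 7 the composed VPN is an L3VPN, so access point 1 (port 1) needs Layer 2 parameters (VLAN) and Layer 3 parameters (routing protocol, IP address and so on) at the composed VPN level. But because the service decomposition policy of the composed VPN in domain A is VLL, only Layer 2 parameters can be configured on access point 1 at the segment VPN level (VLL1.1). Its Layer 3 parameters have to follow the service access path of access point 1, 1-VLL1.1-3-5, to the interface whose single-domain service policy is L3VPN, which is port 5; the Layer 3 parameters of access point 1 are then configured on port 5 along that service access path. At the segment VPN level, ports 1 and 3 are Layer 2 ports and port 5 is a Layer 3 port.
In the embodiments of the present invention the parameters of the access points of a composed VPN are expressed in layers, so configuration information at different service levels can be expressed at the same time: the access point list of the composed VPN includes the composed-VPN-level parameters of an access point, and the access point list of the segment VPN in which the access point is located includes its segment-VPN-level parameters. Because the access point list and the segment VPN list of the composed VPN are output to the user (the operator), and the segment VPN list includes the access point lists of the segment VPNs, the operator sees not only the parameters of the composed VPN's access points at the composed VPN level (the level the tenant sees) but also their parameters at the segment VPN level, which helps the operator manage the composed VPN.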
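Based on the above embodiment, in this embodiment the method 100 further includes:
after the access point list, the segment VPN list and the basic VPN information of the composed VPN are output to the user, and when an acknowledgment response is received from the user, sending a configuration message for each segment VPN to the domain controller of the domain in which that segment VPN is located, so that the domain controller instructs the corresponding network element devices to create that segment VPN.
For details see the description above, given with reference to FIG. 3, of the orchestrator instructing the controllers to create segment VPNs, which is not repeated here.
In the embodiments of the present invention, the configuration message of the corresponding segment VPN is delivered to the controller, so that the controller instructs the corresponding network element devices to create that segment VPN; creating the multiple segment VPNs that the composed VPN comprises thereby creates the composed VPN.
In summary, the embodiments of the present invention provide a method for implementing a composed VPN that efficiently implements end-to-end, cross-domain, cross-technology VPN services, and introduce the concept that a composed VPN includes one or more segment VPNs. Publishing the segment VPNs of the composed VPN to the user lets the user see how the services in the different domains involved in the composed VPN depend on one another, which helps the user assess the scope of impact of a service change to the composed VPN. The embodiments also introduce the concept of a composed VPN model, which further helps the operator manage composed VPNs automatically.
In the prior art, when an operator maintains a cross-domain, cross-technology VPN such as the one shown in FIG. 1 and needs to delete the branch office Site1, the operator first has to find the service connection VLL1.1 allocated for Site1 in network A and delete it, and also has to request a parameter change from network B. The administrators of network B then have to check which port in network B serves Site1, namely port 5, and delete port 5. This site deletion process involves many workflow steps and much manual handling, which makes service provisioning and management error-prone.
In the embodiments of the present invention, all CRUD operations on the tenant sites of a composed VPN are performed along the service access path of the tenant site's access point, where CRUD means create, retrieve, update and delete. Compared with the prior art, this improves the operator's efficiency in managing composed VPNs and can reduce management cost.
The flows for CRUD operations on a composed VPN in the embodiments of the present invention are described below with reference to FIGS. 8 to 11.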
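FIG. 8 is a schematic flowchart of a method 300 for creating a composed VPN according to an embodiment of the present invention. The method 300 can be performed by the orchestrator shown in FIG. 3 and includes:
S301: complete service orchestration and obtain the service type model.
It should be understood that service orchestration means treating a service as a resource and orchestrating the attributes of the resource (the service attributes) and the instantiation policies (for example resource selection policies) into a template for delivery.
Specifically, the orchestrator completes service orchestration through the Restful interface. It performs service orchestration from the information that the service planner (the user in FIG. 3) enters through the service orchestration interface, obtains a service type template, and stores the template in the orchestrator's service type library.
The service type template obtained by service orchestration includes service policy information, specifically a composed service policy and one or more single-domain service policies. The single-domain service policies always include one whose service policy is the same as the composed service policy; this single-domain service policy is configured as the primary-domain service policy. The domain in which the primary-domain service policy is located is called the primary domain, that is, the primary domain of the service type corresponding to the template.
Each service type template obtained by service orchestration corresponds one-to-one to a unique service type identifier, so each template corresponds to one service type. The service type library that stores the templates thus includes the correspondence between service type identifiers and service type templates. Given a service type, the corresponding service type template can be determined.
S302: receive the service type and tenant sites entered by the user, determine the access points corresponding to the tenant sites (that is, the access points of the composed VPN), and determine the parameters of the access points from the service type.
Specifically, based on the service type library obtained by service orchestration in S301, determine the service type template corresponding to the service type entered by the user, and determine the service policy of the composed VPN from that template.
Determine the parameters of the composed VPN's access points from the service policy of the composed VPN. For example, when the service policy of the composed VPN is L3VPN, the parameters of the composed VPN's access points (whose rate layer is L3) include IP layer parameters and Ethernet layer parameters. When the service policy of the composed VPN is L2VPN, the parameters of the composed VPN's access points (whose rate layer is L2) include Ethernet layer parameters only.
It should be understood that the user may enter a service type identifier, from which the orchestrator determines the service type the user selected.
S303: determine the service type template corresponding to the service type in S302, and determine the basic path-finding policy in the composed service policy included in that template.
Based on the service type library obtained by service orchestration in S301, determine the service type template corresponding to the service type entered by the user. The template includes a composed service policy and single-domain service policies. Obtain the end-to-end "routing policy" from the composed service policy; it describes the basic cross-domain, end-to-end path-finding algorithm policy, for example a shortest-path algorithm or a minimum-delay algorithm.
S304: determine the primary domain of the composed VPN.
As described above, during service orchestration the service type template of each service type defines the primary domain of that service type.
Specifically, obtain the service type template from the service type in S302; the template includes a composed service policy and single-domain service policies. Among all the single-domain service policies in the template, find the one configured as the primary-domain service policy; the domain corresponding to it is the primary domain of the composed VPN.
S305: compute the service access path of each access point of the composed VPN according to the basic path-finding policy obtained in S303.
Specifically, the service access path of an access point is the inter-domain path from that access point to the primary domain of the composed VPN obtained in S304.
Optionally, in the embodiments of the present invention, the access domain of an access point can be obtained from the domain in which the network element corresponding to the access point is located. Based on the domains defined in the single-domain service policies, domains are abstracted as points and inter-domain connections as lines. The inter-domain path from the access domain to the primary domain, that is, the service access path of the composed VPN's access point, is computed according to the basic path-finding policy.
S306: determine the single-domain service policies in the service type template corresponding to the service type in S302.
S307: according to the single-domain service policies obtained in S306, compute the single-domain border resources of the domains that the service access path determined in S305 passes through. The single-domain border resources include ports, VLANs, IPs, RD/RT addresses and so on.
Specifically, obtain the single-domain resource pool according to the single-domain service policy obtained in S306. From the single-domain resource pool, select the inter-domain interconnection ports (which are also the access ports of the segment VPNs), VLANs, IPs and RD/RT addresses, thereby obtaining the single-domain border resources of the domains that the service access path determined in S305 passes through.
Optionally, the inter-domain RD/RT addresses can also be selected from the single-domain resource pool. When the domain controller of a single domain can allocate the RD/RT of its own domain automatically, the orchestrator need not allocate the inter-domain RD/RT addresses.
S308: generate the segment VPNs from the single-domain border resources determined in S307 for the domains that the service access path passes through and the single-domain service policies determined in S306.
Specifically, determine from the single-domain service policy the service connection in each single domain that the service access path passes through, for example VLL or L3VPN, and so obtain the segment VPN corresponding to the service access path. The default parameters in the corresponding single-domain service policy become part of the basic information of the segment VPN.
It should be understood that the border information of a segment VPN can be delivered to the controller to request the detailed routes inside the corresponding domain, thereby obtaining more specific information about the segment VPN.
S309: determine whether all the single domains that the service access paths computed in S305 for the access points of the composed VPN pass through have been processed. If so, go to S310; if not, go to S307.
S310: form the composed VPN by stitching together the segment VPNs obtained in S308.
Specifically, as shown in FIG. 2, segment VPN1 and segment VPN2 are obtained through S301 to S309 and are then stitched into the composed VPN.
In the embodiments of the present invention, once the composed VPN has been created, its management model can be published to the user.
Specifically, the management model of the composed VPN published to the user is, for example, the composed VPN model shown in FIG. 7.
Specifically, the composed VPN model includes the basic VPN information, the access point list and the segment VPN list.
The basic VPN information includes the network topology, the service type and the administrative state. The network topology is, for example, full mesh (Fullmesh) or Hub-Spoke. The service type is, for example, enterprise private network or enterprise Internet access. The administrative state is either activated or deactivated.
The access point list includes the parameters describing the access points of the composed VPN.
Specifically, the access point list includes the following parameters of each access point of the composed VPN: identifier (ID), working layer (Working Layer), layer parameter list (Type Spec List) and the CE-side port served. The identifier (ID) uniquely identifies the access port. The working layer indicates the layer at which the access port works, for example the Ethernet layer (L2) or the IP layer (L3). The layer parameter list includes the layer parameters of the access port: when the working layer is the Ethernet layer, the list contains Ethernet parameters; when the working layer is the IP layer, the list contains IP parameters.
The layer parameters of the composed VPN's access points are determined from the service policy of the composed VPN; for details see the relevant description above, which is not repeated here.
The segment VPN list is also called the single-domain VPN service list. It includes multiple single-domain VPN services, of which exactly one is the primary-domain VPN service.
Specifically, the segment VPN list includes the following information: port ID, segment VPN type (VPN Type), segment VPN role (VPN Role) and segment VPN information (VPN Info). The port ID is the ID of a port of the segment VPN. The segment VPN type indicates the service connection type of the segment VPN and is either VPN or port (TP): when the service connection type of the segment VPN is L3VPN or L2VPN, the segment VPN type is VPN; when the service connection type is broadband service, the segment VPN type is port (TP). The segment VPN role indicates whether the segment VPN is the primary-domain VPN. The segment VPN information is a VPN structure when the segment VPN type is VPN, and a TP structure when the segment VPN type is port. When the segment VPN information is a VPN structure, that structure includes the access point list (Access Point List) of the segment VPN.
The composed VPN model can also include the identifier (ID) of the composed VPN, which uniquely identifies it, and the business type identifier (Business Type ID) of the composed VPN, which identifies the service type of the composed VPN.
Based on the above embodiment, in this embodiment, after the management model of the composed VPN has been published to the user and the user's acknowledgment response has been received, the configuration information of each segment VPN is delivered to the domain controller of the domain in which that segment VPN is located, so that the domain controller instructs the network elements in the forwarding plane to create the corresponding segment VPN. For details see the description above given with reference to FIG. 7, which is not repeated here.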
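Based on the above embodiment, in this embodiment the method 100 further includes:
obtaining the parameter of the composed VPN that needs to be modified;
when the parameter to be modified is activation or deactivation, determining the target segment VPN in which the access point of the composed VPN is located, and sending the parameter to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to that parameter;
when the parameter to be modified is a layer parameter, finding, on the service access path of the access point corresponding to the tenant site, the port at the same layer as the parameter to be modified, and modifying the port found according to that parameter, where the layer parameter is a Layer 2 parameter or a Layer 3 parameter.
Specifically, FIG. 9 is a schematic flowchart of a method 400 for modifying a composed VPN according to an embodiment of the present invention. The method 400 can be performed by the orchestrator shown in FIG. 3 and includes:
S401: obtain the composed VPN access point parameter that needs to be modified.
S402: determine whether the parameter to be modified takes effect on the access point or on the service access path. If it takes effect on the access point, go to S403; if it takes effect on the service access path, go to S404.
Specifically, if the parameter to be modified is activation or deactivation, it is regarded as taking effect on the access point; if it is a layer parameter, for example an Ethernet layer parameter or an IP layer parameter, it is regarded as taking effect on the service access path.
S403: obtain the target segment VPN in which the access point of the composed VPN is located, and deliver the parameter to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller instructs the forwarding plane network elements to modify the parameter of the corresponding access point of the target segment VPN.
S404: find the service access path from the access point of the composed VPN to the primary-domain VPN.
Specifically, determine the segment VPN in which the access point of the composed VPN is located and, from the access point list of that segment VPN, find the peer access point of the access point within the segment VPN; obtain the directly connected port of the peer access point. The segment VPN in which the directly connected port is located is the next segment VPN on the service access path. Repeat this step until the segment VPN found is the primary-domain VPN. All the ports and segment VPNs passed through in this process form the service access path from the access point to the primary-domain VPN.
S405: take the access points of all segment VPNs on the service access path obtained in S404 as the ports on that access path.
S406: based on the ports on the access path obtained in S405, check the ports starting from the neighbour port of the access point. Determine whether the working rate layer of the port being checked is the same layer as the parameter to be modified. If so, modify the corresponding attribute of that port according to the parameter to be modified; if not, continue with the next port on the service access path, until the last port of the service access path.
Based on the above embodiment, in the embodiments of the present invention a tenant site is removed by finding the service access path of the tenant site to be removed and deleting, segment by segment, along the segment VPNs that the service path passes through.
Based on the above embodiment, in this embodiment the method 100 further includes:
determining the target tenant site to be deleted from the composed VPN;
finding the service access path of the access point corresponding to the target tenant site, and deleting all objects on that service access path.
Specifically, all objects on a service access path means the ports and service connections on the service access path.
Specifically, FIG. 10 is a schematic flowchart of a method 500 for adding and removing tenant sites of a composed VPN according to an embodiment of the present invention. The method 500 can be performed by the orchestrator shown in FIG. 3 and includes:
S501: obtain the tenant site 1 to be added.
Tenant site 1 is a CE-side site of the composed VPN.
S502: determine the access point of the composed VPN corresponding to tenant site 1.
An access point of the composed VPN contains peerCeTp; when peerCeTP equals the CE-side site entered, this port is the access point corresponding to the CE.
S503: obtain the service access path from the access point of tenant site 1 to the primary-domain VPN of the composed VPN.
S504: create all objects on the service access path obtained in S503.
Specifically, create the ports and segment VPNs on the service access path obtained in S503.
S505: obtain the tenant site 2 to be removed.
S506: determine the access point of the composed VPN corresponding to tenant site 2.
S507: find the service access path from the access point of tenant site 2 to the primary-domain VPN of the composed VPN.
For details see the description of S404, which is not repeated here for brevity.
S508: delete all objects on the service access path found in S507.
Specifically, as shown in FIG. 7, to delete Site1, whose service access path is 1-VLL1.1-3-5, ports 1 and 3 and the service connection VLL1.1 between ports 1 and 3 have to be deleted, and port 5 in primary domain B also has to be deleted, but the service connection L3VPN inside primary domain B is not deleted.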
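The decomposition of S131 to S133 and the tenant-site deletion rule of S505 to S508 can be traced in code. The following is an added example, not code from the patent: it rebuilds the Figure 6 walk-through (ports, domains and segment names taken from the description) and derives what a site removal touches. The service type identifier, the data structures, the `<policy>1.<n>` naming scheme and the use of breadth-first shortest path as the basic path-finding policy are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed data modelled on the Figure 6 walk-through: domain A is the
# primary domain (L3VPN); B, C and D are access domains served by VLL.
SERVICE_TYPE_LIBRARY = {
    "enterprise-l3-fullmesh": {          # hypothetical service type identifier
        "policy": "L3VPN",
        "primary_domain": "A",
        "domain_policy": {"A": "L3VPN", "B": "VLL", "C": "VLL", "D": "VLL"},
    }
}
# Inter-domain links as ((domain, port), (domain, port)) pairs.
INTER_DOMAIN_LINKS = [(("B", 2), ("A", 3)), (("C", 8), ("A", 7)), (("D", 9), ("A", 10))]
# Tenant site -> (access domain, access port).
SITE_ACCESS_POINTS = {"Site1": ("B", 1), "Site2": ("C", 4),
                      "Site3": ("D", 5), "Site4": ("A", 6)}


@dataclass
class Segment:
    name: str
    domain: str
    policy: str
    primary: bool = False
    ports: list = field(default_factory=list)


def domain_path(src, dst):
    """Shortest inter-domain path as hops (from_dom, egress, to_dom, ingress)."""
    adj = {}
    for (d1, p1), (d2, p2) in INTER_DOMAIN_LINKS:
        adj.setdefault(d1, []).append((d1, p1, d2, p2))
        adj.setdefault(d2, []).append((d2, p2, d1, p1))
    queue, seen = deque([(src, [])]), {src}
    while queue:
        dom, hops = queue.popleft()
        if dom == dst:
            return hops
        for hop in adj.get(dom, []):
            if hop[2] not in seen:
                seen.add(hop[2])
                queue.append((hop[2], hops + [hop]))
    raise ValueError(f"no inter-domain path from {src} to {dst}")


def build_composed_vpn(service_type, sites):
    """S131-S133: find the primary domain, route each access point to it,
    and split every service access path into per-domain segment VPNs."""
    tpl = SERVICE_TYPE_LIBRARY[service_type]
    primary = tpl["primary_domain"]
    if tpl["domain_policy"][primary] != tpl["policy"]:
        raise ValueError("primary-domain policy must equal the composed policy")
    main = Segment(tpl["policy"], primary, tpl["policy"], primary=True)
    segments, paths, access_points = {main.name: main}, {}, {}
    counter = 0
    for site in sites:
        domain, port = SITE_ACCESS_POINTS[site]
        access_points[site] = port
        path = [port]
        for from_dom, egress, _to_dom, ingress in domain_path(domain, primary):
            counter += 1
            policy = tpl["domain_policy"][from_dom]
            seg = Segment(f"{policy}1.{counter}", from_dom, policy,
                          ports=[port, egress])
            segments[seg.name] = seg
            path += [seg.name, egress, ingress]
            port = ingress                 # continue from the next domain's port
        main.ports.append(port)            # border port of the primary domain
        paths[site] = path
    return {"policy": tpl["policy"], "access_points": access_points,
            "segments": segments, "paths": paths}


def site_deletion_plan(vpn, site):
    """S505-S508: everything on the site's service access path is deleted;
    the primary-domain service connection itself is kept."""
    path = vpn["paths"][site]
    return {"ports": [x for x in path if isinstance(x, int)],
            "segments": [x for x in path if isinstance(x, str)],
            "kept": [s.name for s in vpn["segments"].values() if s.primary]}


if __name__ == "__main__":
    vpn = build_composed_vpn("enterprise-l3-fullmesh", list(SITE_ACCESS_POINTS))
    for site, path in vpn["paths"].items():
        print(site, "-".join(map(str, path)), site_deletion_plan(vpn, site))
```

The deletion plan is the impact scope the description refers to: the ports and segment VPNs that serve only the removed site, with the shared primary-domain L3VPN left in place for the remaining sites.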
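Based on the above embodiment, in this embodiment the method 100 further includes:
determining that the composed VPN needs to be deleted;
deleting all segment VPNs of the composed VPN.
Specifically, FIG. 11 is a schematic flowchart of a method 600 for deleting a composed VPN according to an embodiment of the present invention. The method 600 can be performed by the orchestrator shown in FIG. 3 and includes:
S601: determine a segment VPN of the composed VPN that has not yet been deleted.
S602: determine the network element corresponding to the access point of that segment VPN, determine the domain in which the network element is located, and deliver a command to delete the segment VPN to the domain controller of that domain.
S603: determine whether the segment VPN was deleted successfully. If so, go to S604; if not, go to S605.
S604: determine whether all segment VPNs of the composed VPN have been deleted. If so, go to S606; if not, go to S601.
S605: perform single-domain VPN exception handling; this ends the flow of deleting the composed VPN.
Specifically, set the state of the composed VPN to out-of-sync and enter the manual handling flow, which forces the deletion.
S606: clear the segment VPN list of the composed VPN and delete the composed VPN. This ends the flow of deleting the composed VPN.
As the embodiments described above with reference to FIGS. 8 to 11 show, the embodiments of the present invention implement automated creation, modification and deletion of composed VPNs, which avoids the prior-art problem that maintaining a cross-domain, cross-technology VPN service requires coordination among multiple departments and therefore incurs high management cost.
The embodiments of the present invention are described using a composed VPN whose service policy is L3VPN as the example, but they are not limited to this; the service policy of the composed VPN can also be L2VPN or TP. When the service policy of the composed VPN is L2VPN or TP, the corresponding method of implementing the VPN is similar to that for a composed VPN whose service policy is L3VPN, and those skilled in the art can derive it from the teaching of this document; this content also falls within the scope of protection of the present invention.
In summary, in the embodiments of the present invention one or more segment VPNs are obtained from the service type and tenant sites entered by the user, a composed VPN is obtained from the one or more segment VPNs, and the access point list and segment VPN list of the composed VPN are output to the user. This lets the user see how the services in the different domains involved in the composed VPN depend on one another, which helps the user assess the scope of impact of a service change to the composed VPN.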
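FIG. 12 is a schematic block diagram of an apparatus 700 for implementing a composed virtual private network (VPN) according to an embodiment of the present invention. The apparatus 700 is, for example, the orchestrator shown in FIG. 3. The apparatus 700 includes:
an obtaining module 710, configured to obtain the service type and tenant sites entered by the user;
a processing module 720, configured to determine the access points corresponding to the tenant sites obtained by the obtaining module;
the processing module 720 is further configured to determine one or more segment VPNs from the service type and the access points corresponding to the tenant sites, where a segment VPN denotes the service connection inside each of the domains that the composed VPN spans;
the processing module 720 is further configured to obtain the composed VPN from the one or more segment VPNs;
an output module 730, configured to output to the user the access point list and the segment VPN list of the composed VPN, where the access point list of the composed VPN includes information describing the access points of the composed VPN, the access points of the composed VPN are the access points corresponding to the tenant sites, and the segment VPN list includes information describing the one or more segment VPNs.
In the embodiments of the present invention, one or more segment VPNs are obtained from the service type and tenant sites entered by the user, a composed VPN is obtained from the one or more segment VPNs, and the access point list and segment VPN list of the composed VPN are output to the user. This lets the user see how the services in the different domains involved in the composed VPN depend on one another, which helps the user assess the scope of impact of a service change to the composed VPN.
Optionally, in the embodiments of the present invention, as shown in FIG. 13, the processing module 720 includes a composed VPN model, which includes a service type option, an access point list and a segment VPN list and is used to determine the segment VPN information in the segment VPN list from the service type entered in the service type option and the access points entered in the access point list. The processing module 720 is configured to enter the access points corresponding to the tenant sites in the access point list of the composed VPN model, enter the service type in the service type option of the composed VPN model, and obtain the one or more segment VPNs from the segment VPN list of the composed VPN model.
Optionally, in the embodiments of the present invention, the composed VPN model is configured to:
based on the service type library obtained by service orchestration, determine the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is the same as the service policy corresponding to the service type, the service policy is any one of Layer 2 L2VPN, Layer 3 L3VPN and termination point TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain;
with the primary domain as the target, determine the service access path of the access point corresponding to each tenant site, where the destination node of the service access path is a border node of the primary domain;
determine the one or more segment VPNs from the domains that the service access paths pass through, where a segment VPN denotes the service connection inside a domain that the service access path passes through;
present the information of the one or more segment VPNs in the segment VPN list of the composed VPN model.
Optionally, in the embodiments of the present invention, the processing module 720 is configured to: based on the service type library obtained by service orchestration, determine the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is the same as the service policy corresponding to the service type, the service policy is any one of L2VPN, L3VPN and TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain; with the primary domain as the target, determine the service access path of the access point corresponding to each tenant site, where the destination node of the service access path is a border node of the primary domain; and determine the one or more segment VPNs from the domains that the service access paths pass through, where a segment VPN denotes the service connection inside a domain that the service access path passes through.
Optionally, in the embodiments of the present invention, the processing module 720 is configured to: determine the access domain of the access point corresponding to the tenant site, the access domain being the domain in which the access point is located; determine the inter-domain path from the access domain to the primary domain; allocate port resources for each domain that the inter-domain path passes through, and determine the service connections between the allocated ports of each domain; and determine the service access path of the access point corresponding to the tenant site from the port resources allocated for each domain and the service connections between the allocated ports of each domain.
Optionally, in the embodiments of the present invention, the obtaining module 710 is further configured to obtain the parameter of the composed VPN that needs to be modified;
the processing module 720 is configured to, when the parameter to be modified is activation or deactivation, determine the target segment VPN in which the access point of the composed VPN is located, and send the parameter to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to that parameter;
the processing module 720 is further configured to, when the parameter to be modified is a layer parameter, find, on the service access path of the access point corresponding to the tenant site, the port at the same layer as the parameter to be modified, and modify the port found according to that parameter, where the layer parameter is a Layer 2 parameter or a Layer 3 parameter.
Optionally, in the embodiments of the present invention, the obtaining module 710 is further configured to determine the target tenant site to be deleted from the composed VPN;
the processing module 720 is configured to find the service access path of the access point corresponding to the target tenant site and delete all objects on that service access path.
Optionally, in the embodiments of the present invention, the obtaining module 710 is further configured to determine that the composed VPN needs to be deleted;
the processing module 720 is configured to delete all segment VPNs of the composed VPN.
Optionally, in the embodiments of the present invention, the service policy of the composed VPN is a first service policy, and the service policy of the segment VPN in which a first access point among the access points of the composed VPN is located is a second service policy. The parameters of the first access point include composed-VPN-level parameters and segment-VPN-level parameters; the composed-VPN-level parameters include the parameters corresponding to the first service policy, and the segment-VPN-level parameters include the parameters corresponding to the second service policy.
Specifically, when the service policy is L3VPN, the parameters corresponding to the service policy include Layer 2 parameters and Layer 3 parameters;
when the service policy is L2VPN, the parameters corresponding to the service policy include Layer 2 parameters only;
when the service policy is TP, the parameters corresponding to the service policy include broadband-service parameters.
Optionally, in the embodiments of the present invention, the apparatus 700 further includes:
a receiving module, configured to receive the user's acknowledgment response after the output module outputs the access point list, the segment VPN list and the basic VPN information of the composed VPN to the user;
a sending module, configured to send a configuration message for each segment VPN to the domain controller of the domain in which that segment VPN is located, so that the domain controller instructs the corresponding network element devices to create that segment VPN.
Optionally, in the embodiments of the present invention, the access point list includes: configuration information of the PE device and of the CE device corresponding to each access point of the composed VPN, and routing configuration information of the access point; the segment VPN list includes: access point information and basic information of the segment VPN.
It should be understood that the apparatus 700 according to the embodiments of the present invention can correspond to the orchestrator in the method for implementing a composed VPN of the embodiments, and that the above and other operations and/or functions of the modules of the apparatus 700 implement the corresponding flows of the methods in FIGS. 4 to 11; for brevity they are not described again here.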
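As shown in FIG. 14, the embodiments of the present invention also provide an apparatus 800 for implementing a composed VPN. The apparatus 800 includes a processor 810, a memory 820, a receiver 840 and a transmitter 850, which communicate over internal communication links. The memory 820 stores instructions, and the processor 810 executes the instructions stored in the memory 820 to control the receiver 840 to receive signals and the transmitter 850 to send signals. The processor 810 is configured to: obtain the service type and tenant sites entered by the user;
determine the access points corresponding to the tenant sites; determine one or more segment VPNs from the service type and the access points corresponding to the tenant sites, where a segment VPN denotes the service connection inside each of the domains that the composed VPN spans; obtain the composed VPN from the one or more segment VPNs; and output to the user the access point list and the segment VPN list of the composed VPN, where the access point list of the composed VPN includes information describing the access points of the composed VPN, the access points of the composed VPN are the access points corresponding to the tenant sites, and the segment VPN list includes information describing the one or more segment VPNs.
In the embodiments of the present invention, one or more segment VPNs are obtained from the service type and tenant sites entered by the user, a composed VPN is obtained from the one or more segment VPNs, and the access point list and segment VPN list of the composed VPN are output to the user. This lets the user see how the services in the different domains involved in the composed VPN depend on one another, which helps the user assess the scope of impact of a service change to the composed VPN.
Optionally, in the embodiments of the present invention, the processor 810 is configured to: based on the service type library obtained by service orchestration, determine the service policy and the primary domain corresponding to the service type, where the service policy of the primary domain is the same as the service policy corresponding to the service type, the service policy is any one of L2VPN, L3VPN and TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain; with the primary domain as the target, determine the service access path of the access point corresponding to each tenant site, where the destination node of the service access path is a border node of the primary domain; and determine the one or more segment VPNs from the domains that the service access paths pass through, where a segment VPN denotes the service connection inside a domain that the service access path passes through.
Optionally, in the embodiments of the present invention, the processor 810 is configured to: determine the access domain of the access point corresponding to the tenant site, the access domain being the domain in which the access point is located; determine the inter-domain path from the access domain to the primary domain; allocate port resources for each domain that the inter-domain path passes through, and determine the service connections between the allocated ports of each domain; and determine the service access path of the access point corresponding to the tenant site from the port resources allocated for each domain and the service connections between the allocated ports of each domain.
Optionally, in the embodiments of the present invention, the processor 810 is configured to: obtain the parameter of the composed VPN that needs to be modified; when the parameter to be modified is activation or deactivation, determine the target segment VPN in which the access point of the composed VPN is located, and send the parameter to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to that parameter; when the parameter to be modified is a layer parameter, find, on the service access path of the access point corresponding to the tenant site, the port at the same layer as the parameter to be modified, and modify the port found according to that parameter, where the layer parameter is a Layer 2 parameter or a Layer 3 parameter.
Optionally, in the embodiments of the present invention, the processor 810 is configured to: determine the target tenant site to be deleted from the composed VPN; find the service access path of the access point corresponding to the target tenant site, and delete all objects on that service access path.
Optionally, in the embodiments of the present invention, the processor 810 is configured to: determine that the composed VPN needs to be deleted; delete all segment VPNs of the composed VPN.
Optionally, in the embodiments of the present invention, the service policy of the composed VPN is a first service policy, and the service policy of the segment VPN in which a first access point among the access points of the composed VPN is located is a second service policy. The parameters of the first access point include composed-VPN-level parameters and segment-VPN-level parameters; the composed-VPN-level parameters include the parameters corresponding to the first service policy, and the segment-VPN-level parameters include the parameters corresponding to the second service policy.
Specifically, when the service policy is L3VPN, the parameters corresponding to the service policy include Layer 2 parameters and Layer 3 parameters;
when the service policy is L2VPN, the parameters corresponding to the service policy include Layer 2 parameters only;
when the service policy is TP, the parameters corresponding to the service policy include broadband-service parameters.
Optionally, in the embodiments of the present invention, the receiver 840 is configured to receive the user's acknowledgment response after the access point list, the segment VPN list and the basic VPN information of the composed VPN are output to the user;
the transmitter 850 is configured to send a configuration message for each segment VPN to the domain controller of the domain in which that segment VPN is located, so that the domain controller instructs the corresponding network element devices to create that segment VPN.
Optionally, in the embodiments of the present invention, the access point list includes: configuration information of the PE device and of the CE device corresponding to each access point of the composed VPN, and routing configuration information of the access point; the segment VPN list includes: access point information and basic information of the segment VPN.
It should be understood that in the embodiments of the present invention the processor 810 can be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor can be a microprocessor or any conventional processor.
The memory 820 can include read-only memory and random access memory, and provides instructions and data to the processor 810. Part of the memory 820 can also include non-volatile random access memory. For example, the memory 820 can also store information about the device type.
In implementation, the steps of the above methods can be completed by integrated logic circuits of hardware in the processor 810 or by instructions in the form of software. The steps of the methods disclosed in the embodiments of the present invention can be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software modules can reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or registers. The storage medium is located in the memory 820; the processor 810 reads the information in the memory 820 and completes the steps of the above methods in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be understood that the apparatus 800 for implementing a composed VPN according to the embodiments of the present invention can correspond to the orchestrator in the method for implementing a composed VPN of the embodiments and to the apparatus 700 according to the embodiments, and that the above and other operations and/or functions of the modules of the apparatus 800 implement the corresponding flows of the methods in FIGS. 4 to 11; for brevity they are not described again here.
It should be understood that in the various embodiments of the present invention the sequence numbers of the above processes do not imply an order of execution. The order of execution of the processes should be determined by their functions and internal logic, and does not limit the implementation of the embodiments of the present invention in any way.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled persons can implement the described functions in different ways for each particular application, but such implementations should not be considered to go beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can be found in the corresponding processes of the foregoing method embodiments and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods can be implemented in other ways. For example, the apparatus embodiments described above are only illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed can be indirect couplings or communication connections through interfaces, apparatuses or units, and can be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they can be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention can be integrated into one processing unit, each unit can exist physically on its own, or two or more units can be integrated into one unit.
If the functions are implemented as software functional units and sold or used as a standalone product, they can be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part of it that contributes to the prior art, or a part of the technical solution, can be embodied as a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above are only specific implementations of this application, and the scope of protection of this application is not limited to them. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of this application. The scope of protection of this application shall therefore be that of the claims.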

Claims (24)

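  1. A method for implementing a composed virtual private network (VPN), comprising:
    obtaining a service type and tenant sites entered by a user;
    determining the access points corresponding to the tenant sites;
    determining one or more segment VPNs from the service type and the access points corresponding to the tenant sites;
    obtaining a composed VPN from the one or more segment VPNs;
    outputting to the user an access point list and a segment VPN list of the composed VPN, wherein the access point list of the composed VPN includes information describing the access points of the composed VPN, the access points of the composed VPN are the access points corresponding to the tenant sites, and the segment VPN list includes information describing the one or more segment VPNs.
  2. The method according to claim 1, wherein determining one or more segment VPNs from the service type and the access points corresponding to the tenant sites comprises:
    obtaining a composed VPN model, wherein the composed VPN model includes a service type option, an access point list and a segment VPN list, and is used to determine the segment VPN information in the segment VPN list from the service type entered in the service type option and the access points entered in the access point list;
    entering the access points corresponding to the tenant sites in the access point list of the composed VPN model, entering the service type in the service type option of the composed VPN model, and obtaining the one or more segment VPNs from the segment VPN list of the composed VPN model.
  3. The method according to claim 2, wherein the composed VPN model determines the segment VPN information in the segment VPN list from the service type entered in the service type option and the access points entered in the access point list through the following steps:
    based on a service type library obtained by service orchestration, determining the service policy and the primary domain corresponding to the service type, wherein the service policy of the primary domain is the same as the service policy corresponding to the service type, the service policy is any one of Layer 2 L2VPN, Layer 3 L3VPN and termination point TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain;
    with the primary domain as the target, determining the service access path of the access point corresponding to each tenant site, wherein the destination node of the service access path is a border node of the primary domain;
    determining the one or more segment VPNs from the domains that the service access paths pass through, wherein a segment VPN denotes the service connection inside a domain that the service access path passes through;
    presenting the information of the one or more segment VPNs in the segment VPN list of the composed VPN model.
  4. The method according to claim 1, wherein determining one or more segment VPNs from the service type and the access points corresponding to the tenant sites comprises:
    based on a service type library obtained by service orchestration, determining the service policy and the primary domain corresponding to the service type, wherein the service policy of the primary domain is the same as the service policy corresponding to the service type, the service policy is any one of L2VPN, L3VPN and TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain;
    with the primary domain as the target, determining the service access path of the access point corresponding to each tenant site, wherein the destination node of the service access path is a border node of the primary domain;
    determining the one or more segment VPNs from the domains that the service access paths pass through, wherein a segment VPN denotes the service connection inside a domain that the service access path passes through.
  5. The method according to claim 3 or 4, wherein determining, with the primary domain as the target, the service access path of the access point corresponding to the tenant site comprises:
    determining the access domain of the access point corresponding to the tenant site, the access domain being the domain in which the access point is located;
    determining the inter-domain path from the access domain to the primary domain;
    allocating port resources for each domain that the inter-domain path passes through, and determining the service connections between the allocated ports of each domain;
    determining the service access path of the access point corresponding to the tenant site from the port resources allocated for each domain and the service connections between the allocated ports of each domain.
  6. The method according to any one of claims 3 to 5, further comprising:
    obtaining the parameter of the composed VPN that needs to be modified;
    when the parameter to be modified is activation or deactivation, determining the target segment VPN in which the access point of the composed VPN is located, and sending the parameter to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to the parameter to be modified;
    when the parameter to be modified is a layer parameter, finding, on the service access path of the access point corresponding to the tenant site, the port at the same layer as the parameter to be modified, and modifying the port found according to the parameter to be modified, wherein the layer parameter is a Layer 2 parameter or a Layer 3 parameter.
  7. The method according to any one of claims 3 to 6, further comprising:
    determining the target tenant site to be deleted from the composed VPN;
    finding the service access path of the access point corresponding to the target tenant site, and deleting all objects on the service access path of the access point corresponding to the target tenant site.
  8. The method according to any one of claims 3 to 7, further comprising:
    determining that the composed VPN needs to be deleted;
    deleting all segment VPNs of the composed VPN.
  9. The method according to any one of claims 1 to 8, wherein
    the service policy of the composed VPN is a first service policy, the service policy of the segment VPN in which a first access point among the access points of the composed VPN is located is a second service policy, the parameters of the first access point include composed-VPN-level parameters and segment-VPN-level parameters, the composed-VPN-level parameters include the parameters corresponding to the first service policy, and the segment-VPN-level parameters include the parameters corresponding to the second service policy.
  10. The method according to claim 9, wherein
    when the service policy is L3VPN, the parameters corresponding to the service policy include Layer 2 parameters and Layer 3 parameters;
    when the service policy is L2VPN, the parameters corresponding to the service policy include Layer 2 parameters only;
    when the service policy is TP, the parameters corresponding to the service policy include broadband-service parameters.
  11. The method according to any one of claims 1 to 10, further comprising:
    after the access point list, the segment VPN list and the basic VPN information of the composed VPN are output to the user, and when an acknowledgment response is received from the user, sending a configuration message for each segment VPN to the domain controller of the domain in which that segment VPN is located, so that the domain controller instructs the corresponding network element devices to create that segment VPN.
  12. The method according to any one of claims 1 to 11, wherein the access point list includes the following information: configuration information of the PE device and of the CE device corresponding to each access point of the composed VPN, and routing configuration information of the access point;
    the segment VPN list includes the following information: access point information and basic information of the segment VPN.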
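  13. An apparatus for implementing a composed virtual private network (VPN), comprising:
    an obtaining module, configured to obtain a service type and tenant sites entered by a user;
    a processing module, configured to determine the access points corresponding to the tenant sites obtained by the obtaining module;
    the processing module being further configured to determine one or more segment VPNs from the service type and the access points corresponding to the tenant sites, wherein a segment VPN denotes the service connection inside each of the domains that the composed VPN spans;
    the processing module being further configured to obtain a composed VPN from the one or more segment VPNs;
    an output module, configured to output to the user an access point list and a segment VPN list of the composed VPN, wherein the access point list of the composed VPN includes information describing the access points of the composed VPN, the access points of the composed VPN are the access points corresponding to the tenant sites, and the segment VPN list includes information describing the one or more segment VPNs.
  14. The apparatus according to claim 13, wherein the processing module is configured to: obtain a composed VPN model, wherein the composed VPN model includes a service type option, an access point list and a segment VPN list, and is used to determine the segment VPN information in the segment VPN list from the service type entered in the service type option and the access points entered in the access point list; enter the access points corresponding to the tenant sites in the access point list of the composed VPN model, enter the service type in the service type option of the composed VPN model, and obtain the one or more segment VPNs from the segment VPN list of the composed VPN model.
  15. The apparatus according to claim 14, wherein the composed VPN model determines the segment VPN information in the segment VPN list from the service type entered in the service type option and the access points entered in the access point list through the following steps:
    based on a service type library obtained by service orchestration, determining the service policy and the primary domain corresponding to the service type, wherein the service policy of the primary domain is the same as the service policy corresponding to the service type, the service policy is any one of Layer 2 L2VPN, Layer 3 L3VPN and termination point TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain;
    with the primary domain as the target, determining the service access path of the access point corresponding to each tenant site, wherein the destination node of the service access path is a border node of the primary domain;
    determining the one or more segment VPNs from the domains that the service access paths pass through, wherein a segment VPN denotes the service connection inside a domain that the service access path passes through;
    presenting the information of the one or more segment VPNs in the segment VPN list of the composed VPN model.
  16. The apparatus according to claim 13, wherein the processing module is configured to:
    based on a service type library obtained by service orchestration, determine the service policy and the primary domain corresponding to the service type, wherein the service policy of the primary domain is the same as the service policy corresponding to the service type, the service policy is any one of L2VPN, L3VPN and TP, and the service type library includes the correspondence between the service type, the service policy and the primary domain; with the primary domain as the target, determine the service access path of the access point corresponding to each tenant site, wherein the destination node of the service access path is a border node of the primary domain; and determine the one or more segment VPNs from the domains that the service access paths pass through, wherein a segment VPN denotes the service connection inside a domain that the service access path passes through.
  17. The apparatus according to claim 15 or 16, wherein the processing module is configured to: determine the access domain of the access point corresponding to the tenant site, the access domain being the domain in which the access point is located; determine the inter-domain path from the access domain to the primary domain; allocate port resources for each domain that the inter-domain path passes through, and determine the service connections between the allocated ports of each domain; and determine the service access path of the access point corresponding to the tenant site from the port resources allocated for each domain and the service connections between the allocated ports of each domain.
  18. The apparatus according to any one of claims 15 to 17, wherein the obtaining module is further configured to obtain the parameter of the composed VPN that needs to be modified;
    the processing module is configured to, when the parameter to be modified is activation or deactivation, determine the target segment VPN in which the access point of the composed VPN is located, and send the parameter to be modified to the domain controller of the domain in which the target segment VPN is located, so that the domain controller modifies the corresponding access point of the target segment VPN according to the parameter to be modified;
    the processing module is further configured to, when the parameter to be modified is a layer parameter, find, on the service access path of the access point corresponding to the tenant site, the port at the same layer as the parameter to be modified, and modify the port found according to the parameter to be modified, wherein the layer parameter is a Layer 2 parameter or a Layer 3 parameter.
  19. The apparatus according to any one of claims 15 to 18, wherein the obtaining module is further configured to determine the target tenant site to be deleted from the composed VPN;
    the processing module is configured to find the service access path of the access point corresponding to the target tenant site, and delete all objects on the service access path of the access point corresponding to the target tenant site.
  20. The apparatus according to any one of claims 15 to 19, wherein the obtaining module is further configured to determine that the composed VPN needs to be deleted;
    the processing module is configured to delete all segment VPNs of the composed VPN.
  21. The apparatus according to any one of claims 13 to 20, wherein
    the service policy of the composed VPN is a first service policy, the service policy of the segment VPN in which a first access point among the access points of the composed VPN is located is a second service policy, the parameters of the first access point include composed-VPN-level parameters and segment-VPN-level parameters, the composed-VPN-level parameters include the parameters corresponding to the first service policy, and the segment-VPN-level parameters include the parameters corresponding to the second service policy.
  22. The apparatus according to claim 21, wherein
    when the service policy is L3VPN, the parameters corresponding to the service policy include Layer 2 parameters and Layer 3 parameters;
    when the service policy is L2VPN, the parameters corresponding to the service policy include Layer 2 parameters only;
    when the service policy is TP, the parameters corresponding to the service policy include broadband-service parameters.
  23. The apparatus according to any one of claims 13 to 22, further comprising:
    a receiving module, configured to receive the user's acknowledgment response after the output module outputs the access point list, the segment VPN list and the basic VPN information of the composed VPN to the user;
    a sending module, configured to send a configuration message for each segment VPN to the domain controller of the domain in which that segment VPN is located, so that the domain controller instructs the corresponding network element devices to create that segment VPN.
  24. The apparatus according to any one of claims 13 to 23, wherein the access point list includes the following information: configuration information of the PE device and of the CE device corresponding to each access point of the composed VPN, and routing configuration information of the access point;
    the segment VPN list includes the following information: access point information and basic information of the segment VPN.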
PCT/CN2017/080090 2016-06-29 2017-04-11 Method and apparatus for implementing a composed virtual private network (VPN) WO2018000890A1 (zh)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP20151795.0A EP3734912B1 (en) 2016-06-29 2017-04-11 Method and apparatus for establishing a composed virtual private network
EP17818887.6A EP3402133B1 (en) 2016-06-29 2017-04-11 Method and device for establishing a composed virtual private network
US16/122,197 US10855530B2 (en) 2016-06-29 2018-09-05 Method and apparatus for implementing composed virtual private network VPN
US17/090,403 US11558247B2 (en) 2016-06-29 2020-11-05 Method and apparatus for implementing composed virtual private network VPN

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610493803.4A CN107547333B (zh) 2016-06-29 2016-06-29 Method and apparatus for implementing a composed virtual private network (VPN)
CN201610493803.4 2016-06-29

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/122,197 Continuation US10855530B2 (en) 2016-06-29 2018-09-05 Method and apparatus for implementing composed virtual private network VPN

Publications (1)

Publication Number Publication Date
WO2018000890A1 true WO2018000890A1 (zh) 2018-01-04

Family

ID=60785072

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/080090 WO2018000890A1 (zh) 2016-06-29 2017-04-11 用于实现组合虚拟专用网vpn的方法与装置

Country Status (4)

Country Link
US (2) US10855530B2 (zh)
EP (2) EP3734912B1 (zh)
CN (3) CN111130980B (zh)
WO (1) WO2018000890A1 (zh)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019220002A1 (en) * 2018-05-18 2019-11-21 Nokia Technologies Oy Authentication in public land mobile networks comprising tenant slices
CN113645078A (zh) * 2021-08-16 2021-11-12 烽火通信科技股份有限公司 一种网管业务自动延展的方法及系统
CN114004600A (zh) * 2021-11-09 2022-02-01 中国联合网络通信集团有限公司 业务变更方法、装置、电子设备及存储介质
WO2024152688A1 (zh) * 2023-01-20 2024-07-25 华为技术有限公司 一种时延圈图形的生成方法和控制器

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6805194B2 (ja) * 2018-02-15 2020-12-23 日本電信電話株式会社 経路情報転送装置、経路情報転送方法および経路情報転送プログラム
CN109379268B (zh) * 2018-11-27 2021-05-07 新华三技术有限公司合肥分公司 虚拟专用网络的创建方法、装置和服务器
CN112187640B (zh) * 2020-09-08 2022-02-18 烽火通信科技股份有限公司 一种基于l3vpn业务点到点路由的查询方法和装置
CN112468325B (zh) * 2020-11-11 2023-07-11 广州鲁邦通物联网科技股份有限公司 一种可复用的vpn架构和vpn调度方法
CN114301736B (zh) * 2021-12-29 2023-08-29 凯通科技股份有限公司 一种混合组网下非对称标签的业务配置方法及相关设备
CN116545909B (zh) * 2023-07-03 2023-09-26 成都数维通信技术有限公司 一种报文转发方法、流量牵引方法、介质、设备及系统

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101667969A (zh) * 2009-09-24 2010-03-10 中兴通讯股份有限公司 L2vpn网络接入ip/l3vpn网络的方法和装置
CN103634217A (zh) * 2013-11-13 2014-03-12 华为技术有限公司 路由信息发布的方法、传输报文的方法及装置
US20140294004A1 (en) * 2010-05-19 2014-10-02 Alcatel Lucent Method and apparatus for mpls label allocation for a bgp mac-vpn
US8953590B1 (en) * 2011-03-23 2015-02-10 Juniper Networks, Inc. Layer two virtual private network having control plane address learning supporting multi-homed customer networks
CN105656673A (zh) * 2016-01-08 2016-06-08 烽火通信科技股份有限公司 Potn设备的分组业务模型的配置方法及系统

Family Cites Families (67)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5768271A (en) * 1996-04-12 1998-06-16 Alcatel Data Networks Inc. Virtual private network
US6452915B1 (en) * 1998-07-10 2002-09-17 Malibu Networks, Inc. IP-flow classification in a wireless point to multi-point (PTMP) transmission system
US6693878B1 (en) * 1999-10-15 2004-02-17 Cisco Technology, Inc. Technique and apparatus for using node ID as virtual private network (VPN) identifiers
US6985945B2 (en) * 2000-12-07 2006-01-10 Ipass, Inc. Service quality monitoring process
US7240112B2 (en) * 2000-05-26 2007-07-03 Ipass Inc. Service quality monitoring process
EP1327322A2 (en) * 2000-10-18 2003-07-16 Alcatel Network management
US7301946B2 (en) * 2000-11-22 2007-11-27 Cisco Technology, Inc. System and method for grouping multiple VLANs into a single 802.11 IP multicast domain
EP1331766A1 (en) * 2001-12-20 2003-07-30 Alcatel A telecommunications system employing virtual service network architecture
US8976798B2 (en) * 2002-01-28 2015-03-10 Hughes Network Systems, Llc Method and system for communicating over a segmented virtual private network (VPN)
EP1339198B1 (en) * 2002-02-22 2004-09-08 Alcatel Enhanced transport of ethernet traffic over a transport SDH/SONET network
US7072657B2 (en) * 2002-04-11 2006-07-04 Ntt Docomo, Inc. Method and associated apparatus for pre-authentication, preestablished virtual private network in heterogeneous access networks
US7633909B1 (en) * 2002-12-20 2009-12-15 Sprint Spectrum L.P. Method and system for providing multiple connections from a common wireless access point
US7298702B1 (en) * 2002-12-20 2007-11-20 Sprint Spectrum L.P. Method and system for providing remote telephone service via a wireless local area network
US7849217B2 (en) * 2003-04-30 2010-12-07 Cisco Technology, Inc. Mobile ethernet
FI20030967A (fi) * 2003-06-27 2004-12-28 Nokia Corp Selection of connection settings
US20050177515A1 (en) * 2004-02-06 2005-08-11 Tatara Systems, Inc. Wi-Fi service delivery platform for retail service providers
US10375023B2 (en) * 2004-02-20 2019-08-06 Nokia Technologies Oy System, method and computer program product for accessing at least one virtual private network
KR20050090902A (ko) * 2004-03-10 2005-09-14 삼성전자주식회사 Method and apparatus for VPN service according to packet data protocol in a wireless communication system
US7881215B1 (en) * 2004-03-18 2011-02-01 Avaya Inc. Stateful and stateless data processing
CA2467939A1 (en) * 2004-05-20 2005-11-20 Fernando Cuervo Architecture for configuration and management of cross-domain network services
JP4796754B2 (ja) * 2004-06-15 2011-10-19 日本電気株式会社 Network connection system and network connection method
AU2004321282B2 (en) * 2004-06-30 2009-08-13 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for multi-domain virtual private network configuration
JP4731876B2 (ja) * 2004-07-08 2011-07-27 パナソニック株式会社 Communication system, wireless LAN base station control device, and wireless LAN base station device
JP4558454B2 (ja) * 2004-11-12 2010-10-06 パナソニック株式会社 Communication system
US7451479B2 (en) * 2005-02-28 2008-11-11 Zyxel Communications Corporation Network apparatus with secure IPSec mechanism and method for operating the same
WO2006099296A2 (en) * 2005-03-10 2006-09-21 Nexthop Technologies, Inc. Flexible, scalable, wireless data forwarding and mobility for secure wireless networks
US7688829B2 (en) * 2005-09-14 2010-03-30 Cisco Technology, Inc. System and methods for network segmentation
US7818283B1 (en) * 2005-12-22 2010-10-19 At&T Corp. Service assurance automation access diagnostics
JP4754964B2 (ja) * 2005-12-28 2011-08-24 富士通株式会社 Radio network control device and radio network control system
US20070271606A1 (en) * 2006-05-17 2007-11-22 Amann Keith R Apparatus and method for establishing a VPN tunnel between a wireless device and a LAN
US9137043B2 (en) * 2006-06-27 2015-09-15 International Business Machines Corporation System, method and program for determining a network path by which to send a message
US8451806B2 (en) * 2006-08-21 2013-05-28 Citrix Systems, Inc. Systems and methods for pinging a user's intranet IP address
US8631115B2 (en) * 2006-10-16 2014-01-14 Cisco Technology, Inc. Connectivity outage detection: network/IP SLA probes reporting business impact information
US9876749B2 (en) * 2006-12-18 2018-01-23 Cisco Technology, Inc. Dynamic location-specific distribution lists
US8079074B2 (en) * 2007-04-17 2011-12-13 Microsoft Corporation Dynamic security shielding through a network resource
US8483174B2 (en) * 2007-04-20 2013-07-09 Qualcomm Incorporated Method and apparatus for providing gateway relocation
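JP4717898B2 (ja) * 2008-01-24 2011-07-06 株式会社エヌ・ティ・ティ・ドコモ Radio base station apparatus and method for incorporating a radio base station apparatus into a network
CN101247267B (zh) * 2008-03-19 2010-09-29 中兴通讯股份有限公司 Method and apparatus for automatic discovery of layer-3 virtual private network topology in a network management system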
US8687567B2 (en) * 2008-12-29 2014-04-01 Verizon Patent And Licensing Inc. Utilization of multiple access points to support multiple applications and services
US20130121321A1 (en) * 2009-01-26 2013-05-16 Floyd Backes Vlan tagging in wlans
US8477775B2 (en) * 2009-05-14 2013-07-02 Avaya Inc. Unifying local and mobility network identifiers
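CN101562807B (zh) * 2009-05-27 2011-04-20 华为技术有限公司 Method, apparatus and system for mobile virtual private network communication
CN101924738A (zh) * 2009-06-11 2010-12-22 华为技术有限公司 Method, system and apparatus for implementing multipoint-to-multipoint services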
US8464336B2 (en) * 2010-06-30 2013-06-11 Juniper Networks, Inc. VPN network client for mobile device having fast reconnect
US8352620B2 (en) * 2010-07-27 2013-01-08 Hewlett-Packard Development Company, L.P. Displaying a network topology map with a reduced number of objects
US9401975B2 (en) * 2010-11-10 2016-07-26 Panasonic Intellectual Property Corporation Of America Terminal and codec mode selection method
US8443435B1 (en) * 2010-12-02 2013-05-14 Juniper Networks, Inc. VPN resource connectivity in large-scale enterprise networks
CN102025800B (zh) * 2010-12-30 2013-04-24 华为技术有限公司 IP address allocation method and apparatus
US9276816B1 (en) * 2011-01-17 2016-03-01 Cisco Technology, Inc. Resource management tools to create network containers and virtual machine associations
US9615126B2 (en) * 2011-06-24 2017-04-04 Google Technology Holdings LLC Intelligent buffering of media streams delivered over internet
EP2568672A1 (en) * 2011-08-24 2013-03-13 Alcatel Lucent Method for managing network resources within a plurality of datacenters
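CN102377630A (zh) * 2011-10-13 2012-03-14 华为技术有限公司 Method and system for implementing a virtual private network based on traffic engineering tunnels
CN102571433B (zh) * 2012-01-11 2014-07-30 华为技术有限公司 Method and apparatus for presenting a network path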
US8893262B2 (en) * 2012-08-30 2014-11-18 Tropos Networks, Inc. Establishing an IPsec (internet protocol security) VPN (virtual private network) tunnel
US9491001B2 (en) * 2012-11-07 2016-11-08 Cisco Technology, Inc. Work group bridge nomadic roaming
CN103947172B (zh) * 2012-11-19 2018-02-02 华为技术有限公司 Method, apparatus and system for providing a network traversal service
US9788188B2 (en) * 2012-12-14 2017-10-10 Ibasis, Inc. Method and system for hub breakout roaming
EP2750349A1 (en) * 2012-12-31 2014-07-02 British Telecommunications public limited company Method and device for secure network access
US9225602B2 (en) * 2013-07-30 2015-12-29 Aruba Networks, Inc. Dynamic grouping and configuration of access points
US20150113123A1 (en) * 2013-10-22 2015-04-23 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for performing network discovery
WO2015103338A1 (en) * 2013-12-31 2015-07-09 Lookout, Inc. Cloud-based network security
US9985799B2 (en) * 2014-09-05 2018-05-29 Alcatel-Lucent Usa Inc. Collaborative software-defined networking (SDN) based virtual private network (VPN)
EP3207670B1 (en) * 2014-10-31 2020-12-09 Huawei Technologies Co., Ltd. Method and apparatus for remote access
US10498764B2 (en) * 2015-12-08 2019-12-03 Jpu.Io Ltd Network routing and security within a mobile radio network
US10659325B2 (en) * 2016-06-15 2020-05-19 Thousandeyes, Inc. Monitoring enterprise networks with endpoint agents
US10938926B2 (en) * 2016-12-30 2021-03-02 Fortinet, Inc. User and IoT (internet of things) apparatus tracking in a log management system
US10516550B2 (en) * 2017-02-27 2019-12-24 Futurewei Technologies, Inc. Traffic engineering service mapping

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101667969A (zh) * 2009-09-24 2010-03-10 中兴通讯股份有限公司 Method and apparatus for connecting an L2VPN network to an IP/L3VPN network
US20140294004A1 (en) * 2010-05-19 2014-10-02 Alcatel Lucent Method and apparatus for mpls label allocation for a bgp mac-vpn
US8953590B1 (en) * 2011-03-23 2015-02-10 Juniper Networks, Inc. Layer two virtual private network having control plane address learning supporting multi-homed customer networks
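CN103634217A (zh) * 2013-11-13 2014-03-12 华为技术有限公司 Method for advertising routing information, and method and apparatus for transmitting packets
CN105656673A (zh) * 2016-01-08 2016-06-08 烽火通信科技股份有限公司 Method and system for configuring a packet service model of POTN equipment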

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HAO, WEIGUO ET AL.: "Inter-AS Option B Between NV03 and MPLS EVPN Network", IETF, 31 January 2015 (2015-01-31), pages 1 - 14, XP055532545 *
See also references of EP3402133A4 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019220002A1 (en) * 2018-05-18 2019-11-21 Nokia Technologies Oy Authentication in public land mobile networks comprising tenant slices
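CN113645078A (zh) * 2021-08-16 2021-11-12 烽火通信科技股份有限公司 Method and system for automatic extension of network management services
CN113645078B (zh) * 2021-08-16 2023-10-27 烽火通信科技股份有限公司 Method and system for automatic extension of network management services
CN114004600A (zh) * 2021-11-09 2022-02-01 中国联合网络通信集团有限公司 Service change method, apparatus, electronic device and storage medium
WO2024152688A1 (zh) * 2023-01-20 2024-07-25 华为技术有限公司 Method and controller for generating a delay circle graph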

Also Published As

Publication number Publication date
EP3734912B1 (en) 2023-04-05
EP3734912A1 (en) 2020-11-04
CN111224857B (zh) 2024-09-17
CN111130980B (zh) 2021-06-29
EP3402133B1 (en) 2020-12-16
CN111130980A (zh) 2020-05-08
CN111224857A (zh) 2020-06-02
US20190020539A1 (en) 2019-01-17
EP3402133A1 (en) 2018-11-14
CN107547333B (zh) 2020-02-21
CN107547333A (zh) 2018-01-05
US11558247B2 (en) 2023-01-17
US20210058291A1 (en) 2021-02-25
EP3402133A4 (en) 2019-01-16
US10855530B2 (en) 2020-12-01

Similar Documents

Publication Publication Date Title
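WO2018000890A1 (zh) Method and apparatus for implementing a combined virtual private network (VPN)
JP7538858B2 (ja) Integration of policy planes across multiple domains
JP6491241B2 (ja) Cloud-based services exchange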
EP3338414B1 (en) Dynamic vpn policy model with encryption and traffic engineering resolution
JP6495949B2 (ja) Programmable network platform for a cloud-based services exchange
US9886267B2 (en) Interconnection platform for real-time configuration and management of a cloud-based services exchange
US8892708B2 (en) Placement of service delivery locations of a distributed computing service based on logical topology
WO2015101169A1 (zh) Method for deploying services in SDN, and SDN controller
US9344350B2 (en) Virtual service topologies in virtual private networks
US10523631B1 (en) Communities of interest in a cloud exchange
US20130297752A1 (en) Provisioning network segments based on tenant identity
US11218424B1 (en) Remote port for network connectivity for non-colocated customers of a cloud exchange
US11296997B2 (en) SDN-based VPN traffic scheduling method and SDN-based VPN traffic scheduling system
CN116319296A (zh) Method and apparatus for converged deployment of data centers across SD-WAN
WO2013159694A1 (zh) Label allocation method, device and system
US11677660B2 (en) Fallback service through a cloud exchange for network service provider connections
US11588731B1 (en) Cloud-to-cloud interface
CN108768861B (zh) Method and apparatus for sending service packets

Legal Events

Date Code Title Description
WWE WIPO information: entry into national phase

Ref document number: 2017818887

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2017818887

Country of ref document: EP

Effective date: 20180809

NENP Non-entry into the national phase

Ref country code: DE