
CN100518138C - Method for realizing virtual special network - Google Patents


Info

Publication number: CN100518138C
Authority: CN (China)
Prior art keywords: vpn, parameter, website, message, private network
Legal status: Active
Application number: CNB2005100642589A
Other languages: Chinese (zh)
Other versions: CN1848799A (en)
Inventors: 金涛, 李建军
Current assignee: Chengdu Huawei Technology Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events:
Application filed by Huawei Technologies Co Ltd
Priority to CNB2005100642589A (CN100518138C)
Priority to PCT/CN2006/000572 (WO2006108344A1)
Publication of CN1848799A
Application granted
Publication of CN100518138C
Legal status: Active (current)
Anticipated expiration

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks
    • H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for realizing a virtual private network comprises: configuring VPN operation parameters and establishing a correspondence between these parameters and VPN sites; when the VPN device receives private-network data, determining the VPN it belongs to according to that correspondence, recording the VPN parameters, and forwarding the data according to the parameters of the VPN it belongs to; and when the VPN device receives a VPN message from the public network, determining the VPN and user parameters it belongs to according to that correspondence and sending the private-network data to the VPN site it belongs to.

Description

Method for realizing a virtual private network
Technical field
The present invention relates to the field of network communication technology, and in particular to a method for realizing a virtual private network.
Background technology
A VPN (Virtual Private Network) establishes private data transmission channels over a public IP (Internet Protocol) network and is a networking mode that connects remote branch offices, mobile office staff and the like. It combines many characteristics of public and private networks, joining the reliable performance and rich functions of the public network with the flexibility and efficiency of a private network; it reduces customers' investment and telecommunication costs and is now being adopted rapidly. Public networks used to build VPNs include the Internet, frame relay, ATM (Asynchronous Transfer Mode) and so on.
Each node making up a VPN is called a VPN site. When a VPN carries data and services, each VPN site needs to collect the reachability information of its own interior and discover the VPN members (the other VPN sites). After the VPN sites have discovered and contacted one another, each VPN site needs to distribute its internal reachability information to the other sites of the same VPN, so that the sites of the VPN can communicate with one another and the forwarding of all kinds of data and services can be provided to users.
In the prior art, to obtain VPN reachability information the VPN sites must first be divided, that is, the internal network scope of each VPN site must be configured; in other words, the internal network and users of each VPN site are assigned to the corresponding VPN. Usually, according to user requirements and the network plan, the host users of a VPN site are distinguished on the VPN device (normally located between the user's local network and the IP access network) by specifying a certain tag, so that the devices or hosts inside that VPN site are connected to the corresponding VPN device. For example, in an L2TP (Layer 2 Tunneling Protocol) VPN, if the users of port 2 VLAN 20 are assigned to L2TP group 3, then all subscriber hosts accessing from port 2 VLAN 20 form one VPN site, and that site is associated with L2TP group 3; L2TP group 3 corresponds to the various L2TP configurations, including the LNS (L2TP Network Server) address, tunnel key, number of sessions, encapsulation format, QoS (quality of service) mechanism, load-balancing mechanism and so on, so that the control plane and forwarding plane can identify and process the subscriber host information, the VPN site and the VPN.
According to networking mode, VPNs can be divided into four types: VLL (Virtual Leased Line), VPDN (Virtual Private Dialup Network), VPRN (Virtual Private Routed Network) and VPLS (Virtual Private LAN Segment).
A general VPN architecture is shown in Fig. 1, in which:
The management plane, through configuration means such as a CLI (command line interface), the WEB (World Wide Web) or a network management system, and according to device, interface and network information, divides VPN sites on the VPN device using physical devices, logical devices, physical ports, logical ports, or network segments and subnets (the VPN-over-VPN case) and so on as the identifiers of a VPN site's internal network, and forms the corresponding information tables.
The control plane establishes private-network routes, session information and the like through the corresponding protocols (such as private-network protocols, layer-2 session-related protocols, label protocols and so on), then judges from device, interface and network information whether traffic belongs to a VPN and which VPN information corresponds to it; the VPN module establishes the corresponding tunnel according to the VPN information (the tunnel may also be established manually by the management plane), while public-network protocols, including but not limited to routing protocols and label protocols, provide the corresponding routing, label, forwarding and encapsulation information.
The forwarding plane (also called the data plane) uses the standard VPN forwarding process: it receives a user data packet, judges from device, interface and network information that it is a private-network data packet, looks up the private-network session table and encapsulates, looks up the corresponding VPN information and encapsulates, looks up the corresponding public-network routing, forwarding and encapsulation information and encapsulates, finally forming a packet containing the private-network data that can be transmitted over the public network; the packet is then forwarded over the public network to the designated VPN tunnel peer, which performs the corresponding lookups and decapsulation according to the protocol.
At present, with the rapid development of networks and the large-scale deployment of services, QoS (quality of service) guarantees receive more and more attention, and users and services with different QoS need to be assigned to different VPNs. In the prior art, however, VPNs can only be divided using physical or logical network information as the identifier, so the use of VPNs is restricted by the network: the network has to be adjusted or re-planned to meet the VPN requirements, that is, user and service parameters have to be made consistent with network parameters, and users and services are divided only indirectly, through the division by network parameters.
Summary of the invention
The object of the present invention is to provide a method for realizing a virtual private network that overcomes the shortcoming of the prior art, in which a VPN can only be divided using physical or logical network information as the identifier and its use is therefore restricted by the network, so that VPN services can be carried out without affecting the network plan and can satisfy the demands of various different applications.
To this end, the present invention provides the following technical solution:
A method for realizing a virtual private network, comprising the steps of:
A. configuring virtual private network operation parameter information;
B. establishing a correspondence between the operation parameters and VPN sites in at least one of the following ways:
establishing a correspondence between user accounts, domains and user groups and the VPN sites;
establishing a correspondence between packet parameters and the VPN sites;
establishing a correspondence between service parameters and the VPN sites;
C. after the VPN device receives private-network data from a VPN site, determining the VPN the data belongs to according to the correspondence between the operation parameters and VPN sites, recording the corresponding VPN parameters, and forwarding the data according to the VPN parameters of the VPN it belongs to;
D. when the VPN device receives a VPN message from the public network, determining the VPN, user account, domain and user group it belongs to according to the correspondence between the operation parameters and VPN sites, and transmitting the private-network data to the VPN site it belongs to.
Optionally, step A specifically comprises: statically configuring the VPN operation parameters through a command line interface, the WEB or a network management system.
Optionally, step A specifically comprises: dynamically configuring the VPN operation parameters through authentication, authorization and accounting, or through policy.
Preferably, the packet parameters comprise the parameters contained in physical-layer packets, layer-2 data-link-layer packets, layer-3 network-layer packets, layer-4 transport-layer packets and higher-layer application-layer packets.
Preferably, the service parameters comprise data, video, voice, the service in a specified session, and session information.
In step C, forwarding the private-network data according to the VPN parameters of the VPN it belongs to comprises:
associating the recorded VPN parameters with the VPN site corresponding to the private-network data;
establishing the corresponding tunnel according to the VPN parameters, while the public-network protocol provides the corresponding routing, label, forwarding and encapsulation information;
encapsulating the private-network data according to the corresponding VPN parameters and the routing, label, forwarding and encapsulation information provided by the public-network protocol;
transmitting the encapsulated private-network data over the public network.
In step D, sending the private-network data to the VPN site the VPN message belongs to comprises:
obtaining the VPN operation information and the information of the VPN site it belongs to according to the VPN message information received from the public network;
stripping all VPN encapsulation from the VPN message and decapsulating it into VPN private-network data;
encapsulating the decapsulated private-network data according to the VPN site information;
sending the encapsulated private-network data to the VPN site the VPN message belongs to.
A method for realizing a virtual private network, comprising the steps of:
A. configuring virtual private network operation parameter information;
B. establishing a correspondence between the operation parameters and VPN sites in the following manner:
at least one of establishing a correspondence between user accounts, domains and user groups and the VPN sites, establishing a correspondence between packet parameters and the VPN sites, and establishing a correspondence between service parameters and the VPN sites, together with establishing a correspondence between network parameters and the VPN sites;
C. after the VPN device receives private-network data from a VPN site, determining the VPN the data belongs to according to the correspondence between the operation parameters and VPN sites, recording the corresponding VPN parameters, and forwarding the data according to the VPN parameters of the VPN it belongs to;
D. when the VPN device receives a VPN message from the public network, determining the VPN, user account, domain and user group it belongs to according to the correspondence between the operation parameters and VPN sites, and transmitting the private-network data to the VPN site it belongs to.
It can be seen from the technical solution provided above that, on the basis of the existing network-based division of VPNs, the present invention realizes VPNs by division based on users, packets, services and the like, or combines the traditional network-based mode with multiple different modes based on packets, users, services and the like to realize multiple VPNs. Various VPNs can thus be realized flexibly according to actual needs, VPNs can carry all kinds of VPN services without affecting the network plan, and the demands of different services and applications are better satisfied.
Description of drawings
Fig. 1 is a diagram of the general VPN architecture;
Fig. 2 is a flow chart of the method of the present invention;
Fig. 3 is a schematic diagram of user-based VPN networking in the present invention;
Fig. 4 is a flow chart of the user-based VPN shown in Fig. 3;
Fig. 5 is a schematic diagram of packet-based VPN networking in the present invention;
Fig. 6 is a flow chart of the packet-based VPN shown in Fig. 5;
Fig. 7 is a schematic diagram of service-based VPN networking in the present invention;
Fig. 8 is a flow chart of the service-based VPN shown in Fig. 7;
Fig. 9 is a flow chart of a VPN built in multiple ways in the present invention.
Embodiments
The core of the present invention is to establish a correspondence between operation parameters such as users and/or packets and/or services and VPN sites. After the VPN device receives private-network data from a VPN site, it determines the VPN the data belongs to according to the correspondence between the operation parameters and VPN sites, and forwards the data according to the VPN parameters of that VPN; when the VPN device receives a VPN message from the private network, it determines the VPN and user parameters it belongs to according to that correspondence, and sends the private-network data to the VPN it belongs to. In this way various VPNs can be realized flexibly according to actual needs: user-based VPNs, packet-based VPNs, service-based VPNs, or VPNs for different applications based on various kinds of information and on various combinations with existing devices, interfaces, networks and so on, thereby better satisfying all kinds of application demands.
In order that those skilled in the art may better understand the solution of the present invention, the present invention is described in further detail below with reference to the drawings and embodiments.
Referring to the flow chart of the method of the present invention shown in Fig. 2:
First, in step 201: configure the VPN operation parameter information. The VPN operation parameters include user parameters, packet parameters, service parameters, network parameters and so on. According to actual needs, one kind may be configured alone or several kinds at the same time. There are several configuration methods, for example:
static configuration through a CLI (command line interface), the WEB, a network management system, configuration files and so on, or dynamic configuration of these parameters through AAA (authentication, authorization, accounting), policy and so on.
Step 202: establish the correspondence between the operation parameters and VPN sites, comprising the correspondence between user parameters and VPN sites; and/or the correspondence between packet parameters and VPN sites; and/or the correspondence between service parameters and VPN sites; and/or the correspondence between network parameters and VPN sites.
The user parameters may be the user, domain, ISP/ICP/ASP (Internet service provider, Internet content provider, application service provider), user group and so on. The packet parameters may be any of the parameters contained in physical-layer, layer-2, layer-3 and layer-4 packets. The service parameters may be data, video, voice, the service in a specified session, and session information.
Step 203: after the VPN device receives private-network data from a VPN site, it determines the VPN the data belongs to according to the correspondence between the operation parameters and VPN sites, records the corresponding VPN parameters, and forwards the data according to the VPN parameters of that VPN. The specific forwarding process is as follows:
Associate the recorded VPN parameters with the VPN site corresponding to the private-network data, that is, establish a correspondence between each item of the VPN configuration parameters and each item of the VPN site corresponding to the private-network data, so that the item of the VPN site corresponding to the private-network data can be retrieved from each item of the VPN configuration parameters, and the corresponding item of the VPN configuration parameters can be retrieved from each item of the VPN site of the private-network data; in this way the correspondence between the VPN parameters and the VPN site corresponding to the private-network data is determined.
Establish the corresponding tunnel according to the VPN parameters, while the public-network protocol provides the corresponding routing, label, forwarding and encapsulation information;
Encapsulate the private-network data according to the corresponding VPN parameters and the routing, label, forwarding and encapsulation information provided by the public-network protocol;
Transmit the encapsulated private-network data over the public network.
Step 204: when the VPN device receives a VPN message from the public network, it determines the VPN and user parameters it belongs to according to the correspondence between the operation parameters and VPN sites, and transmits the private-network data to the VPN site it belongs to. The specific transmission process is as follows:
According to the VPN message information received from the public network, find the parameters such as the VPN tunnel, session or identifier in it;
According to the VPN tunnel, session or identifier parameters and the recorded association between the VPN parameters and the VPN site corresponding to the private-network data, obtain the VPN operation information and the VPN site information;
Strip all VPN encapsulation from the VPN message and decapsulate it into VPN private-network data;
Judge the legitimacy of this VPN according to the VPN operation information, that is, judge whether this VPN message is allowed; at the same time find the VPN routing, label, forwarding and encapsulation information of the corresponding VPN according to the VPN site information, and then encapsulate the decapsulated private-network data;
Forward the encapsulated private-network data within the private network according to the VPN operation information and VPN site information.
Fig. 3 is a schematic diagram of user-based VPN division networking in the present invention:
Distinguishing VPN sites by user, domain, ISP/ICP/ASP, user group and the like provides a division mode and applications that are independent of network parameters. Hosts with different network parameters can be divided into the same VPN at the user layer, and hosts with the same network parameters can be divided into different VPNs at the user layer.
In the network shown in Fig. 3 there are two VPNs, VPN A and VPN B, each with two sites. To determine the internal network scope of each VPN site (the network range where the devices and/or hosts inside the VPN are located), sites are divided on the VPN device according to user, domain, ISP/ICP/ASP and user groups defined in other ways (for example grouped by some attribute of the user, users with the same attribute forming one user group; typical examples are all ADSL (Asymmetric Digital Subscriber Line) access users, all WLAN (wireless local area network) access users, or all users with the same SLA (Service Level Agreement)).
For example, according to the user account "Zhang San@123.com" this user is divided into VPN B site 2; according to the operator, operator X is divided into VPN B site 1; according to domain 168, all users in domain 168 are divided into VPN A site 1; and according to ISP/ICP/ASP, a certain ISP/ICP/ASP Y is divided into VPN A site 2.
The flow of the user-based VPN implementation method is shown in Fig. 4:
The management plane, through static configuration modes such as a CLI (command line interface), the WEB or a network management system, or dynamic configuration modes such as AAA (authentication) or policy, establishes the correspondence between users, domains, ISP/ICP/ASP, user groups and the like and VPN sites, and forms information such as a user information table (including user, domain, ISP information and so on) and a VPN configuration table. Establishing the correspondence between users, domains, ISP/ICP/ASP, user groups and VPN sites means that all hosts under a certain user, domain, ISP/ICP/ASP or user group are divided into the designated VPN; all hosts in the designated VPN become members of that site, and all VPN members use the configured VPN mechanism of the corresponding VPN and the corresponding VPN functions, such as the corresponding tunnels and interaction functions.
For example, if domain 168 is divided into L2TP Group1, then every user in domain 168, such as the users named "xx@168", "yy@168", "cw@168" carried at authentication, is divided into one VPN site (which usually has an internal index or name, or a VPN ID), and this VPN site is associated with L2TP Group1 (corresponding to the various L2TP configurations, including but not limited to the LNS (L2TP Network Server) address, tunnel key, number of sessions, encapsulation format, QoS mechanism, load-balancing mechanism and so on), so that the control plane and forwarding plane can identify and process the subscriber host information, the VPN site and the VPN.
Likewise, multiple users can be divided according to their accounts: for example a certain regular segment, or a certain character or characters, of the account may be a special character, or random accounts can be enumerated exhaustively.
Division can also be performed according to the corresponding identifiers of ISP/ICP/ASP, user groups and the like, such as the ISP name or the user group number.
Division can also be performed according to user groups defined in other ways (for example grouped by some attribute of the user, users with the same attribute forming one user group; typically all ADSL or WLAN access users, all users with the same SLA, and so on).
The control plane needs to maintain the routes, labels and forwarding tables inside the VPN site; maintain the VPN site tunnel and session tables; and maintain the public-network routes, labels and forwarding tables. Through private-network protocols, such as routing protocols (dynamic routing protocols or statically configured routes), layer-2 session-related protocols, label protocols and so on, it establishes private-network routes, session information and the like; it then looks up the established correspondence by user information, judges whether the traffic belongs to a VPN, records the VPN information corresponding to the subscriber host identifier (the user's IP address, MAC address, physical port, logical port and so on), and associates the record with the VPN site. The VPN module establishes the corresponding tunnel according to the VPN information (the tunnel may also be established manually by the management plane), while public-network protocols (including but not limited to routing protocols and label protocols) provide the corresponding routing, label, forwarding and encapsulation information.
The forwarding plane uses the standard VPN forwarding process: it receives a user data packet, judges from the user information table (including user, domain, ISP information and so on) that it is a private-network data packet, looks up the private-network session table and encapsulates, looks up the corresponding VPN information and encapsulates, looks up the corresponding public-network routing, forwarding and encapsulation information and encapsulates, finally forming a packet containing the private-network data that can be transmitted over the public network; the packet is then forwarded over the public network to the designated VPN tunnel peer, which performs the corresponding lookups and decapsulation according to the protocol.
After the VPN device receives a VPN message from the public network, it judges the VPN and the corresponding user parameters it belongs to according to the correspondence between users and VPN sites, decapsulates the VPN message to obtain the private-network data, and then sends the private-network data to the corresponding VPN site.
Fig. 5 is that the VPN based on the user divides the networking schematic diagram among the present invention:
Distinguish the VPN website by message classification, different messages uses different classification, can be divided among the corresponding VPN, thereby dividing mode and the application that is independent of network parameter, user can be provided.
Two VPN are arranged in network shown in Figure 5, be divided into and be VPN A and VPN B, VPN A and VPN B have two websites respectively.In order to determine each VPN website internal network scope (being the network range at VPN internal unit and/or main frame place), the various parameters of on VPN equipment, setting up network message with and the corresponding relation of combination and VPN website.
Such as, identify (such as 802.1p, TOS/DSCP (COS/differentiated service encoded point), the MPLS EXP (experimental field among the MPLS according to QoS (service quality), general mark)) as QoS, the user of " CoS (grade of service)=6 or ToS (COS)=6 or DSCP=6 " is divided into VPN A website 1, the user of " MPLS EXP=6 " is divided into VPN A website 2, the user of correspondence is divided into VPN B website 1 and VPN B website 2 according to " Ethernet triplet rules, IP five-tuple rule, IPv6 agreement ".
The network message parameter comprises the parameter that comprises in all messages such as various physical layer messages, two layer message, three-tier message, four layers of message and high-rise message, the common variety of protocol that identifies in Ethernet tlv triple, IP five-tuple, QoS mark (CoS, TOS/DSCP, MPLS EXP), IP version type (IPv4/IPv6) and the diverse network message parameter that comprises.
Based on the flow process of the VPN implementation method of message as shown in Figure 6:
Management plane is by multiple static configuration modes such as CLI/WEB/ webmasters, perhaps multiple dynamic-configuration mode such as AAA/ strategy, the various parameters of setting up network message with and the corresponding relation of combination and each VPN website, form the message information table (comprise various network parameters with and the rule that combines etc., the network message parameter comprises various physical layer messages, two layer message, three-tier message, the parameter that comprises in all messages such as four layers of message and high-rise message, the common Ethernet tlv triple that comprises, the IP five-tuple, QoS mark (CoS, TOS/DSCP, MPLS EXP), the variety of protocol that identifies in IP version type (IPv4/IPv6) and the diverse network message parameter, rule of combination uses one or more independent assortment for setting up demand according to VPN), information such as VPN allocation list.During concrete configuration, can divide the VPN website, also can divide the VPN website according to the combination of certain or some or certain several rule according to certain or certain several message parameters.In some cases, same subscriber's main station can use multiple message simultaneously, every kind of corresponding different VPN website of message possibility, at this moment, still can with this subscriber's main station according to logic rules be divided into a plurality of logic main frames, thereby can think that different logic main frames is divided in the different VPN websites.The inner member of all VPN all uses the VPN mechanism of the correspondence that configures such as certain corresponding tunnel and session etc.The host subscriber of VPN website can use corresponding VPN function, be that 6 messages correspond among the L2TP Group1 typically such as DSCP in the QoS mark, DSCP is that 6 usefulness is divided into a VPN website per family and (an inner index or title is arranged generally 
in then every QoS mark, perhaps VPN ID) in, and this VPN website and L2TP Group1 (the corresponding various configurations of L2TP, include but not limited to the LNS address, tunnel keys, number of sessions, encapsulation format, QoS mechanism, load-balancing mechanism etc.) carry out association, make control plane, Forwarding plane can be to subscriber host information, VPN website and VPN discern and handle.Equally, according to the Ethernet tlv triple, the IP five-tuple, QoS mark (CoS, TOS/DSCP, MPLSEXP), the variety of protocol that identifies in IP version type (IPv4/IPv6) and the diverse network message parameter, multiple message can be divided, source MAC such as the Ethernet tlv triple, target MAC (Media Access Control) address, agreement, and the source IP address of IP five-tuple, the source protocol port, purpose IP address, the purpose protocol port, protocol type, and QoS mark (CoS, TOS/DSCP, MPLS EXP), the variety of protocol that identifies in IP version type (Pv4/IPv6) and the diverse network message parameter, by message analysis, promptly traffic classification carries out the VPN division.
Control plane need be safeguarded VPN website inner route, label, transmit; Safeguard VPN website tunnel, conversational list; Safeguard public network route, label, transmit.Pass through private network agreement, such as, Routing Protocol (Routing Protocol of dynamic routing protocol or static configuration), two layer conversation related protocols, label protocol etc., set up the private network route, session information etc., judge whether it is VPN and corresponding VPN information by message information then, be about in the control plane according to VPN website division principle, according to the Ethernet tlv triple, the IP five-tuple, QoS mark (CoS, TOS/DSCP, MPLS EXP), the mode of the variety of protocol that identifies in IP version type (IPv4/IPv6) and the diverse network message parameter etc., analyze and traffic classification with user's message, rule according to coupling is judged, if meet certain rule, then it is designated related corresponding VPN site users data message.The VPN module is set up corresponding tunnel (also can be to set up by management plane is manual) according to VPN information, simultaneously according to the public network agreement, such as, Routing Protocol, label protocol etc. provide corresponding route, label, forwarding, packaging information.
The forwarding plane uses the standard VPN forwarding process. After receiving a user data message, it determines from the message information table that the message is a private network data message, looks up the private network session table and encapsulates, looks up the corresponding VPN information and encapsulates, then looks up the corresponding public network route, forwarding and encapsulation information and encapsulates, finally forming a message carrying the private network data that can be transmitted over the public network. The message is forwarded over the public network to the designated VPN tunnel peer, which performs the corresponding lookups and decapsulation according to the protocol.
After the VPN device receives a VPN message from the public network, it determines the VPN to which the message belongs and the corresponding user parameters from the correspondence between the message and the VPN site: it locates the corresponding tunnel, session or identifier by the VPN parameters carried in the message, obtains the corresponding VPN operation parameters and VPN site information through the association relation, and then obtains the corresponding user parameters from the VPN operation parameters. It decapsulates the VPN message to obtain the private network data and sends the private network data to the corresponding VPN site.
Fig. 7 is a networking schematic of VPN division based on service according to the present invention:
By distinguishing VPN sites according to service, a correspondence between different services and VPN sites is established, which provides a division mode and an application that are independent of network parameters, users and messages.
In the network shown in Fig. 7 there are two VPNs, VPN A and VPN B, each having two sites. To determine the internal network scope of each VPN site (that is, the network range in which the devices and/or hosts inside the VPN are located), division is performed on the VPN device according to service: data, video, voice, a specified service within a certain session, and so on. For example, voice service users are divided into VPN A site 1, voice and video service users into VPN A site 2, data service users into VPN B site 1, and the service within a specified session into VPN B site 2.
The flow of the service-based VPN implementation method is shown in Fig. 8:
The management plane establishes the correspondence between services and VPN sites through static configuration modes such as CLI/WEB/network management or dynamic configuration modes such as AAA/policy. The service division covers data, video, voice, a specified service within a certain session, session information and so on. Generally the service call setup process must be tracked and the VPN divided according to the service information so established; alternatively, a certain session, or a data flow further separated out of a session, may be designated by manual configuration as belonging to the VPN of a certain service. In the former case the service type is determined from the information intercepted during service setup, for example by tracking the user's H.323/H.248/MGCP/SIP setup to learn voice, video or general data types; in the latter case the data flow within a session and its service type are configured manually, so that the session is mapped to the designated VPN site. Information such as the service information table and the VPN allocation table is formed. In actual configuration, VPN sites can be divided according to one or several services. Because many services comprise one or more protocols, and some service messages have no fixed message rule, dividing VPNs by service better satisfies the needs of different services.
The control plane must maintain the routes, labels and forwarding tables inside each VPN site; maintain the VPN site tunnel and session tables; and maintain the public network routes, labels and forwarding tables. Through private network protocols such as routing protocols (dynamic routing protocols or statically configured routes), layer 2 session-related protocols and label protocols, it establishes the private network routes, session information and so on. Since services must be identified, the private network protocols must at this point provide service tracing and analysis functions to identify the services contained in a session; alternatively, which service a session uses may be specified by static configuration or dynamically. It then determines from the service information whether a message belongs to a VPN and which VPN information applies. The VPN module sets up the corresponding tunnel according to the VPN information (the tunnel may also be set up manually through the management plane), while public network protocols such as routing protocols and label protocols provide the corresponding route, label, forwarding and encapsulation information.
The forwarding plane uses the standard VPN forwarding process. After receiving a user data message, it determines from the service information table (covering data, video, voice, a specified service within a certain session, and so on) that the message is a private network data message, looks up the private network session table and encapsulates, looks up the corresponding VPN information and encapsulates, then looks up the corresponding public network route, forwarding and encapsulation information and encapsulates, finally forming a message carrying the private network data that can be transmitted over the public network. The message is forwarded over the public network to the designated VPN tunnel peer, which performs the corresponding lookups and decapsulation according to the protocol.
After the VPN device receives a VPN message from the public network, it determines the VPN to which the message belongs and the corresponding user parameters from the correspondence between the message and the VPN site, decapsulates the VPN message to obtain the private network data, and sends the private network data to the corresponding VPN site.
In actual use, a VPN is generally not built only on the existing network-based VPN, nor only on a user-based, message-based or service-based VPN alone; rather, VPN sites are often distinguished flexibly and the VPN set up by combining different users, different services and different applications.
Therefore, the present invention also provides VPN division that combines multiple modes; its flow is shown in Fig. 9:
The management plane, through static configuration modes such as CLI/WEB/network management or dynamic configuration modes such as AAA/policy, establishes the correspondence with VPN sites by device, interface, network, user, message and service, forming the corresponding information tables, the VPN allocation table and so on. In actual configuration, VPN sites can be divided for different users, different services and different applications according to one or several of these modes. Typical cases are: dividing a VPN by leased-line interface for a certain customer; dividing a VPN for part of a subnet by subnet or network segment; dividing a VPN by service for users accessing within a cell; dividing a VPN for a specific user or network by message parameter; or providing, for a certain user, division by one or more of the device, interface, network, user, message and service modes at the same time.
The control plane establishes the private network routes, session information and so on through private network protocols such as routing protocols (dynamic routing protocols or statically configured routes), layer 2 session-related protocols and label protocols. If services need to be identified, the private network protocols must at this point provide service tracing and analysis functions to identify the services contained in a session; alternatively, which service a session uses may be specified by static configuration or dynamically. It then determines from the corresponding information whether a message belongs to a VPN and which VPN information applies. The VPN module sets up the corresponding tunnel according to the VPN information (the tunnel may also be set up manually through the management plane), while public network protocols such as routing protocols and label protocols provide the corresponding route, label, forwarding and encapsulation information.
The forwarding plane uses the standard VPN forwarding process. After receiving a user data message, it determines from the corresponding information table that the message is a private network data message, looks up the private network session table and encapsulates, looks up the corresponding VPN information and encapsulates, then looks up the corresponding public network route, forwarding and encapsulation information and encapsulates, finally forming a message carrying the private network data that can be transmitted over the public network. The message is forwarded over the public network to the designated VPN tunnel peer, which performs the corresponding lookups and decapsulation according to the protocol.
After the VPN device receives a VPN message from the public network, it determines the VPN to which the message belongs and the corresponding user parameters from the correspondence between the message and the VPN site, decapsulates the VPN message to obtain the private network data, and sends the private network data to the corresponding VPN site.
When several different modes are combined to divide VPNs, there are generally two approaches: by priority, or by policy expression, combining multiple network parameters, operation parameters and so on so that VPNs are distinguished and applied reasonably.
Priority mode means that when different modes are combined, each mode is configured with a priority, and a mode with a higher priority is used before one with a lower priority. The processing flow is as follows:
1. First, establish a mode group, in which the various modes and their priorities are configured, including the standard network-parameter-based mode and the user-parameter-based, message-parameter-based and service-parameter-based modes described above; each mode that is to be used is assigned a priority, and modes that are not needed may be left unconfigured.
2. Then determine the scope of the mode group: it may apply to, among other things, one or more ports, VLANs or sub-interfaces, or to the entire device globally.
3. When a user's message is parsed, the modes specified in the mode group are applied in order of priority from high to low to distinguish the VPN and forward the message.
In general the number of priority levels is not limited; multiple levels may be used, including but not limited to 5, 10, 100 or 255 levels.
Typically, 5 priority levels are adopted, and mode group #1, or a group named "mode group 1", is configured as follows:
Priority 5: the service-parameter-based mode
Priority 4: the message-parameter-based mode
Priority 3: the user-parameter-based mode
Priority 2: the network-parameter-based mode
Then the mode group is applied to the VPN access port connecting the large customer.
When a message enters, it is divided according to the priorities configured in the mode group, from high to low; if a certain mode hits, that mode is used.
Policy expression means that multiple conditions can be flexibly combined in the form of an expression, and a message meeting a certain condition is divided into the corresponding VPN. The general processing flow is as follows:
1. First, establish a policy group, in which the various modes and their combination policies are configured, including the standard network-parameter-based mode, the user-parameter-based, message-parameter-based and service-parameter-based modes described above, and the policy for using them in combination; each VPN to be divided uses one policy rule, and one or more policy rules may be configured. Modes that are not needed may be left unconfigured.
2. Then determine the scope of the policy group: it may apply to, among other things, one or more ports, VLANs or sub-interfaces, or to the entire device globally.
3. When a user's message is parsed, the rules are matched in the order configured in the policy group. If a match succeeds, the message is divided according to the VPN action specified by the policy; if it fails, matching continues until every rule has failed, in which case no VPN division is made or the message is placed in the default VPN.
Typically, a policy rule takes the form of an expression combining network parameters, user parameters, message parameters and service parameters with relational operators (including but not limited to and, or, not, belongs to, does not belong to, equals, not equals) and fuzzy matching (the wildcard * for any value, the wildcard ? for a single value, and regular expressions).
For example, an operator may need the voice service of a certain large customer to be delivered into a certain voice VPN, a certain class of users to use one VPN to the ISP, all HTTP messages to be delivered into a VPN for information filtering, everything arriving on port 5 to use a certain VPN, and the rest to be divided according to network parameters.
Policy group #1, or a group named "policy group 1", is then configured with the following contents:
if (SIP belongs to 192.168.5.*) and (Voice_Service) then VPN1
if (user domain is "*.isp.telecom.cn") then VPN2
if (HTTP) then VPN3
if (Port=5) then VPN4
default VPNx
In particular, when the policy expressions are combined according to priority, this is exactly the priority mode described above.
Policy groups and priority mode groups may also be used at the same time; by configuring whether the policy group or the mode group takes precedence, the two approaches coexist.
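As an added example (not the patent's code), the classifier below implements the first-match policy group quoted above and the priority mode group described earlier with the same machinery, showing the equivalence the text states; the Packet fields, predicate helpers, VPN names and sample messages are constructed for illustration.

```python
"""First-match VPN classification: a policy group and a priority mode group.
Added example, not the patent's code; packet fields, predicate names and the
sample messages are constructed to mirror the rules quoted in the text."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """Fields the classifier consults, as message analysis would extract them."""
    src_ip: str
    app: str          # protocol identified in the message, e.g. "SIP", "HTTP"
    service: str      # service type learned from call tracking, e.g. "voice"
    user_domain: str  # user account with its domain, e.g. "alice@x.isp.telecom.cn"
    in_port: int      # ingress port of the VPN device

Predicate = Callable[[Packet], bool]

def ip_in(pattern: str) -> Predicate:
    """'belongs to' with the page's * wildcard, compared octet by octet."""
    want = pattern.split(".")
    def check(p: Packet) -> bool:
        have = p.src_ip.split(".")
        return len(want) == len(have) == 4 and all(
            w in ("*", h) for w, h in zip(want, have))
    return check

def app_is(name: str) -> Predicate:
    return lambda p: p.app == name

def service_is(name: str) -> Predicate:
    return lambda p: p.service == name

def domain_like(pattern: str) -> Predicate:
    """Fuzzy match on the account's domain part: * any run, ? one character."""
    return lambda p: fnmatchcase(p.user_domain.rsplit("@", 1)[-1], pattern)

def port_is(n: int) -> Predicate:
    return lambda p: p.in_port == n

def both(a: Predicate, b: Predicate) -> Predicate:
    """Relational 'and'; 'or' and 'not' are built the same way."""
    return lambda p: a(p) and b(p)

class PolicyGroup:
    """Ordered rules; the first rule that matches wins. With no match the message
    goes to the default VPN, or stays undivided when default is None."""
    def __init__(self, rules: List[Tuple[Predicate, str]], default: Optional[str]):
        self.rules = rules
        self.default = default

    def classify(self, p: Packet) -> Optional[str]:
        for cond, vpn in self.rules:
            if cond(p):
                return vpn
        return self.default

def mode_group(modes: List[Tuple[int, Predicate, str]],
               default: Optional[str] = None) -> PolicyGroup:
    """Priority mode: sorting modes high-to-low yields an equivalent policy group."""
    ordered = sorted(modes, key=lambda m: m[0], reverse=True)
    return PolicyGroup([(cond, vpn) for _, cond, vpn in ordered], default)

# "policy group 1" from the text, written as rule objects.
POLICY_GROUP_1 = PolicyGroup([
    (both(both(app_is("SIP"), ip_in("192.168.5.*")), service_is("voice")), "VPN1"),
    (domain_like("*.isp.telecom.cn"), "VPN2"),
    (app_is("HTTP"), "VPN3"),
    (port_is(5), "VPN4"),
], default="VPNx")

# A 4-level mode group with one constructed predicate per mode kind.
MODE_GROUP_1 = mode_group([
    (2, ip_in("10.0.*.*"), "VPN_net"),                 # network-parameter mode
    (5, service_is("voice"), "VPN_voice"),             # service-parameter mode
    (4, app_is("HTTP"), "VPN_http"),                   # message-parameter mode
    (3, domain_like("*.isp.telecom.cn"), "VPN_user"),  # user-parameter mode
])

SAMPLES: Dict[str, Packet] = {  # constructed messages, one per outcome of interest
    "voice_call": Packet("192.168.5.20", "SIP", "voice", "bob@corp.example", 1),
    "isp_web": Packet("10.0.0.7", "HTTP", "data", "alice@x.isp.telecom.cn", 2),
    "web": Packet("172.16.1.9", "HTTP", "data", "carol@corp.example", 2),
    "port5": Packet("172.16.1.9", "FTP", "data", "dan@corp.example", 5),
    "other": Packet("172.16.1.9", "FTP", "data", "erin@corp.example", 7),
}

def classify_all(group: PolicyGroup) -> Dict[str, Optional[str]]:
    # Rule order decides the ambiguous samples, e.g. ISP HTTP traffic.
    return {name: group.classify(p) for name, p in SAMPLES.items()}
```

Rule order is the detail worth auditing: the ISP user's HTTP traffic lands in VPN2 under the policy group but in VPN_http under the mode group, and whatever matches nothing goes to the default VPN or stays undivided.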
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will know that the present invention has many variations and modifications that do not depart from its spirit, and it is intended that the appended claims cover those variations and modifications.

Claims (15)

1. A method for realizing a virtual private network, characterized in that the method comprises the steps of:
A. configuring virtual private network operation parameter information;
B. establishing the correspondence between said operation parameters and a VPN site in at least one of the following ways:
establishing the correspondence between a user account, a domain and a user group and said VPN site;
establishing the correspondence between message parameters and said VPN site;
establishing the correspondence between service parameters and said VPN site;
C. after a VPN device receives private network data from a VPN site, determining the VPN to which the data belong and the corresponding recorded VPN parameters according to the correspondence between said operation parameters and the VPN site, and forwarding the data by the VPN parameters of the VPN to which they belong;
D. when the VPN device receives a VPN message from the public network, determining the VPN, user account, domain and user group to which the message belongs according to the correspondence between said operation parameters and the VPN site, and forwarding the private network data to the VPN site to which it belongs.
2. The method according to claim 1, characterized in that said step A is specifically:
statically configuring said VPN operation parameters through a command line interface/WEB/network management.
3. The method according to claim 1, characterized in that said step A is specifically:
dynamically configuring said VPN operation parameters through authentication, authorization and accounting/policy.
4. The method according to claim 1, characterized in that said message parameters comprise: the parameters contained in physical layer messages, layer 2 data link layer messages, layer 3 network layer messages, layer 4 transport layer messages and higher application layer messages.
5. The method according to claim 1, characterized in that said service parameters comprise: data, video, voice, the service within a specified session, and session information.
6. The method according to claim 1, characterized in that, in said step C, forwarding the private network data by the VPN parameters of the VPN to which they belong comprises:
associating the recorded VPN parameters with the VPN site corresponding to said private network data;
establishing the corresponding tunnel according to said VPN parameters, while the public network protocol provides the corresponding route, label, forwarding and encapsulation information;
encapsulating said private network data respectively according to the corresponding VPN parameters and the route, label, forwarding and encapsulation information provided by said public network protocol;
forwarding the encapsulated private network data over the public network.
7. The method according to claim 1, characterized in that, in said step D, the process of sending the private network data to the VPN site to which the VPN message belongs comprises:
obtaining the VPN operation information and the VPN site information of its belonging according to the VPN message information received from the public network;
stripping all VPN encapsulation from the VPN message to decapsulate the VPN private network data;
encapsulating the decapsulated private network data according to said VPN site information;
sending the encapsulated private network data to the VPN site to which the VPN message belongs.
8. A method for realizing a virtual private network, characterized in that the method comprises the steps of:
A. configuring virtual private network operation parameter information;
B. establishing the correspondence between said operation parameters and a VPN site in the following manner:
establishing the correspondence between network parameters and said VPN site, together with at least one of establishing the correspondence between a user account, a domain and a user group and said VPN site, establishing the correspondence between message parameters and said VPN site, and establishing the correspondence between service parameters and said VPN site;
C. after a VPN device receives private network data from a VPN site, determining the VPN to which the data belong and the corresponding recorded VPN parameters according to the correspondence between said operation parameters and the VPN site, and forwarding the data by the VPN parameters of the VPN to which they belong;
D. when the VPN device receives a VPN message from the public network, determining the VPN, user account, domain and user group to which the message belongs according to the correspondence between said operation parameters and the VPN site, and forwarding the private network data to the VPN site to which it belongs.
9. The method according to claim 8, characterized in that said step A is specifically:
statically configuring said VPN operation parameters through a command line interface/WEB/network management.
10. The method according to claim 8, characterized in that said step A is specifically:
dynamically configuring said VPN operation parameters through authentication, authorization and accounting/policy.
11. The method according to claim 8, characterized in that said message parameters comprise: the parameters contained in physical layer messages, layer 2 data link layer messages, layer 3 network layer messages, layer 4 transport layer messages and higher application layer messages.
12. The method according to claim 8, characterized in that said service parameters comprise: data, video, voice, the service within a specified session, and session information.
13. The method according to claim 8, characterized in that, when the correspondence between multiple network parameters and operation parameters and the VPN site is established, the applicable correspondence is selected by priority or by policy expression when determining the VPN to which received data belong.
14. The method according to claim 8, characterized in that, in said step C, forwarding the private network data by the VPN parameters of the VPN to which they belong comprises:
associating the recorded VPN parameters with the VPN site corresponding to said private network data;
establishing the corresponding tunnel according to said VPN parameters, while the public network protocol provides the corresponding route, label, forwarding and encapsulation information;
encapsulating said private network data respectively according to the corresponding VPN parameters and the route, label, forwarding and encapsulation information provided by said public network protocol;
forwarding the encapsulated private network data over the public network.
15. The method according to claim 8, characterized in that, in said step D, the process of sending the private network data to the VPN site to which the VPN message belongs comprises:
obtaining the VPN operation information and the VPN site information of its belonging according to the VPN message information received from the public network;
stripping all VPN encapsulation from the VPN message to decapsulate the VPN private network data;
encapsulating the decapsulated private network data according to said VPN site information;
sending the encapsulated private network data to the VPN site to which the VPN message belongs.
CNB2005100642589A 2005-04-12 2005-04-12 Method for realizing virtual special network Active CN100518138C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2005100642589A CN100518138C (en) 2005-04-12 2005-04-12 Method for realizing virtual special network
PCT/CN2006/000572 WO2006108344A1 (en) 2005-04-12 2006-03-31 Method for realizing vpn

Publications (2)

Publication Number Publication Date
CN1848799A CN1848799A (en) 2006-10-18
CN100518138C true CN100518138C (en) 2009-07-22

Family

ID=37078168

Country Status (2)

Country Link
CN (1) CN100518138C (en)
WO (1) WO2006108344A1 (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220829
Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041
Patentee after: Chengdu Huawei Technologies Co.,Ltd.
Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.