
CN115412319A - Network permission control method, device and medium based on policy following - Google Patents


Info

Publication number
CN115412319A
CN115412319A
Authority
CN
China
Prior art keywords
authentication
access
equipment
terminal device
network
Prior art date
Legal status
Granted
Application number
CN202210997114.2A
Other languages
Chinese (zh)
Other versions
CN115412319B (en)
Inventor
蔡旺
Current Assignee
Inspur Cisco Networking Technology Co Ltd
Original Assignee
Inspur Cisco Networking Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Inspur Cisco Networking Technology Co Ltd
Priority to CN202210997114.2A
Publication of CN115412319A
Application granted
Publication of CN115412319B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network security architectures or protocols for managing network security; network security policies in general
    • H04L 63/08: Network security architectures or protocols for authentication of entities
    • H04L 63/10: Network security architectures or protocols for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H04L 67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a network permission control method, device and medium based on policy following (the user's network policy follows the user wherever the user attaches). The method comprises: in a multi-tier switch fabric, taking the access switch to which terminal devices attach as the authentication device, and the aggregation switch that aggregates the access switches as the policy enforcement device; determining the control policy for the terminal devices' network access permissions according to whether an authentication server is deployed outside the campus network; for a first terminal device attached to the authentication device, controlling the authentication device to enforce network access permissions on that device according to access white-list configuration information issued by the SDN controller under an internal white-list authentication policy; and for a second terminal device that sends an admission authentication request to the authentication device, generating an access control rule for that device under an external authentication policy and issuing the rule to the policy enforcement device, so that the policy enforcement device enforces the second terminal device's network access permissions according to the rule.

Description

Network permission control method, device and medium based on policy following
Technical Field
The present application relates to the field of communications technologies, and in particular to a network permission control method, device and medium based on policy following, that is, a scheme in which a user's network policy follows the user rather than the user's attachment point.
Background
In a campus network, the network administrator manages users' network access permissions centrally, and users are expected to attach to the campus network at a pre-planned network segment and location. Enterprise networks are now continuously built out, the boundary of the traditional campus network is gradually disappearing, and to improve working efficiency enterprises let employees move about freely within the permitted scope of the network. In this office mode a user's attachment point can move over a wide range, and the network administrator frequently has to re-assign the user's network access permissions, which makes network management and maintenance considerably less convenient.
To solve this problem, an effective network management method that also ensures the security of the enterprise network has been proposed: policy following. Policy following means that the user's experience is unchanged no matter where the user moves; it removes the traditional network's dependence on the attachment point and truly reflects the idea that the network moves with the person. Under this management mode, user network permission control is realized as follows: an SDN controller in the campus network issues switch configuration, authenticates terminal devices and issues the relevant enforcement policies, with the core switch acting as the policy enforcement device and the aggregation switch acting as the authentication device. This arrangement has two defects. First, because the authentication point is on the aggregation switch, a terminal device that has not authenticated successfully still receives the BUM traffic (broadcast, multicast and unknown-unicast traffic) sent by other terminal devices under the same access switch, so the flows of different terminal devices cannot be isolated from each other. Second, the SDN controller must rely on an authentication result in order to control network permissions, which gives poor flexibility and limits where the scheme can be used.
Disclosure of Invention
To solve the above problem, the present application provides a network permission control method based on policy following, applied to a preset campus network that includes at least an SDN controller, a multi-tier switch fabric and terminal devices. The method includes:
taking the access switch in the multi-tier switch fabric to which the terminal devices attach as the authentication device, and the aggregation switch that aggregates the access switches as the policy enforcement device;
determining the control policy for controlling the terminal devices' network access permissions according to whether an authentication server is deployed outside the campus network, where the control policy is either an external authentication policy or an internal white-list authentication policy;
for a first terminal device attached to the authentication device, controlling the authentication device to enforce network access permissions on the first terminal device according to access white-list configuration information issued by the SDN controller under the internal white-list authentication policy;
and for a second terminal device that sends an admission authentication request to the authentication device, generating an access control rule corresponding to the second terminal device under the external authentication policy and issuing the rule to the policy enforcement device, so that the policy enforcement device enforces the second terminal device's network access permissions according to that rule.
In one implementation of the present application, controlling the authentication device to enforce network access permissions on the first terminal device according to access white-list configuration information issued by the SDN controller specifically includes:
obtaining, through the authentication device, the basic device information of the first terminal device from a preset access device cache information table, where the basic device information includes at least one of: media access control (MAC) address, access interface, and online/offline time;
when the basic device information shows that the first terminal device is online, auditing the first terminal device to decide whether it has network access permission;
and when the first terminal device has network access permission, issuing access white-list configuration information to the authentication device so that the authentication device opens network access to the first terminal device according to that configuration.
In one implementation of the present application, before generating the access control rule corresponding to the second terminal device and issuing it to the policy enforcement device, the method further includes:
controlling the authentication device to forward the admission authentication request sent by the second terminal device to the authentication server, so that the authentication server determines the network access permission of the second terminal device and returns authentication information carrying that permission to the authentication device;
and receiving, from the authentication device, the authentication information and the basic device information of the second terminal device, and generating the access control rule corresponding to the second terminal device from the basic device information and the authentication information.
In one implementation of the present application, issuing access white-list configuration information to the authentication device when the first terminal device has network access permission specifically includes:
when the first terminal device has network access permission, using the MAC address in the basic device information as the identifier, generating the access white-list configuration information corresponding to the first terminal device and sending it to the authentication device, where the access white-list configuration information includes at least the basic device information.
In one implementation of the present application, after obtaining the basic device information of the first terminal device, the method further includes:
when the basic device information shows that the first terminal device is offline, removing the access white-list entry corresponding to the first terminal device from the white list through the authentication device;
and generating removal configuration information for the first terminal device from its MAC address and sending it to the authentication device, so that the authentication device confirms, according to the removal configuration information, whether the access white-list entry has been removed from the white list.
In one implementation of the present application, before obtaining the basic device information of the first terminal device from the preset access device cache information table, the method further includes:
issuing first authentication configuration information to the authentication device so that, when no authentication server is deployed outside the campus network, the authentication device configures itself according to it; the first authentication configuration information includes authentication protocol information, port audit information, and the address of the SDN controller.
In one implementation of the present application, before controlling the authentication device to forward the admission authentication request of the second terminal device to the authentication server, the method further includes:
issuing second authentication configuration information to the authentication device so that, when an authentication server is deployed outside the campus network, the authentication device configures itself according to it; the second authentication configuration information includes authentication protocol information and the address of the authentication server.
In one implementation of the present application, after the access switch in the multi-tier switch fabric to which the terminal devices attach has been taken as the authentication device, the method further includes:
controlling the authentication device to generate a specified access control rule that allows Dynamic Host Configuration Protocol (DHCP) messages to pass through the authentication device, so that the second terminal device can obtain its IP address under that rule.
An embodiment of the present application provides a network permission control device based on policy following, applied to a preset campus network that includes at least an SDN controller, a multi-tier switch fabric and terminal devices. The device includes at least one processor,
and a memory communicatively coupled to the at least one processor, where
the memory stores instructions executable by the at least one processor that enable the at least one processor to:
take the access switch in the multi-tier switch fabric to which the terminal devices attach as the authentication device, and the aggregation switch that aggregates the access switches as the policy enforcement device;
determine the control policy for controlling the terminal devices' network access permissions according to whether an authentication server is deployed outside the campus network, where the control policy is either an external authentication policy or an internal white-list authentication policy;
for a first terminal device attached to the authentication device, control the authentication device to enforce network access permissions on the first terminal device according to access white-list configuration information issued by the SDN controller under the internal white-list authentication policy;
and for a second terminal device that sends an admission authentication request to the authentication device, generate an access control rule corresponding to the second terminal device under the external authentication policy and issue the rule to the policy enforcement device, so that the policy enforcement device enforces the second terminal device's network access permissions according to that rule.
An embodiment of the present application provides a non-volatile computer storage medium storing computer-executable instructions, applied to a preset campus network that includes at least an SDN controller, a multi-tier switch fabric and terminal devices, where the computer-executable instructions are configured to:
take the access switch in the multi-tier switch fabric to which the terminal devices attach as the authentication device, and the aggregation switch that aggregates the access switches as the policy enforcement device;
determine the control policy for controlling the terminal devices' network access permissions according to whether an authentication server is deployed outside the campus network, where the control policy is either an external authentication policy or an internal white-list authentication policy;
for a first terminal device attached to the authentication device, control the authentication device to enforce network access permissions on the first terminal device according to access white-list configuration information issued by the SDN controller under the internal white-list authentication policy;
and for a second terminal device that sends an admission authentication request to the authentication device, generate an access control rule corresponding to the second terminal device under the external authentication policy and issue the rule to the policy enforcement device, so that the policy enforcement device enforces the second terminal device's network access permissions according to that rule.
The network permission control method based on policy following provided by the present application has the following beneficial effects:
the access switch to which the terminal devices attach is used as the authentication device and the authentication configuration is applied on that access switch, so a terminal device that has not authenticated cannot reach other terminal devices under the same access switch; traffic between terminal devices under one access switch is effectively isolated and communication security improves. Different control policies are selected according to whether an authentication server exists outside the campus network; compared with a single control policy, network permission control of terminal devices no longer depends solely on an authentication result, which gives greater flexibility and a wider range of application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart of a network permission control method based on policy following according to an embodiment of the present application;
fig. 2 is a topology diagram of a campus network according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a network access permission control policy according to an embodiment of the present application;
fig. 4 is a schematic flowchart of another network access permission control policy according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network permission control device based on policy following according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only a few embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
As shown in fig. 1, a network permission control method based on policy following provided in an embodiment of the present application includes:
S101: taking the access switch in the multi-tier switch fabric to which the terminal devices attach as the authentication device, and the aggregation switch that aggregates the access switches as the policy enforcement device.
As shown in fig. 2, the topology of the campus network includes at least an SDN controller, a multi-tier switch fabric and terminal devices. The terminal devices sit at the lowest layer; access switches at the access layer attach terminal devices belonging to the same local area network; aggregation switches at the aggregation layer are the aggregation points of several access switches; the core switch at the core layer performs high-speed forwarding; and the border switch interconnects different networks.
In this embodiment, the access switch serves as the authentication device that authenticates the terminal devices' network permissions, and the aggregation switch serves as the policy enforcement device that controls network access by executing the corresponding access control policy. Once 802.1X (dot1x) authentication is enabled on a port of the access switch, the port discards the traffic of every terminal device that has not authenticated, so a terminal that has not completed authentication is prevented from reaching other terminal devices under the same access switch; the traffic is isolated and communication security improves. Note that the Software Defined Network (SDN) controller can also instruct the authentication device to configure a corresponding access control rule that allows Dynamic Host Configuration Protocol (DHCP) messages through, so that a terminal device attached to the authentication device can obtain an Internet Protocol (IP) address by sending DHCP messages; the policy enforcement device can only apply network permission control to a terminal device once that device's IP address is known.
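The following Python model is added here for illustration; it is not code from the patent or from Inspur Cisco. It models the port behaviour just described: an access port with 802.1X enabled drops every frame whose source MAC has not authenticated, except for the EAPOL frames that carry the authentication exchange itself and for the DHCP client traffic permitted by the controller-configured rule of S101. The frame representation, the rule format and the `AccessPort` API are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

EAPOL_ETHERTYPE = 0x888E          # 802.1X frames must reach the authenticator
IPV4_ETHERTYPE = 0x0800
UDP = 17
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67


@dataclass(frozen=True)
class Frame:
    """Only the header fields the port filter needs (assumed shape)."""
    src_mac: str
    dst_mac: str
    ethertype: int = IPV4_ETHERTYPE
    ip_proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class AclRule:
    """A permit rule the SDN controller pushes to the authentication device."""
    ip_proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        return (f.ethertype == IPV4_ETHERTYPE and f.ip_proto == self.ip_proto
                and (self.src_port is None or f.src_port == self.src_port)
                and (self.dst_port is None or f.dst_port == self.dst_port))


def dhcp_pre_auth_rule() -> AclRule:
    """The 'specified access control rule' of S101: let DHCP client traffic
    through before authentication so the endpoint can obtain an IP address."""
    return AclRule(UDP, src_port=DHCP_CLIENT_PORT, dst_port=DHCP_SERVER_PORT)


@dataclass
class AccessPort:
    """One port of the access switch acting as authentication device."""
    dot1x_enabled: bool = True
    authorized: set = field(default_factory=set)        # MACs that passed 802.1X
    pre_auth_acl: list = field(default_factory=list)    # controller-issued exceptions

    def authorize(self, mac: str) -> None:
        self.authorized.add(mac.lower())

    def deauthorize(self, mac: str) -> None:
        self.authorized.discard(mac.lower())

    def ingress(self, frame: Frame) -> str:
        """Return 'forward' or 'drop' for a frame arriving on this port."""
        if not self.dot1x_enabled or frame.src_mac.lower() in self.authorized:
            return "forward"
        if frame.ethertype == EAPOL_ETHERTYPE:
            return "forward"      # the authentication exchange itself
        if any(rule.matches(frame) for rule in self.pre_auth_acl):
            return "forward"      # controller-configured exception (DHCP)
        return "drop"             # unauthenticated: isolated from its neighbours


def demo() -> dict:
    """Constructed traffic from one endpoint on an 802.1X port, before and
    after it authenticates and after it goes offline again."""
    port = AccessPort(pre_auth_acl=[dhcp_pre_auth_rule()])
    host, bcast = "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
    arp = Frame(host, bcast, ethertype=0x0806)                          # ARP broadcast
    dhcp = Frame(host, bcast, ip_proto=UDP, src_port=68, dst_port=67)   # DHCP discover
    dns = Frame(host, "00:aa:bb:cc:dd:ee", ip_proto=UDP, src_port=50000, dst_port=53)
    before = {"arp": port.ingress(arp), "dhcp": port.ingress(dhcp), "dns": port.ingress(dns)}
    port.authorize(host)
    after = {"arp": port.ingress(arp), "dns": port.ingress(dns)}
    port.deauthorize(host)
    return {"before": before, "after": after, "offline": port.ingress(dns)}


if __name__ == "__main__":
    print(demo())
```

In `demo()` the ARP broadcast and the DNS query from the unauthenticated host are dropped while its DHCP discover is forwarded; after `authorize()` both pass, and `deauthorize()` returns the port to the isolated state. The model covers ingress filtering only, which is the point the text makes: with the authentication point on the access switch, an unauthenticated terminal's traffic never reaches the other terminals under that switch.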
S102: determining the control policy for controlling the terminal devices' network access permissions according to whether an authentication server is deployed outside the campus network; the control policy is either an external authentication policy or an internal white-list authentication policy.
In this embodiment, different control policies are selected according to whether an authentication server exists outside the campus network. Compared with a single control policy, the terminal devices' network permissions no longer depend solely on an authentication result, so the scheme is more flexible and applies more widely. The control policy is divided into the external authentication policy and the internal white-list authentication policy.
S103: for a first terminal device attached to the authentication device, controlling the authentication device to enforce network access permissions on the first terminal device according to access white-list configuration information issued by the SDN controller under the internal white-list authentication policy.
In one embodiment, if no authentication server is deployed outside the campus network, the internal white-list authentication policy is used. Authentication of the terminal device then no longer depends on an authentication server: the SDN controller's audit function is enabled and decides, from the audit result, whether to assign network permissions to the terminal device. The permission takes the form of access white-list configuration information issued to the authentication device: only terminal devices on the white list pass the authentication device's check and have permission to reach the network beyond it.
Specifically, as shown in the flowchart of fig. 3, when no external authentication server is deployed, execution of the control policy is triggered by detecting that a terminal device has attached to the authentication device. Before the control policy runs, the SDN controller first issues first authentication configuration information to the authentication device so that the authentication device can configure itself from it. The first authentication configuration information includes authentication protocol information (for example, the 802.1X protocol), port audit information, and the address of the SDN controller.
Once the authentication device has configured itself from the first authentication configuration information, it monitors the first terminal device's attachment state in real time and writes the first terminal device's basic device information into the preset access device cache information table whenever the device comes online or goes offline. When the first terminal device comes online, a connection request is sent to the SDN controller; the authentication device reads the basic device information of the first terminal device from the cache table and reports it to the SDN controller. The basic device information includes at least one of: Media Access Control (MAC) address, access interface, and online/offline time. From the basic device information the SDN controller determines whether the first terminal device is currently online or offline. If it is online, the SDN controller audits it to decide whether it has network access permission. If it does, the SDN controller issues the corresponding access white-list configuration information to the authentication device; the authentication device configures its white list accordingly and opens network access to the first terminal device so that it can reach other terminal devices in the campus network.
Note that the access white-list configuration information includes at least the basic device information of the first terminal device. When generating it, the MAC address in the basic device information is used as the identifier, rather than relying on the IP address for identification, and the resulting configuration is issued to the authentication device. The white list therefore does not have to wait until the terminal device has obtained an IP address, which reduces latency and improves authentication efficiency.
If the first terminal device goes offline, the authentication device first removes the access white-list entry corresponding to the first terminal device from its white list; the SDN controller also generates removal configuration information from the first terminal device's MAC address and sends it to the authentication device, which looks up the access white-list entry according to the removal configuration information and thereby confirms whether it had already removed the first terminal device from the white list itself. Removing an offline first terminal device from the white list along two paths, removal under the SDN controller's control and active removal by the authentication device, gives a timely response to a device going offline and guards against the authentication device failing to receive the removal configuration information in some exceptional situation.
In a possible implementation, the SDN controller provides a visual interface that displays the information of the first terminal device, and network permissions can be assigned by operating that interface.
When no authentication server is deployed, the terminal device does not need to report its IP address to the SDN controller; the controller learns that the terminal device is online directly from its MAC address, which removes the latency of waiting for an IP address and improves authentication efficiency.
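As an added example, not code from the patent or from Inspur Cisco, the following Python sketch carries the internal white-list policy of S103 through for two terminals: the controller audits cache-table events, issues MAC-keyed white-list configuration for an approved terminal, and when that terminal goes offline both removal paths described above run. The cache-table row shape, the audit source (a constructed set of approved MACs standing in for the administrator's decision) and the message dictionaries are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CacheEntry:
    """One row of the access device cache information table. The text lists
    MAC address, access interface and online/offline time; the explicit
    'state' field and the row shape are assumptions of this example."""
    mac: str
    interface: str
    state: str        # "online" or "offline"
    timestamp: int


class AuthenticationDevice:
    """Access switch side: holds the MAC-keyed white list."""

    def __init__(self) -> None:
        self.whitelist: dict = {}

    def apply_whitelist_config(self, cfg: dict) -> None:
        self.whitelist[cfg["mac"]] = cfg

    def on_terminal_offline(self, mac: str) -> None:
        # First path: the authentication device removes the entry itself.
        self.whitelist.pop(mac, None)

    def apply_removal_config(self, cfg: dict) -> bool:
        # Second path: the controller's removal config. Returns True if the
        # entry had already gone (the first path worked); the entry is
        # removed either way, which is what makes the second path a backstop.
        already_gone = cfg["mac"] not in self.whitelist
        self.whitelist.pop(cfg["mac"], None)
        return already_gone


class SdnController:
    """Controller side of the internal white-list policy."""

    def __init__(self, approved_macs) -> None:
        # Assumed audit source: MACs an administrator has approved.
        self.approved = {m.lower() for m in approved_macs}

    def audit(self, entry: CacheEntry) -> bool:
        return entry.mac.lower() in self.approved

    def handle(self, entry: CacheEntry, auth_dev: AuthenticationDevice) -> dict:
        mac = entry.mac.lower()
        if entry.state == "online":
            if not self.audit(entry):
                return {"mac": mac, "result": "no-access"}
            # The white-list config is keyed by MAC, so it can be issued
            # before the terminal has obtained an IP address.
            cfg = {"mac": mac, "interface": entry.interface, "online_at": entry.timestamp}
            auth_dev.apply_whitelist_config(cfg)
            return {"mac": mac, "result": "whitelisted"}
        # Offline: both removal paths, local first, then the controller's.
        auth_dev.on_terminal_offline(mac)
        confirmed = auth_dev.apply_removal_config({"mac": mac})
        return {"mac": mac, "result": "removed", "self_removed": confirmed}


def demo() -> dict:
    """Constructed cache-table events for two terminals on one access switch."""
    auth_dev = AuthenticationDevice()
    ctl = SdnController(approved_macs=["00:11:22:33:44:55"])
    events = [
        CacheEntry("00:11:22:33:44:55", "Gi1/0/1", "online", 1000),
        CacheEntry("00:11:22:66:77:88", "Gi1/0/2", "online", 1001),   # not approved
        CacheEntry("00:11:22:33:44:55", "Gi1/0/1", "offline", 1500),
    ]
    results = [ctl.handle(e, auth_dev) for e in events]
    return {"results": results, "whitelist": sorted(auth_dev.whitelist)}


if __name__ == "__main__":
    print(demo())
```

Because the white list is keyed by the MAC address, the terminal is identified by a value it chooses itself; the internal policy trades the authentication strength of the external path for lower latency, and the audit step is the only control over who gets listed.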
S104: for a second terminal device that sends an admission authentication request to the authentication device, generating an access control rule corresponding to the second terminal device under the external authentication policy and issuing it to the policy enforcement device, so that the policy enforcement device enforces the second terminal device's network access permissions according to the rule.
In one embodiment, if an authentication server is deployed outside the campus network, the external authentication policy is used. Authentication of the terminal device then depends on the authentication server's result, and the SDN controller generates the corresponding access control rule only after it has received that result. Once the rule has been issued to the policy enforcement device, that device applies the relevant access policy according to the source and destination addresses of the access traffic, thereby controlling the terminal device's network permissions.
Specifically, as shown in fig. 4, in another flow chart of the network access right control policy, in the case where an external authentication server is provided, the admission authentication request sent to the authentication device by the second terminal device may trigger the execution of the control policy. Before executing the control policy, the SDN controller first issues second authentication configuration information to the authentication device, so that the authentication device can perform device configuration according to the second authentication configuration information. The difference from the case where the authentication server is not provided is that the second authentication configuration information only includes authentication protocol information (for example, 802.1x protocol) and address information of the authentication server, and the configuration of the audit function is no longer required, that is, in this case, the network authority no longer needs to be audited, but can be determined directly by the authentication server.
After the authentication device completes device configuration, an admission authentication request sent by the second terminal device needs to be received in real time, and the received admission authentication request is sent to the authentication server under the control of the SDN controller, so that the authentication server authenticates the network access authority corresponding to the second terminal device. The authentication server feeds back the authentication information of the second terminal device to the authentication device regardless of whether the second terminal device passes the authentication. After receiving authentication information issued by the authentication server, the authentication device reports the authentication information and basic device information of the second terminal device to the SDN controller, and meanwhile, after the second terminal device obtains an IP address corresponding to the second terminal device through a DHCP message, the second terminal device directly reports the IP address to the SDN controller. After receiving the authentication information, the basic device information and the IP address corresponding to the second terminal device, the SDN controller can establish an association relationship between the IP address and the basic device information, determine whether the second terminal device has an external network access right according to the authentication information, generate a corresponding access control rule according to the IP address corresponding to the second terminal device, and then issue the access control rule to the policy enforcement device according to the MAC address in the basic device information. And after the strategy execution device receives the access control rule, the network authority of the second terminal device can be controlled by controlling the access flow between the destination IP address and the source IP address contained in the access control rule.
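The S104 flow above, as an added Python model that is not the patent's own code: the authentication device lets only DHCP pass before authentication and relays the admission request, and the SDN controller correlates the authentication server's verdict with the IP address the terminal reports after DHCP (in either arrival order) and installs a source/destination IP rule on the enforcement device upstream of the terminal's access switch. The class names, the constructed external prefix 203.0.113.0/24, the boolean verdict and the fail-closed default of the enforcement device are assumptions.

```python
"""Added example, not the patent's own code: the external-authentication path of S104."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DHCP_PORTS = {67, 68}  # UDP ports used by DHCP server and client


@dataclass(frozen=True)
class AuthReport:
    """Reported by the authentication device: basic device information plus the verdict."""
    mac: str
    access_switch: str
    access_port: str
    passed: bool


@dataclass(frozen=True)
class AccessRule:
    src_ip: str
    dst_net: str
    action: str  # "permit" or "deny"


class AuthenticationDevice:
    """Access switch; before authentication only DHCP may pass so the terminal gets an IP."""

    def pre_auth_allows(self, proto: str, dst_port: int) -> bool:
        return proto == "udp" and dst_port in DHCP_PORTS

    def forward_to_auth_server(self, mac: str, credential_ok: bool,
                               access_switch: str, port: str) -> AuthReport:
        """Relay the admission request; `credential_ok` stands in for the server's
        verdict (assumption). A report is produced whether or not it passed."""
        return AuthReport(mac.lower(), access_switch, port, credential_ok)


class PolicyEnforcementDevice:
    """Convergence switch enforcing rules on src/dst IP; unmatched flows get the default."""

    def __init__(self, default_action: str = "deny") -> None:
        self.rules: list[AccessRule] = []
        self.default_action = default_action  # assumed fail-closed

    def install(self, rule: AccessRule) -> None:
        # a newer rule for the same source address replaces the older one
        self.rules = [r for r in self.rules if r.src_ip != rule.src_ip] + [rule]

    def check_flow(self, src_ip: str, dst_ip: str) -> str:
        for r in self.rules:
            if (ip_address(src_ip) == ip_address(r.src_ip)
                    and ip_address(dst_ip) in ip_network(r.dst_net)):
                return r.action
        return self.default_action


class SdnController:
    """Correlates the MAC-keyed verdict with the IP reported after DHCP, then
    issues a rule to the enforcement device upstream of the access switch."""

    def __init__(self, external_net: str, uplink: dict[str, PolicyEnforcementDevice]) -> None:
        self.external_net = external_net
        self.uplink = uplink  # access switch name -> enforcement device
        self.reports: dict[str, AuthReport] = {}
        self.ips: dict[str, str] = {}

    def on_auth_report(self, report: AuthReport) -> AccessRule | None:
        self.reports[report.mac] = report
        return self._try_issue(report.mac)

    def on_ip_report(self, mac: str, ip: str) -> AccessRule | None:
        self.ips[mac.lower()] = ip
        return self._try_issue(mac.lower())

    def _try_issue(self, mac: str) -> AccessRule | None:
        """A rule needs both the verdict and the IP; arrival order is irrelevant."""
        if mac not in self.reports or mac not in self.ips:
            return None
        report = self.reports[mac]
        rule = AccessRule(self.ips[mac], self.external_net,
                          "permit" if report.passed else "deny")
        self.uplink[report.access_switch].install(rule)
        return rule


def demo() -> dict[str, str]:
    """Two constructed terminals on access switch acc-1: one passes, one fails."""
    ped = PolicyEnforcementDevice()
    ctl = SdnController("203.0.113.0/24", {"acc-1": ped})  # constructed external prefix
    dev = AuthenticationDevice()
    ctl.on_auth_report(dev.forward_to_auth_server("AA:BB:CC:00:00:01", True, "acc-1", "Gi1/0/1"))
    ctl.on_ip_report("aa:bb:cc:00:00:01", "10.10.1.11")
    ctl.on_ip_report("aa:bb:cc:00:00:02", "10.10.1.12")  # IP arrives before the verdict
    ctl.on_auth_report(dev.forward_to_auth_server("AA:BB:CC:00:00:02", False, "acc-1", "Gi1/0/2"))
    return {"passed": ped.check_flow("10.10.1.11", "203.0.113.10"),
            "failed": ped.check_flow("10.10.1.12", "203.0.113.10")}
```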
The above is the method embodiment proposed by the present application. Based on the same idea, one or more embodiments of this specification further provide a device and a medium corresponding to the above method.
Fig. 5 is a schematic structural diagram of a policy-following-based network permission control device according to an embodiment of the present application. The device is applied to a preset campus network that comprises at least an SDN controller, a multi-tier switch and a terminal device, and the device comprises: at least one processor;
and a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to cause the at least one processor to:
taking an access switch in the multi-tier switch that is used for accessing the terminal device as an authentication device, and taking a convergence switch that aggregates the access switches as a policy enforcement device;
determining, according to whether an authentication server is deployed outside the campus network, a control policy for controlling the network access permission of the terminal device; the control policy comprising an external authentication policy and an internal whitelist authentication policy;
for a first terminal device accessed to the authentication device, controlling the authentication device to perform network access permission control on the first terminal device according to access whitelist configuration information issued by the SDN controller based on the internal whitelist authentication policy;
and for a second terminal device that sends an admission authentication request to the authentication device, generating an access control rule corresponding to the second terminal device based on the external authentication policy and issuing the access control rule to the policy enforcement device, so as to control the policy enforcement device to perform network access permission control on the second terminal device according to the access control rule.
An embodiment of the present application provides a non-volatile computer storage medium storing computer-executable instructions, applied to a preset campus network that comprises at least an SDN controller, a multi-tier switch and a terminal device, the computer-executable instructions being configured to:
take an access switch in the multi-tier switch that is used for accessing the terminal device as an authentication device, and take a convergence switch that aggregates the access switches as a policy enforcement device;
determine, according to whether an authentication server is deployed outside the campus network, a control policy for controlling the network access permission of the terminal device; the control policy comprising an external authentication policy and an internal whitelist authentication policy;
for a first terminal device accessed to the authentication device, control the authentication device to perform network access permission control on the first terminal device according to access whitelist configuration information issued by the SDN controller based on the internal whitelist authentication policy;
and for a second terminal device that sends an admission authentication request to the authentication device, generate an access control rule corresponding to the second terminal device based on the external authentication policy and issue the access control rule to the policy enforcement device, so as to control the policy enforcement device to perform network access permission control on the second terminal device according to the access control rule.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the device and media embodiments, the description is relatively simple as it is substantially similar to the method embodiments, and reference may be made to some descriptions of the method embodiments for relevant points.
The device and the medium provided by the embodiments of the present application correspond one to one with the method, so they have the same beneficial technical effects as the corresponding method; since those effects have been explained in detail above, they are not repeated here.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A network permission control method based on policy following, applied to a preset campus network, wherein the campus network comprises at least an SDN controller, a multi-tier switch and a terminal device, and the method comprises the following steps:
taking an access switch in the multi-tier switch that is used for accessing the terminal device as an authentication device, and taking a convergence switch that aggregates the access switches as a policy enforcement device;
determining, according to whether an authentication server is deployed outside the campus network, a control policy for controlling the network access permission of the terminal device; the control policy comprising an external authentication policy and an internal whitelist authentication policy;
for a first terminal device accessed to the authentication device, controlling the authentication device to perform network access permission control on the first terminal device according to access whitelist configuration information issued by the SDN controller based on the internal whitelist authentication policy;
and for a second terminal device that sends an admission authentication request to the authentication device, generating an access control rule corresponding to the second terminal device based on the external authentication policy and issuing the access control rule to the policy enforcement device, so as to control the policy enforcement device to perform network access permission control on the second terminal device according to the access control rule.
2. The method according to claim 1, wherein controlling the authentication device to perform network access permission control on the first terminal device according to access whitelist configuration information issued by the SDN controller specifically comprises:
acquiring basic device information of the first terminal device from a preset access device cache information table through the authentication device; the basic device information comprising at least one or more of: media access control address, access interface, and online and offline time;
when the first terminal device is determined to be online according to the basic device information, auditing the first terminal device to judge whether the first terminal device has network access permission;
and when the first terminal device has the network access permission, issuing access whitelist configuration information to the authentication device, so that the authentication device opens network access permission to the first terminal device according to the access whitelist configuration information.
3. The method according to claim 1, wherein before generating the access control rule corresponding to the second terminal device and issuing the access control rule to the policy enforcement device, the method further comprises:
controlling the authentication device to send the admission authentication request sent by the second terminal device to the authentication server, so that the authentication server determines the network access permission corresponding to the second terminal device and feeds back authentication information carrying the network access permission to the authentication device;
and receiving the authentication information and the basic device information corresponding to the second terminal device sent by the authentication device, and generating the access control rule corresponding to the second terminal device according to the basic device information and the authentication information.
4. The method according to claim 2, wherein when the first terminal device has the network access permission, issuing access whitelist configuration information to the authentication device comprises:
when the first terminal device has the network access permission, taking the media access control address in the basic device information as an identifier, generating access whitelist configuration information corresponding to the first terminal device, and sending the access whitelist configuration information to the authentication device; the access whitelist configuration information comprising at least the basic device information.
5. The method according to claim 2, wherein after acquiring the basic device information of the first terminal device, the method further comprises:
when the first terminal device is determined to be offline according to the basic device information, removing, through the authentication device, the access whitelist information corresponding to the first terminal device from the corresponding whitelist; and
generating removal configuration information of the first terminal device according to the media access control address, and sending the removal configuration information to the authentication device, so that the authentication device confirms, according to the removal configuration information, whether the access whitelist information has been removed from the whitelist.
6. The method according to claim 2, wherein before acquiring the basic device information of the first terminal device from the preset access device cache information table, the method further comprises:
when no authentication server is deployed outside the campus network, issuing first authentication configuration information to the authentication device so that the authentication device performs device configuration according to the first authentication configuration information; the first authentication configuration information comprising authentication protocol information, port audit information, and address information of the SDN controller.
7. The method according to claim 3, wherein before controlling the authentication device to send the admission authentication request sent by the second terminal device to the authentication server, the method further comprises:
when an authentication server is deployed outside the campus network, issuing second authentication configuration information to the authentication device so that the authentication device performs device configuration according to the second authentication configuration information; the second authentication configuration information comprising authentication protocol information and address information of the authentication server.
8. The method according to claim 1, wherein after the access switch in the multi-tier switch that is used for accessing the terminal device is taken as the authentication device, the method further comprises:
controlling the authentication device to generate a specified access control rule that allows dynamic host configuration protocol messages to pass through the authentication device, so that the second terminal device acquires its corresponding IP address according to the specified access control rule.
9. A network permission control device based on policy following, applied to a preset campus network, wherein the campus network comprises at least an SDN controller, a multi-tier switch and a terminal device, and the device comprises: at least one processor;
and a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
take an access switch in the multi-tier switch that is used for accessing the terminal device as an authentication device, and take a convergence switch that aggregates the access switches as a policy enforcement device;
determine, according to whether an authentication server is deployed outside the campus network, a control policy for controlling the network access permission of the terminal device; the control policy comprising an external authentication policy and an internal whitelist authentication policy;
for a first terminal device accessed to the authentication device, control the authentication device to perform network access permission control on the first terminal device according to access whitelist configuration information issued by the SDN controller based on the internal whitelist authentication policy;
and for a second terminal device that sends an admission authentication request to the authentication device, generate an access control rule corresponding to the second terminal device based on the external authentication policy and issue the access control rule to the policy enforcement device, so as to control the policy enforcement device to perform network access permission control on the second terminal device according to the access control rule.
10. A non-transitory computer storage medium storing computer-executable instructions for use on a preset campus network, wherein the campus network comprises at least an SDN controller, a multi-tier switch and a terminal device, and the computer-executable instructions are configured to:
take an access switch in the multi-tier switch that is used for accessing the terminal device as an authentication device, and take a convergence switch that aggregates the access switches as a policy enforcement device;
determine, according to whether an authentication server is deployed outside the campus network, a control policy for controlling the network access permission of the terminal device; the control policy comprising an external authentication policy and an internal whitelist authentication policy;
for a first terminal device accessed to the authentication device, control the authentication device to perform network access permission control on the first terminal device according to access whitelist configuration information issued by the SDN controller based on the internal whitelist authentication policy;
and for a second terminal device that sends an admission authentication request to the authentication device, generate an access control rule corresponding to the second terminal device based on the external authentication policy and issue the access control rule to the policy enforcement device, so as to control the policy enforcement device to perform network access permission control on the second terminal device according to the access control rule.
CN202210997114.2A 2022-08-19 2022-08-19 Network authority control method, device and medium based on strategy following Active CN115412319B (en)
Publications (2)

Publication Number Publication Date
CN115412319A true CN115412319A (en) 2022-11-29
CN115412319B CN115412319B (en) 2024-03-26
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant