CN100417078C - Method for realizing local virtual private network based on firewall - Google Patents

Info

Publication number
CN100417078C
Authority
CN (China)
Prior art keywords
vpn
firewall
virtual private network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2004100389764A
Other languages
Chinese (zh)
Other versions
CN1697396A (en)
Inventor
熊鹰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2004-05-10
Filing date
2004-05-10
Publication date
2008-09-03 (granted); application published as CN1697396A on 2005-11-16

Abstract

The present invention provides a method for dividing local virtual private network (VPN) regions on a firewall. The method comprises the following steps: first, a VPN attribute value, the VPN-ID, is configured in the interface attribute table of the firewall; second, a VPN-ID field is added to the lookup key of the routing table, so that VPN-ID and destination IP together form the lookup key; third, the VPN-ID is likewise added to the lookup key of the security policy table. The invention thereby partitions one firewall device into local VPN regions or, viewed from another angle, lets several security entities share the resources of one firewall. At the same time it provides access control between the secure VPN entities and access control between the security zones inside each entity, offering a convenient and practical solution for local VPN applications.

Description

Method for realizing a local virtual private network based on a firewall
Technical field
The present invention relates to a method of implementing a virtual private network, and in particular to a method of building mutually isolated, secure local virtual private networks using firewall technology.
Background technology
Virtual private networks (VPNs) are used more and more widely because of advantages such as flexibility, low cost and security. Briefly, a VPN uses an open public network to set up dedicated data transmission channels and connects remote branches, business partners and so on into a logically closed user group. A VPN generally spans some geographical distance. Several schemes can implement such a VPN, for example point-to-point schemes based on the user's CPE devices and operator-provided VPN schemes based on an ISP.
In the prior art, MPLS VPN is one of the VPN solutions offered by operators. It suits large-scale deployment by an operator but also requires the cooperation of many operator devices; it is a complex solution that needs a whole set of MPLS-related label and routing protocols and requires equipment that supports MPLS labels. Where local VPN isolation and security protection are wanted in something like an office building, this scheme is therefore unsuitable for reasons of cost and administration, nor can it provide the security-zone function of a firewall.
Present firewall devices generally assume that only one corporate entity uses them: the security zone with the highest security level is usually allowed to access any lower-level zone at will. If several companies use one local firewall at the same time, each company should have its own private security zones and access between the zones of different companies must be forbidden, so present firewalls cannot be applied to this situation.
The need to implement VPNs locally is widespread: for example the case of several companies in one building mentioned above, or, inside one company (behind the same firewall), different departments that must be kept confidential from one another; and a local site generally already has a firewall device. If VPN division can be implemented on the firewall, both local VPN isolation and protection and firewall protection against the outside can be achieved, with no new equipment added and with convenient management.
Summary of the invention
The technical problem to be solved by the present invention is to propose a method for realizing a local virtual private network based on a firewall. The method adds a layer of local VPN isolation to the security of the firewall, so that a more flexible protection mechanism can be achieved for local virtual private networks.
A method of dividing local virtual private network regions based on a firewall according to the present invention comprises the following steps:
Step 1: first configure a VPN attribute value, the VPN-ID, in the interface attribute table of the firewall;
Step 2: add a VPN-ID field to the lookup key of the routing table, so that VPN-ID and destination IP together form the lookup key;
Step 3: add the VPN-ID to the lookup key of the security policy table as well.
In the above method, between step 1 and step 2 there may further be: if the firewall provides special servers or supports NAT, add a VPN-ID field and the destination IP address to the lookup key of the server table;
In the above method, after step 3 there may further be: if the firewall supports NAT, add a VPN-ID field to the lookup key of the NAT translation table.
The present invention realizes local VPN region division on a firewall device or, from another angle, the sharing of firewall resources among several security entities; at the same time it realizes access control between the secure VPN entities and access control among the security zones inside each entity, providing a convenient and practical solution for local VPN applications.
Description of drawings
Fig. 1 is a schematic diagram of local VPN networking based on a firewall according to the present invention;
Fig. 2 is a schematic diagram of the configuration of the firewall tables in the method of the invention;
Fig. 3 is a schematic diagram of the structure of the firewall tables of the invention;
Fig. 4 is a flow chart of the processing of a local VPN packet.
Embodiment
In the present invention the notion of a local VPN differs from that of an ordinary VPN: it is made up of several companies or site entities that coexist locally and connect to a common firewall device. These entities are logically isolated from one another and form different VPN domains; they are not directly reachable from one another, and they may use overlapping IP addresses.
The VPN of the present invention has only local significance; whether such a VPN, after crossing the firewall, establishes a VPN relationship with other remote network entities is a separate question.
A typical local VPN application is networked as shown in Fig. 1: the property management of a building provides one firewall; each company in the building connects to one or more firewall interfaces, forming a VPN distinct from the others; the firewall interfaces belonging to one company can additionally be configured with different security zones to implement security control inside the company; the building provides a unified Internet exit and offers some value-added services through special servers, such as a Web service for information publishing and video on demand (VOD).
Several companies in one building were used above to illustrate the problem; in fact this requirement is not limited to that one application scenario. For example, if units inside a company need strict isolation and division, this method can also be used, in which case the VPN is mainly a security isolation measure.
The technical scheme of the present invention is as follows:
Step 1: first configure a VPN attribute value, the VPN-ID, in the interface attribute table of the firewall;
Step 2: add a VPN-ID field to the lookup key of the routing table, so that VPN-ID + destination IP is the lookup key;
Step 3: add the VPN-ID to the lookup key of the security policy table as well.
Between step 1 and step 2 there may further be: if the firewall provides special servers or supports NAT, add a VPN-ID field and the destination IP address to the lookup key of the server table;
After step 3 there may further be: if the firewall supports NAT, a VPN-ID field also needs to be added to the lookup key of the NAT translation table.
Fig. 2 illustrates how the firewall-based local VPN is configured in the method of the invention. To divide VPN regions on the basis of interfaces/sub-interfaces, the invention configures the firewall's interface attribute table, routing table, policy table, NAT binding table and internal server address mapping table, and thereby realizes firewall-based local VPN region division.
With reference to Fig. 2, the concrete steps are described as follows:
Step 201: the user first configures the VPN attribute, the VPN-ID, in the interface attribute table; that is, a VPN-ID is added for each interface of the firewall through the interface attribute table, and the internal networks connected to all interfaces with the same VPN-ID form one local virtual private network. The VPN-ID of an interface connected to the public network is generally set to 0.
At the same time, if security zones are needed inside a VPN, they too must be divided on the basis of interfaces, so a security zone number, the ZONE-ID, can also be configured in the interface attribute table.
When a packet enters from an interface, these two parameters must be obtained for the subsequent processing; see table 201 in Fig. 2. The interface attribute table can also hold many other attributes, such as MTU and encapsulation type, which may be set differently in different systems; the invention is not limited in this respect.
Step 202: a firewall generally implements static or dynamic server mapping to provide flexible destination access. To achieve VPN isolation, a VPN-ID field needs to be added to the lookup key of the server table, and the lookup key must also include the destination IP address.
Adding a VPN-ID field means adding a VPN-ID to the content of the original entries to obtain a new table; if two entries of the new table differ only in VPN-ID and are otherwise identical, they are regarded as two different entries. Thus in the new table all entries are divided by VPN-ID into several regions: the same item may appear in different VPN-ID regions, but the same item cannot appear twice within one region. The phrase "adding a VPN-ID field" has the same meaning in the other steps below.
Optionally, the server table may also include other content such as the IP protocol number and TCP/UDP port numbers. See table 202 in Fig. 2: the server table can have many attributes, such as application protocol type, number of connections and destination address NAT, which may be set differently in different systems; the invention is not limited in this respect.
Step 203: to achieve routing isolation between VPN domains, a VPN-ID field is also added to the lookup key of the routing table, so that VPN-ID + destination IP is the lookup key. See table 203 in Fig. 2; the invention places no limit on the other content of routing entries.
Step 204: to implement policies based on VPN domains and security zones, VPN-ID is added to the lookup key of the security policy table. If security zones are configured inside a VPN, ZONE-ID is added at the same time. For IP-based security policies, the lookup key generally includes the source/destination IP address.
Optionally, fields such as IP protocol number and TCP/UDP port numbers may also be included. The attributes of the security policy table generally hold the various policy contents, such as whether to filter and whether to apply bandwidth management; the invention is not limited in this respect.
If private addresses, generally the addresses recommended in RFC1918, are used inside a VPN, network address translation is needed when a user accesses the Internet or, where the security policy allows it, accesses users in other VPNs.
See table 205 in Fig. 2: to let different VPNs use a common NAT address pool, a VPN-ID field needs to be added to the lookup key of the NAT translation table. Usually the lookup key also includes the source IP address and, optionally, fields such as IP protocol number and TCP/UDP port numbers. The attributes of the NAT translation table generally hold content such as the translated IP address; the invention is not limited in this respect.
NAPT (Network Address Port Translation) is similar to NAT and is equally applicable to the present invention.
Referring to 210-212 in Fig. 3, the above classes of tables all exist in tree form:
210: a hash bucket. After the entry's key is hashed, the first N bits of the hash value are used as an index into this bucket, which preliminarily separates different entries;
211: a divergence node of the tree. If two or more entries fall into the same hash bucket after hashing, a divergence node is needed to distinguish them;
212: a leaf node, which stores the concrete content of the entry.
The processing of packets by a firewall configured according to the method of the invention is described below to further explain the technical scheme of the invention:
Fig. 4 is a flow chart of the processing of a local VPN packet.
A packet enters the firewall from a physical port. The physical port here generally means an Ethernet interface, but may also be a port of another type such as ATM. The concrete steps of packet processing are as follows:
Step 301: the packet is checked against the interface attribute table corresponding to its physical link or, for a sub-interface such as an Ethernet VLAN sub-interface, against the corresponding sub-interface attribute table. Classification and processing are carried out according to link-layer information, such as separating unicast, multicast and broadcast packets, and the necessary packet validity checks are performed. The packet then carries the VPN-ID and ZONE-ID configured in the interface attribute table into the next step.
Step 302: before IP-layer processing, basic IP packet validity checks are performed first, mainly the processing prescribed in RFC1812. The server table is then consulted to determine whether a special server or a destination address NAT mapping is configured.
The server table lookup is optional; if no special server is provided and destination IP address NAT is not supported, this step can be omitted.
Step 303: the routing table is looked up according to the packet's destination IP address and VPN-ID; on a hit, the corresponding routing information is recorded; on a miss, the routing table is looked up with VPN-ID = 0 to determine whether a public network address is being accessed.
Some optional optimizations are possible here. For example, if the private addresses of every VPN are the private addresses defined in RFC1918, then according to the type of the destination IP address only the VPN routing table corresponding to the VPN-ID, or only the public network routing table corresponding to VPN-ID = 0, needs to be looked up. If no route is found in the end, the packet is dropped, redirected or otherwise handled according to the policy determined by the system.
Step 304: after the routing table lookup in step 303 the outgoing interface is known, and the target VPN-ID and ZONE-ID are further obtained from the outgoing interface's attribute table. Then, according to the source VPN-ID, source ZONE-ID, source IP address and similar information, the policy table is looked up to determine whether the access is allowed and whether address translation or other policy actions are to be carried out. If the policy passes, the packet is forwarded.
The security policy can generally be of two kinds: one forbids the exceptions and lets everything else pass; the other allows the exceptions and forbids everything else; a combination of both is also possible. Further, for access between VPNs, the corresponding security policy is looked up in the security policy table according to the target VPN-ID and ZONE-ID and the source VPN-ID and ZONE-ID; for packets from a VPN to the public network or from the public network to a VPN, the corresponding security policy is looked up according to the target VPN-ID and ZONE-ID, or the source VPN-ID and ZONE-ID, together with the public network IP. If the policy passes, the packet is forwarded; if not, it is redirected or dropped directly as configured.
Step 305: if NAT is required, a free address resource is allocated from the NAT address pool, NAT is performed, and a NAT translation table entry is created so that subsequent packets can use this translation entry directly.
Step 306: the packet is link-layer encapsulated and transmitted.
Step 307: subsequent packets can be forwarded directly through the NAT translation table, saving the processing stages that the first packet went through.
Each VPN entity can be connected to the firewall through a layer-2/layer-3 switch or a router, with static routes configured or a routing protocol such as RIP/OSPF running.
Where NAT is supported, different VPNs can share the scarce public network address resource, allowing access to the public network (e.g. the Internet) and access between internal VPNs.
A concrete example below explains how a firewall configured according to the invention achieves sharing of public network addresses:
In the network configuration shown in Fig. 1, suppose host 1 in VPN A, denoted A1, and host 2 in VPN B, denoted B2, each initiate a request packet, RA1 and RB2 respectively, to access public network host 3. After processing in steps 301-304, the two requests reach step 305:
Request packet RA1 is allocated an address and TCP port number pair (a.b.c.d, 3000) from the NAT address pool; its source address is replaced with this public address before forwarding, and the NAT translation relation { VPN_A, A1, (a.b.c.d, 3000) } is recorded;
Request RB2, at the same time, can still be allocated an address and TCP port number pair (a.b.c.d, 3001) from the NAT address pool; its source address is replaced with this public address before forwarding, and the NAT translation relation { VPN_B, B2, (a.b.c.d, 3001) } is recorded;
When the reply to request RA1 returns from host 3, the NAT translation entry { VPN_A, A1, (a.b.c.d, 3000) } is found using the destination (IP + TCP port number), so the destination is restored to host A1 in VPN A.
Likewise, when the reply to request RB2 returns from host 3, the NAT translation entry { VPN_B, B2, (a.b.c.d, 3001) } is found using the destination (IP + TCP port number), so the destination is restored to host B2 in VPN B.
In this way VPN A and VPN B share the address pool resource.
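The configuration steps 201-205, the packet flow of steps 301-307 and the address-pool sharing example above can be seen working together in the following model. It is an added example written for this page, not code from the patent or from Huawei: the table layouts follow the description, while the interface names, the VPN and zone numbers, the pool address 203.0.113.1 (a documentation address standing in for a.b.c.d) and the host addresses are assumptions. It goes slightly beyond the text in two ways: both hosts are given the same private address and source port, so that the VPN-ID in the NAT key alone keeps them apart, and the route lookup applies the RFC1918 optimisation of step 303 instead of the plain fallback to VPN-ID 0.

```python
"""Constructed model of the VPN-ID-keyed firewall tables described above.
Added illustration, not code from the patent or from Huawei: table layouts follow
steps 201-205 and the packet flow follows steps 301-307; interface names, VPN/zone
numbers, the pool address 203.0.113.1 and the host addresses are assumed."""
import ipaddress
from collections import namedtuple

PUBLIC_VPN = 0  # VPN-ID given to interfaces that face the public network
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Packet = namedtuple("Packet", "in_port src dst sport dport")
# src/sport: source as sent out (after source NAT); dst/dport: after reverse NAT
Result = namedtuple("Result", "action out_port src sport dst dport reason",
                    defaults=(None,) * 6)


def is_rfc1918(ip):
    """True for the private address ranges defined in RFC1918."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class LocalVpnFirewall:
    """Every lookup key carries the VPN-ID, so entries that differ only in
    VPN-ID are distinct and address ranges may overlap between VPNs."""

    def __init__(self, nat_pool_ip, first_port=3000):
        self.iface = {}        # table 201: port -> (VPN-ID, ZONE-ID)
        self.routes = {}       # table 203: (VPN-ID, prefix) -> outgoing port
        self.policy = {}       # table 204: (src VPN, src ZONE, dst VPN, dst ZONE) -> action
        self.default_action = "deny"   # "exceptions permit, all else denied"
        self.nat = {}          # table 205: (VPN-ID, src ip, src port) -> (pool ip, pool port)
        self.nat_reverse = {}  # (pool ip, pool port) -> (VPN-ID, src ip, src port)
        self.nat_pool_ip = nat_pool_ip
        self.next_port = first_port

    def lookup_route(self, vpn, dst):
        # Step 303 with the RFC1918 optimisation: a private destination is looked
        # up only in its own VPN's routes, anything else only in the VPN-ID 0 table,
        # so a VPN cannot reach another VPN's private range via the default route.
        table = vpn if is_rfc1918(dst) else PUBLIC_VPN
        addr = ipaddress.ip_address(dst)
        hits = [(p, out) for (v, p), out in self.routes.items()
                if v == table and addr in p]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def process(self, pkt):
        # Step 301: the interface attribute table yields source VPN-ID and ZONE-ID.
        if pkt.in_port not in self.iface:
            return Result("drop", reason="unknown interface")
        src_vpn, src_zone = self.iface[pkt.in_port]
        # Step 307: a reply to a translated address is mapped back straight from
        # the NAT table; the stored VPN-ID selects whose routing table to use.
        inner = self.nat_reverse.get((pkt.dst, pkt.dport))
        if src_vpn == PUBLIC_VPN and inner is not None:
            vpn, ip, port = inner
            return Result("forward", self.lookup_route(vpn, ip), dst=ip, dport=port)
        # Step 303: routing keyed by (VPN-ID, destination).
        out_port = self.lookup_route(src_vpn, pkt.dst)
        if out_port is None:
            return Result("drop", reason="no route in VPN %d" % src_vpn)
        # Step 304: target VPN-ID/ZONE-ID come from the outgoing interface; the
        # policy table is keyed by source and target VPN-ID and ZONE-ID.
        dst_vpn, dst_zone = self.iface[out_port]
        action = self.policy.get((src_vpn, src_zone, dst_vpn, dst_zone),
                                 self.default_action)
        if action != "permit":
            return Result("drop", reason="policy")
        if dst_vpn != PUBLIC_VPN:
            return Result("forward", out_port, pkt.src, pkt.sport)
        # Step 305: source NAT from the shared pool; the VPN-ID in the key keeps
        # identical private (ip, port) pairs from different VPNs apart.
        key = (src_vpn, pkt.src, pkt.sport)
        if key not in self.nat:
            self.nat[key] = (self.nat_pool_ip, self.next_port)
            self.nat_reverse[self.nat[key]] = key
            self.next_port += 1
        pub_ip, pub_port = self.nat[key]
        return Result("forward", out_port, pub_ip, pub_port)


def build_demo():
    """Two tenants using the same 10.0.0.0/24 range behind one firewall (constructed)."""
    net = ipaddress.ip_network
    fw = LocalVpnFirewall(nat_pool_ip="203.0.113.1")
    # eth0: public uplink (VPN-ID 0); eth1: VPN A; eth2/eth3: two zones of VPN B
    fw.iface = {"eth0": (0, 0), "eth1": (1, 10), "eth2": (2, 10), "eth3": (2, 20)}
    fw.routes = {(0, net("0.0.0.0/0")): "eth0", (1, net("10.0.0.0/24")): "eth1",
                 (2, net("10.0.0.0/24")): "eth2", (2, net("10.0.1.0/24")): "eth3"}
    fw.policy = {(1, 10, 0, 0): "permit", (2, 10, 0, 0): "permit"}  # zone 20: no permit
    return fw


if __name__ == "__main__":
    fw = build_demo()
    # Host A1 in VPN A and host B2 in VPN B both use 10.0.0.1:40000 (overlapping).
    for port in ("eth1", "eth2"):
        print(fw.process(Packet(port, "10.0.0.1", "198.51.100.3", 40000, 80)))
    print(fw.process(Packet("eth0", "198.51.100.3", "203.0.113.1", 80, 3001)))
    print(fw.process(Packet("eth1", "10.0.0.1", "10.0.1.9", 40001, 22)))
```

Running the module shows the two requests leaving eth0 as 203.0.113.1:3000 and 203.0.113.1:3001, the reply to port 3001 being restored to 10.0.0.1:40000 and routed out eth2 (VPN B, not VPN A, although both tenants own that address), and a packet from VPN A addressed to VPN B's 10.0.1.0/24 dropped with "no route in VPN 1" because the routing lookup never leaves VPN A's own table.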
For access between VPNs, the simplest approach is to use public network addresses inside the VPNs, so that inter-VPN access is treated the same as access to the outside; it can also be realized through a DNS server using Twice NAT (double translation), see the document "RFC2663 NAT Terminology and Considerations". Whichever approach is used, access control between VPNs can be conveniently realized through policy.
Finally it should be noted that the above embodiments are only intended to illustrate, not to limit, the technical scheme of the invention. Although the invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the invention may still be modified or equivalently substituted, and any modification or partial substitution that does not depart from the spirit and scope of the invention shall fall within the scope of the claims of the invention.

Claims (9)

1. A method of dividing local virtual private network regions based on a firewall, characterized by comprising the steps of:
configuring a VPN attribute value, VPN-ID, in the interface attribute table of the firewall;
adding a VPN-ID field to the lookup key of the routing table, with VPN-ID and destination IP as the lookup key;
adding VPN-ID to the lookup key of the security policy table;
dividing different local virtual private network regions according to VPN-ID.
2. The method of dividing local virtual private network regions based on a firewall according to claim 1, characterized in that: if the firewall provides special servers or supports NAT, a VPN-ID field and the destination IP address are added to the lookup key of the server table.
3. The method of dividing local virtual private network regions based on a firewall according to claim 1 or 2, characterized by comprising: if said firewall supports NAT translation, adding a VPN-ID field to the lookup key of the NAT translation table.
4. The method of dividing local virtual private network regions based on a firewall according to claim 1, characterized by further comprising: configuring a security zone number, ZONE-ID, in the interface attribute table of the firewall; and adding ZONE-ID to the lookup key of the security policy table.
5. The method of dividing local virtual private network regions based on a firewall according to claim 1, characterized in that said step of configuring the VPN attribute value VPN-ID in the interface attribute table of the firewall comprises: adding a VPN-ID for each internal interface of the firewall through the interface attribute table, the internal networks connected to all interfaces with the same VPN-ID constituting one local virtual private network.
6. The method of dividing local virtual private network regions based on a firewall according to claim 1, characterized in that said step of adding a VPN-ID field to the lookup key of the routing table, with VPN-ID and destination IP as the lookup key, comprises: looking up the routing table according to the destination IP address and VPN-ID of the packet; if found, recording the corresponding routing information; if not found, looking up the routing table to determine whether a public network address is being accessed; if still no route is found, dropping or redirecting according to the policy determined by the system.
7. The method of dividing local virtual private network regions based on a firewall according to claim 1, characterized in that in said step of adding a VPN-ID field to the lookup key of the routing table, with VPN-ID and destination IP as the lookup key, if the private addresses of each VPN are the private addresses defined in RFC1918, then according to the type of the destination IP address only the private network routing table or only the public network routing table is looked up.
8. The method of dividing local virtual private network regions based on a firewall according to claim 4, characterized in that: according to the VPN-ID and destination IP obtained in the step of adding a VPN-ID field to the lookup key of the routing table, with VPN-ID and destination IP as the lookup key, the target VPN-ID and ZONE-ID information is further obtained from the outgoing interface attribute table, and the security policy table is then looked up according to the source VPN-ID, source ZONE-ID and source IP address information; if the policy passes, the packet is forwarded; otherwise the packet is dropped or redirected according to the policy determined by the system.
9. The method of dividing local virtual private network regions based on a firewall according to claim 3, characterized in that: different VPNs share the public network address resource of the firewall through the NAT translation table, realizing multiplexing of the public network address resource and/or access between internal VPNs.
Publications (2)

Publication Number Publication Date
CN1697396A (en) 2005-11-16
CN100417078C (en) 2008-09-03

Family ID: 35349932

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6693878B1 (en) * 1999-10-15 2004-02-17 Cisco Technology, Inc. Technique and apparatus for using node ID as virtual private network (VPN) identifiers
CN1471275A (en) * 2002-07-23 2004-01-28 华为技术有限公司 Enterprise external virtual special network system and method using virtual router structure

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MPLS-VPN working characteristics. 陈启美, 张国强, 薛健. Electric Power Automation Equipment, Vol. 22, No. 10. 2002 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080903

Termination date: 20170510