WO2016107261A1 - Method for accessing vpn service, and network device - Google Patents

Method for accessing vpn service, and network device Download PDF

Info

Publication number
WO2016107261A1
Authority
WO
WIPO (PCT)
Prior art keywords
edge device
port
vpn
vpn tunnel
user site
Prior art date
Application number
PCT/CN2015/093091
Other languages
French (fr)
Chinese (zh)
Inventor
于德雷
赖晓
Original Assignee
Huawei Technologies Co., Ltd. (华为技术有限公司)
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. (华为技术有限公司)
Publication of WO2016107261A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks

Definitions

  • the present invention relates to communication technologies, and in particular, to a VPN service access method and a network device.
  • Virtual Private Network (VPN) is a technology for constructing private networks on a public data network. These private networks are isolated from each other: data of one private network is not transmitted to another. For user sites to exchange data over a VPN, each user site must first access the VPN service.
  • the current practice for a user site to access a VPN service is that the operator and the user manually negotiate all the user sites that need to access the VPN service, and the operator then manually configures the edge device connected to each of those user sites, so that each user site is connected to the VPN service.
  • because the edge device connected to a user site must be configured when that site accesses the VPN service, resources of the edge device are inevitably occupied. In the foregoing access mode the user site cannot access the VPN service on demand: even if a user site has no peer to transmit data with after accessing the VPN service, the operator still connects it to the VPN service, which wastes resources.
  • the technical problem solved by the present invention is to provide a VPN service access method and a network device that let a user site access the VPN service on demand, thereby reducing resource waste.
  • the present invention provides a method for accessing a virtual private network (VPN) service, including:
  • the network device receives a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device access the VPN service; when the first access request is received, the network device determines that a second user site requests to access the VPN service; and the network device configures the first edge device and a second edge device connected to the second user site, so that the first user site and the second user site access the VPN service.
  • the network device configuring the first edge device and the second edge device connected to the second user site, so that the first user site and the second user site access the VPN service, includes:
  • the network device deploys a first VPN tunnel from the first edge device to the second edge device, and deploys a second VPN tunnel from the second edge device to the first edge device, where the head end of the first VPN tunnel is associated with the first port, the tail end of the first VPN tunnel is associated with the second port, the head end of the second VPN tunnel is associated with the second port,
  • and the tail end of the second VPN tunnel is associated with the first port; the first port is the port on the first edge device that is connected to the first user site, and the second port is the port on the second edge device that is connected to the second user site.
  • the method further includes: the network device receives a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service; when the second access request is received, the network device determines that the first user site and the second user site have accessed the VPN service;
  • the network device deploys a third VPN tunnel from the first edge device to the third edge device, and deploys a fourth VPN tunnel from the third edge device to the first edge device, where the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with the third port, the head end of the fourth VPN tunnel is associated with the third port, the tail end of the fourth VPN tunnel is associated with the first port, and the third port is the port on the third edge device that is connected to the third user site;
  • the network device deploys a fifth VPN tunnel from the second edge device to the third edge device, and deploys a sixth VPN tunnel from the third edge device to the second edge device, where the head end of the fifth VPN tunnel is associated with the second port, the tail end of the fifth VPN tunnel is associated with the third port, the head end of the sixth VPN tunnel is associated with the third port, and the tail end of the sixth VPN tunnel is associated with the second port.
  • the method further includes:
  • the network device allocates a VPN tunnel identifier to the VPN service;
  • the network device deploying the first VPN tunnel from the first edge device to the second edge device, and the second VPN tunnel from the second edge device to the first edge device, includes:
  • the network device sends a first configuration parameter to the first edge device, where the first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device;
  • the network device sends a second configuration parameter to the second edge device, where the second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
  • the network device deploying the first VPN tunnel from the first edge device to the second edge device, and the second VPN tunnel from the second edge device to the first edge device, includes:
  • the network device sends a request for deploying the first VPN tunnel and the second VPN tunnel to a controller, where the request includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
  • the method further includes:
  • the network device receives a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site exit the VPN service and the second exit request is used to request that the second user site exit the VPN service; when the first exit request or the second exit request is received, the network device revokes the deployed first VPN tunnel and second VPN tunnel.
  • the method further includes:
  • the network device acquires related information used to indicate the deployment time of the first VPN tunnel and the second VPN tunnel, and sends the related information to a charging device.
  • the first access request further includes the account with which the first user site requests to access the VPN service;
  • the method further includes: the network device acquires the quality of service (QoS) corresponding to the account;
  • the network device deploying the first VPN tunnel from the first edge device to the second edge device includes:
  • the network device deploys the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
  • the method further includes:
  • after receiving the first access request, the network device stores information indicating that the first user site requests to access the VPN service;
  • the network device determining that the second user site requests to access the VPN service includes:
  • the network device determines that information indicating that the second user site requests to access the VPN service is stored.
  • the first edge device sends the first access request to the network device after receiving an online request of the first user site.
  • the present invention provides a network device, including:
  • a receiving unit configured to receive a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device access the virtual private network (VPN) service;
  • a processing unit configured to: when the receiving unit receives the first access request, determine that a second user site requests to access the VPN service, and configure the first edge device and a second edge device connected to the second user site, so that the first user site and the second user site access the VPN service.
  • the processing unit is specifically configured to deploy a first VPN tunnel from the first edge device to the second edge device and a second VPN tunnel from the second edge device to the first edge device, where the head end of the first VPN tunnel is associated with the first port, the tail end of the first VPN tunnel is associated with the second port, the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port; the first port is the port on the first edge device that is connected to the first user site, and the second port is the port on the second edge device that is connected to the second user site.
  • the receiving unit is further configured to receive a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service;
  • the processing unit is further configured to: when the receiving unit receives the second access request, determine that the first user site and the second user site have accessed the VPN service, and deploy a third VPN tunnel from the first edge device to the third edge device, a fourth VPN tunnel from the third edge device to the first edge device, a fifth VPN tunnel from the second edge device to the third edge device, and a sixth VPN tunnel from the third edge device to the second edge device;
  • the head end of the third VPN tunnel is associated with the first port and its tail end with the third port; the head end of the fourth VPN tunnel is associated with the third port and its tail end with the first port; the head end of the fifth VPN tunnel is associated with the second port and its tail end with the third port; the head end of the sixth VPN tunnel is associated with the third port and its tail end with the second port; the third port is the port on the third edge device that is connected to the third user site.
  • the network device further includes a sending unit;
  • the processing unit is further configured to allocate a VPN tunnel identifier to the VPN service;
  • when deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send a first configuration parameter to the first edge device through the sending unit, and to send a second configuration parameter to the second edge device through the sending unit;
  • the first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device;
  • the second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
  • the network device further includes a sending unit;
  • when deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send, through the sending unit, a request for deploying the first VPN tunnel and the second VPN tunnel to a controller, where the request includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
  • the receiving unit is further configured to receive a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site exit the VPN service and the second exit request is used to request that the second user site exit the VPN service;
  • the processing unit is further configured to: when the receiving unit receives the first exit request or the second exit request, revoke the deployed first VPN tunnel and second VPN tunnel.
  • the network device further includes a sending unit;
  • the processing unit is further configured to acquire related information used to indicate the deployment time of the first VPN tunnel and the second VPN tunnel;
  • the sending unit is configured to send the related information to a charging device.
  • the first access request further includes the account with which the first user site requests to access the VPN service;
  • the processing unit is further configured to acquire the quality of service (QoS) corresponding to the account;
  • the processing unit is specifically configured to deploy the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
  • the processing unit is further configured to store information indicating that the first user site requests to access the VPN service when the receiving unit receives the first access request;
  • the processing unit is specifically configured to determine that information indicating that the second user site requests to access the VPN service is stored.
  • the first edge device is a device that sends the first access request to the network device after receiving an online request of the first user site.
  • when the network device in the present invention receives the first access request, which requests that the first user site access the VPN service, it does not directly connect the first user site to the VPN service. It first determines that a second user site different from the first user site requests to access the VPN service, that is, that the first user site will be able to transmit data with the second user site after accessing the VPN service, and only then configures the first edge device connected to the first user site and the second edge device connected to the second user site so that both user sites access the VPN service. The first user site and the second user site are thus connected to the VPN service only when it is determined that the first user site can transmit data with the second user site; in other words, the first user site accesses the VPN service on demand, which avoids occupying the resources of the first edge device while the first user site has no peer to transmit data with. Resource waste is therefore reduced.
  • FIG. 1 is a schematic flow chart of an embodiment of a method provided by the present invention.
  • FIG. 3 is a schematic flow chart of another method embodiment provided by the present invention.
  • FIG. 5 shows a specific path of the first VPN tunnel acquired by the controller.
  • FIG. 6 is a schematic structural diagram of an apparatus embodiment of a network device according to the present invention.
  • FIG. 7 is a schematic structural diagram of another apparatus embodiment of a network device according to the present invention.
  • FIG. 8 is a schematic structural diagram of another apparatus embodiment of a network device according to the present invention.
  • in order to enable data transmission between user sites using a VPN, each user site must first be connected to the VPN service.
  • a user site is a user-side device.
  • each user site is connected to an edge device of the carrier through a physical connection.
  • the edge devices of the carrier can transmit data to each other through the backbone network.
  • the current practice for connecting a user site to a VPN service is that the operator and the user manually negotiate all the user sites that need to access the VPN service. Once all the user sites are determined, the edge device connected to each of them is manually configured to connect that user site to the VPN service.
  • the inventor has found that, because the edge device connected to a user site must be configured when that site accesses the VPN service, resources of the edge device are inevitably occupied.
  • moreover, in this access mode, even if a user site has no peer to transmit data with after accessing the VPN service, the operator still connects it to the VPN service.
  • the resources of the edge device connected to that user site are then occupied although the user site cannot transmit data, which wastes resources.
  • the following is illustrated by an example. It is assumed that there are three user sites: user site 01, user site 02, and user site 03.
  • a VPN service access method and a network device are provided to implement a user site to access a VPN service on demand, thereby reducing resource waste.
  • an embodiment of the present invention provides an embodiment of a method for accessing a VPN service.
  • FIG. 2 is only an exemplary description, and the specific structure thereof does not limit the embodiment of the present invention.
  • the first edge device and the second edge device belong to an edge device of the operator, and are connected through a backbone network.
  • the first edge device is connected to the first user site by means of a physical connection.
  • the first user site may also be referred to as being attached to the first edge device.
  • the first port connected to the first user site on the first edge device may be referred to as an access port of the first user site.
  • the second edge device is connected to the second user site, and the second port on the second edge device connected to the second user site may be referred to as an access port of the second user site.
  • the VPN data of the first user site and the second user site is transmitted through the first edge device, the backbone network, and the second edge device.
  • the solid lines indicate physical connections;
  • the broken lines indicate logical relationships, that is, the devices exchange control information over them.
  • 101: the network device receives a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
  • when the first edge device determines that the first user site needs to access the VPN service, for example after receiving an online request of the first user site, it sends the first access request to the network device.
  • the embodiment may therefore further include: the first edge device sends the first access request to the network device after receiving the online request of the first user site.
  • the user may apply for the VPN service in advance, for example on the website of the operator.
  • the VPN service may correspond to one registered account or to multiple registered accounts.
  • the network device saves the correspondence between the opened VPN service and the registered account(s).
  • the user may send an online request including the registered account to the first edge device; the first edge device determines, according to the registered account in the online request, that the first user site needs to access the VPN service, and sends the first access request to the network device.
  • the first edge device may further send the registered account to an authentication device for authentication, and send the first access request only after the authentication passes.
  • the first access request may include an identifier of the first user site and an identifier of the VPN service.
  • the identifier of the first user site may specifically be the port identifier of the first port.
  • the identifier of the VPN service may be allocated by the network device.
  • the first access request may be carried in billing (CC) information sent to the network device.
  • 102: the network device determines that a second user site requests to access the VPN service.
  • the second user site is a user site different from the first user site.
  • that is, the network device does not directly connect the first user site to the VPN service; it first determines whether a second user site different from the first user site requests to access the VPN service, and if so, the network device determines that the second user site requests to access the VPN service.
  • the network device determining that the second user site requests to access the VPN service indicates that both the first user site and the second user site request to access the VPN service, so that after both have accessed the VPN service the first user site can transmit data with the second user site.
  • the second user site may be any user site different from the first user site: when the network device determines that any user site other than the first user site requests to access the VPN service, that user site is taken as the second user site.
  • 103: the network device configures the first edge device and the second edge device connected to the second user site, so that the first user site and the second user site access the VPN service.
  • once the network device determines that a second user site different from the first user site requests to access the VPN service,
  • it can further determine that the first user site, after accessing
  • the VPN service, will be able to transmit data with the second user site, so the first edge device and the second edge device are configured to connect the first user site and the second user site to the VPN service.
  • the embodiment further includes: if the network device determines that no user site other than the first user site requests to access the VPN service, that is, the first user site could not transmit data after accessing the VPN service, 103 need not be performed and the process of this embodiment may end directly; after a preset period, the network device may again determine whether a second user site different from the first user site requests to access the VPN service.
  • when the network device in this embodiment receives the first access request, which requests that the first user site access the VPN service,
  • it does not directly connect the first user site to the VPN service, but first determines that a second user site different from the first user site requests to access the VPN service, that is, that the first user site, after accessing
  • the VPN service, will be able to transmit data with the second user site; it then configures the first edge device connected to the first user site and the second edge device connected to the second user site so that the first user site and the second user site access the VPN service.
  • the first user site and the second user site are thus connected to the VPN service only when data transmission between them is possible;
  • in other words, the first user site accesses the VPN service on demand, which avoids occupying the resources of the first edge device while the first user site cannot transmit data. Resource waste is therefore reduced.
  • the network device may be a device with a collaborative management function, such as a collaboration device, an orchestrator, or a network management device.
  • the first edge device and the second edge device may be Broadband Network Gateways (BNG).
  • abbreviations used in the figures: BNG, Broadband Network Gateway; CPE, customer premises equipment.
  • after receiving the first access request sent by the first edge device, the network device may further store information indicating that the first user site requests to access the VPN service, for example a correspondence between the VPN service and the port identifier of the first port. When an access request is later received from another edge device, the network device can determine from the stored information that the first user site has requested to access the VPN service. Correspondingly, the network device determining in 102 that the second user site requests to access the VPN service includes: the network device determines that information indicating that the second user site requests to access the VPN service is stored.
  • when the network device receives the first access request and determines that the second user site requests to access the VPN service, it configures the first edge device and the second edge device so that the first user site and the second user site access the VPN service.
  • the network device may configure the first edge device and the second edge device in either of two ways.
  • in the first configuration mode, the first user site and the second user site access the VPN service independently, that is, each user site that accesses the VPN service does not know the other user sites that access the VPN service.
  • in the second configuration mode, the first user site and the second user site are connected to the VPN service by deploying VPN tunnels between them.
  • the two configuration modes are described below.
  • in the first configuration mode, the network device configures the first edge device and the second edge device separately, so that the first user site and the second user site access the VPN service independently.
  • the network device sends a configuration parameter to the first edge device that contains only parameters for connecting the first user site to the VPN service, for example the port identifier of the first port, and no parameters related to the second user site.
  • the port identifier of the first port may be obtained from the first access request.
  • the network device may further send to the first edge device a first route target (RT) parameter and a first route distinguisher (RD) parameter that the network device allocates to the first user site.
  • RT: Route Target; RD: Route Distinguisher.
  • the configuration parameter sent by the network device to the second edge device likewise contains only parameters for connecting the second user site to the VPN service, for example the port identifier of the second port, and no parameters related to the first user site.
  • the port identifier of the second port may be obtained from the access request that requested the second user site to access the VPN service.
  • the network device may further send to the second edge device a second RT and a second RD that the network device allocates to the second user site.
  • the first edge device and the second edge device then connect the first user site and the second user site to the VPN service independently, according to the configuration parameters sent by the network device.
  • the second configuration mode may be adopted in some scenarios, for example when the VPN service applied for by the user is of the point-to-point service type: the VPN service is then deployed by deploying VPN tunnels between the first edge device and the second edge device. This is described below by way of an embodiment.
  • an embodiment of the present invention provides another method embodiment of a method for accessing a VPN service. Unlike the other embodiments, this embodiment focuses on accessing the VPN service by deploying VPN tunnels between the first edge device and the second edge device.
  • the method of this embodiment includes 301 to 303, where 301 and 302 are similar to 101 and 102 of the embodiment shown in FIG. 1, so their description is brief and the embodiment shown in FIG. 1 may be referred to; this embodiment focuses on 303.
  • 301: the network device receives a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
  • 302: the network device determines that a second user site requests to access the VPN service, the second user site being a user site different from the first user site.
  • 303: the network device deploys a first VPN tunnel from the first edge device to the second edge device, and deploys a second VPN tunnel from the second edge device to the first edge device.
  • the head end of the first VPN tunnel is associated with the first port, the tail end of the first VPN tunnel is associated with the second port, the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port.
  • the first port is the port on the first edge device that is connected to the first user site, that is, the access port of the first user site; the second port is the port on the second edge device that is connected to the second user site, that is, the access port of the second user site.
  • the head end of the first VPN tunnel being associated with the first port may specifically mean that a mapping between the first port and the first VPN tunnel is stored on the first edge device, so that the first edge device transmits data received on the first port through the first VPN tunnel according to that mapping.
  • the tail end of the first VPN tunnel being associated with the second port may specifically mean that a mapping between the second port and the first VPN tunnel is stored on the second edge device, so that the second edge device outputs data received over the first VPN tunnel to the second port according to that mapping.
  • the head end of the second VPN tunnel being associated with the second port, and its tail end with the first port, may be implemented in the same manner and is not described again here.
  • after receiving the first access request, the network device does not directly connect the first user site to the VPN service; it determines whether a second user site requests to access the VPN service, and if so, the network device has two user sites that access the VPN service and can deploy the first VPN tunnel and the second VPN tunnel to connect both to the VPN service.
  • the implementation manner of the second configuration manner is described, that is, the first VPN tunnel and the second VPN tunnel are deployed between the first edge device and the second edge device. And the first user site and the second user site are connected to the VPN service.
  • the first VPN tunnel and the second VPN tunnel are point-to-point VPN tunnels between the first user site and the second user site, and thus are compared to the first
  • the configuration mode is that the first user site and the second user site are independently connected to the VPN service, and the second configuration mode does not need to automatically discover the site, so there is no need to run a complicated discovery protocol.
  • Edge devices have lower equipment requirements and lower error rates.
• When a further user site accesses the VPN service, tunnels may likewise be deployed between its edge device and each of the first edge device and the second edge device.
• Specifically, the network device receives a second access request sent by a third edge device, requesting that a third user site connected to the third edge device access the VPN service. The network device determines that the first user site and the second user site have accessed the VPN service, and deploys a third VPN tunnel from the first edge device to the third edge device and a fourth VPN tunnel from the third edge device to the first edge device, the head end of the third VPN tunnel being associated with the first port, its tail end with the third port, the head end of the fourth VPN tunnel with the third port and its tail end with the first port, where the third port is the port on the third edge device connected to the third user site. The network device also deploys a fifth VPN tunnel from the second edge device to the third edge device and a sixth VPN tunnel from the third edge device to the second edge device, the head end of the fifth VPN tunnel being associated with the second port, its tail end with the third port, the head end of the sixth VPN tunnel with the third port and its tail end with the second port.
• The manner in which a port is associated with the head end or tail end of a tunnel follows the description above of the association of the first port with the head end of the first VPN tunnel and of the second port with the tail end of the second VPN tunnel; it is not repeated here.
• The network device may configure the first edge device and the second edge device directly to set up the first VPN tunnel and the second VPN tunnel, for example by sending configuration parameters to both edge devices.
• The network device may also configure the first edge device and the second edge device indirectly, for example by sending a request to another device, which then deploys the first VPN tunnel and the second VPN tunnel. Both modes are described below.
• In the direct mode, the embodiment may further include the network device allocating a VPN tunnel identifier for the VPN service, and step 303 of this embodiment comprises 3031 and 3032.
• The VPN tunnel identifier uniquely identifies the VPN tunnel, that is, the tunnel carrying the VPN service. The tunnel may be, for example, an MPLS LSP tunnel, an MPLS TE tunnel, an L2TP tunnel, a GRE tunnel or an IPsec tunnel; the tunnel type is not limited in this embodiment of the present invention.
• 3031: the network device sends a first configuration parameter to the first edge device, comprising the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device. The device identifier of the second edge device may specifically be the IP address of the second edge device.
• 3032: the network device sends a second configuration parameter to the second edge device, comprising the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device. The device identifier of the first edge device may specifically be the IP address of the first edge device.
• The first configuration parameter sent to the first edge device thus includes a parameter relating to the second user site, namely the device identifier of the second edge device, and the second configuration parameter sent to the second edge device includes a parameter relating to the first user site, namely the device identifier of the first edge device.
• The first edge device and the second edge device deploy the first VPN tunnel and the second VPN tunnel according to the first configuration parameter and the second configuration parameter, using any existing VPN tunnel setup procedure; this embodiment of the present invention does not limit the procedure.
• The network device may further send the first edge device the first RT and the first RD allocated to the first user site, and send the second edge device the second RT and the second RD allocated to the second user site.
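The following is an added example, not code from the patent or from Huawei, modelling the behaviour described above for the direct configuration mode: the network device records each access request, deploys nothing for a lone site, and, once a second site for the same VPN service is known, produces the configuration parameters (VPN tunnel identifier, the device's own port identifier, the peer edge device's identifier, plus the RT and RD allocated to the site) for both edge devices. A third site gets one tunnel to each site already known. The data-class field names, the identifier formats and the allocation of one tunnel identifier per pair of edge devices are assumptions made for illustration.

```python
"""On-demand point-to-point VPN provisioning by the network device (illustrative model)."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class AccessRequest:
    vpn_id: str     # identifier of the VPN service (allocated by the network device)
    edge_ip: str    # device identifier of the requesting edge device: its IP address
    port_id: str    # port on that edge device to which the user site is attached


@dataclass(frozen=True)
class EdgeConfig:
    """Configuration parameters pushed to one edge device in the direct mode."""
    target_ip: str   # edge device that receives these parameters
    tunnel_id: str   # VPN tunnel identifier allocated for the service
    local_port: str  # own access port: head end of the outgoing, tail end of the incoming tunnel
    peer_ip: str     # device identifier of the edge device at the far end
    rt: str          # route target allocated for this user site (assumed format)
    rd: str          # route distinguisher allocated for this user site (assumed format)


@dataclass(frozen=True)
class Site:
    edge_ip: str
    port_id: str
    rt: str
    rd: str


class NetworkDevice:
    """Holds, per VPN service, the user sites that have requested access."""

    def __init__(self) -> None:
        self.sites: dict = {}       # vpn_id -> list of Site
        self.tunnels: dict = {}     # tunnel_id -> (Site, Site)
        self._site_seq = count(1)
        self._tunnel_seq = count(1)

    def on_access_request(self, req: AccessRequest) -> list:
        """Record the request; return the configuration to push, empty if the site must wait."""
        known = self.sites.setdefault(req.vpn_id, [])
        if any(s.edge_ip == req.edge_ip and s.port_id == req.port_id for s in known):
            return []    # repeated request for a port already recorded: nothing to redeploy
        n = next(self._site_seq)
        new = Site(req.edge_ip, req.port_id, rt=f"{req.vpn_id}:{n}", rd=f"{req.edge_ip}:{n}")
        configs = []
        # No tunnel is built for a lone site. Every site already known gets one point-to-point
        # tunnel (both directions) to the new one, so a third site triggers two new tunnels.
        for peer in known:
            configs += self._deploy_tunnel(req.vpn_id, new, peer)
        known.append(new)
        return configs

    def _deploy_tunnel(self, vpn_id: str, a: Site, b: Site) -> list:
        tid = f"{vpn_id}-tunnel{next(self._tunnel_seq)}"
        self.tunnels[tid] = (a, b)
        # Each edge device learns the tunnel identifier, its own port and the peer's identifier;
        # the tunnel itself is then set up by the edge devices with any existing procedure.
        return [
            EdgeConfig(a.edge_ip, tid, a.port_id, b.edge_ip, a.rt, a.rd),
            EdgeConfig(b.edge_ip, tid, b.port_id, a.edge_ip, b.rt, b.rd),
        ]
```

The duplicate-request check matters in practice: an edge device that retransmits an access request after a timeout must not cause a second tunnel to the same port, which would waste exactly the edge-device resources the on-demand scheme is meant to save.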
• In the indirect mode, step 303 of the embodiment may include the network device sending the controller 401 a request to deploy the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device.
• The request to deploy the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device and the device identifier of the second edge device. It may further include the identifier of the VPN service.
• The controller 401 deploys the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device according to the request. When doing so, the controller 401 may determine the specific path of the two tunnels, that is, the path devices, from the device identifier of the first edge device and the device identifier of the second edge device.
• The controller 401 may be an SDN controller. It delivers a forwarding entry to each path device; the forwarding entry may include a label allocated by the controller 401 and an output port.
• The deployment of the first VPN tunnel is illustrated by a specific example.
• The path devices of the first VPN tunnel obtained by the controller 401 are BNG1, Router1, Router2 and BNG2, where BNG1 and BNG2 are the first edge device and the second edge device respectively.
  • the request sent by the network device to the controller 401 is:
  • the forwarding entry sent by the controller 401 to the BNG1 is:
  • the forwarding entry sent by the controller 401 to the Router1 is:
  • the forwarding entry sent by the controller 401 to the Router 2 is:
  • the forwarding entry sent by the controller 401 to the BNG2 is:
• Here port 1 is the first port, port 2 is the second port, ports 3 and 4 are the ports connecting BNG1 and Router1, ports 5 and 6 are the ports connecting Router1 and Router2, and ports 7 and 8 are the ports connecting Router2 and BNG2.
• Once a forwarding entry has been delivered to each path device, the first VPN tunnel is deployed between the first edge device and the second edge device; the path devices include the first edge device and the second edge device.
• The second VPN tunnel is deployed in the same way as the first VPN tunnel, and details are not repeated here.
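The following is an added example, not the patent's or Huawei's code, showing what the controller computes in the scenario above. The text states only that the controller delivers to each path device an entry containing a label it allocated and an output port; the MPLS-style push/swap/pop semantics, the match fields, the label range and the link-adjacency check are assumptions. The constructed topology follows the example: port 1 and port 2 are the access ports, and ports 3/4, 5/6 and 7/8 join BNG1 to Router1, Router1 to Router2 and Router2 to BNG2. The second VPN tunnel is derived by reversing the path.

```python
"""Per-hop forwarding entries for a label-switched tunnel along a controller-chosen path."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Hop:
    device: str
    in_port: int    # port on which the tunnel's traffic enters this device
    out_port: int   # port on which it leaves


@dataclass(frozen=True)
class ForwardingEntry:
    device: str
    match_in_port: int
    match_label: Optional[int]   # None at the head end, which classifies on the access port alone
    action: str                  # "push" at the head end, "swap" in transit, "pop" at the tail end
    label: Optional[int]         # label allocated by the controller; None at the tail end
    out_port: int


# Constructed topology and path from the text's example: BNG1 -> Router1 -> Router2 -> BNG2
LINKS = [
    (("BNG1", 3), ("Router1", 4)),
    (("Router1", 5), ("Router2", 6)),
    (("Router2", 7), ("BNG2", 8)),
]
FIRST_TUNNEL_PATH = [Hop("BNG1", 1, 3), Hop("Router1", 4, 5), Hop("Router2", 6, 7), Hop("BNG2", 8, 2)]


def reverse_path(path):
    """The second VPN tunnel crosses the same devices in the opposite direction."""
    return [Hop(h.device, h.out_port, h.in_port) for h in reversed(path)]


class Controller:
    def __init__(self, links, first_label: int = 100) -> None:
        self._peer = {}
        for a, b in links:
            self._peer[a] = b
            self._peer[b] = a
        self._labels = count(first_label)   # assumed controller-wide label allocation

    def deploy_tunnel(self, path):
        """Return one forwarding entry per path device for a unidirectional tunnel."""
        if len(path) < 2:
            raise ValueError("a tunnel needs a head end and a tail end")
        # Refuse a path whose hops are not adjacent before any entry reaches a device: a wrong
        # entry on one router would silently drop or misdeliver the VPN traffic.
        for prev, nxt in zip(path, path[1:]):
            if self._peer.get((prev.device, prev.out_port)) != (nxt.device, nxt.in_port):
                raise ValueError(f"{prev.device}:{prev.out_port} is not linked to {nxt.device}:{nxt.in_port}")
        entries = []
        incoming = None
        for i, hop in enumerate(path):
            if i == len(path) - 1:
                # tail end: strip the label and hand the data to the access port
                entries.append(ForwardingEntry(hop.device, hop.in_port, incoming, "pop", None, hop.out_port))
            else:
                label = next(self._labels)
                action = "push" if incoming is None else "swap"
                entries.append(ForwardingEntry(hop.device, hop.in_port, incoming, action, label, hop.out_port))
                incoming = label
        return entries
```

Matching on both the ingress port and the incoming label at every transit hop, rather than on the label alone, is the check a practitioner would keep: it prevents traffic that arrives on an unexpected port with a guessed label from being forwarded into the tunnel.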
• The VPN service may correspond to one or more accounts, and each account may have its own QoS; the first VPN tunnel may therefore be deployed with the QoS corresponding to the account used.
• Specifically, the first access request further includes the account with which the first user site requests the VPN service; the embodiment may further include the network device obtaining the QoS corresponding to that account, and deploying the first VPN tunnel from the first edge device to the second edge device on the basis of that QoS.
• The account with which the second user site requests the VPN service may be obtained in the same way, and the second VPN tunnel deployed according to the QoS corresponding to that account. The first VPN tunnel and the second VPN tunnel as finally deployed may therefore have different QoS.
• When the first VPN tunnel and the second VPN tunnel are deployed, bandwidth may be reserved for them. When the first user site or the second user site needs to leave the VPN service, for example when it requests to go offline, the first VPN tunnel and the second VPN tunnel may be revoked so that the bandwidth reserved for them is released.
• Specifically, the network device receives a first exit request sent by the first edge device or a second exit request sent by the second edge device, the first exit request requesting that the first user site leave the VPN service and the second exit request requesting that the second user site leave it; the network device then revokes the first VPN tunnel and the second VPN tunnel deployed between the first edge device and the second edge device.
• Conventionally, charging is performed according to the VPN service that has been opened. In this embodiment, charging may instead be based on the deployment time of the first VPN tunnel and the second VPN tunnel, that is, on the time during which the first user site is actually connected to the VPN service.
• The embodiment therefore further includes the network device obtaining information indicating the deployment time of the first VPN tunnel and the second VPN tunnel and sending that information to a charging device, which derives the deployment time from it and charges accordingly.
• The information may be the deployment duration itself, or the moment at which the first VPN tunnel and the second VPN tunnel were deployed together with the moment at which they were revoked, in which case the charging device calculates the deployment duration from the two moments.
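The following is an added example, not code from the patent or from Huawei, covering the three points above together: per-account QoS applied as a bandwidth reservation when a tunnel is deployed, release of that reservation when an exit request revokes the tunnel pair, and a charging record carrying the two moments from which the charging device computes the deployment duration. The QoS table, the capacity check against a single link budget and the record layout are assumptions; the caller supplies the clock so the example is deterministic.

```python
"""Bandwidth reservation, revocation on exit and deployment-time charging for tunnels."""
from dataclasses import dataclass

# Constructed QoS table (assumption): account -> bandwidth to reserve, in Mbit/s
ACCOUNT_QOS = {"acct-gold": 200, "acct-silver": 50}


@dataclass
class Tunnel:
    tunnel_id: str
    account: str
    bandwidth: int
    deployed_at: int      # seconds; supplied by the caller


@dataclass(frozen=True)
class ChargingRecord:
    """What the network device sends the charging device: the two moments, not a duration."""
    account: str
    tunnel_id: str
    deployed_at: int
    revoked_at: int

    def duration(self) -> int:
        # computed on the charging device side from the two moments
        return self.revoked_at - self.deployed_at


class TunnelManager:
    def __init__(self, capacity_mbps: int) -> None:
        self.capacity = capacity_mbps
        self.reserved = 0
        self.active = {}      # tunnel_id -> Tunnel
        self.records = []     # ChargingRecord, in order of revocation

    def deploy(self, tunnel_id: str, account: str, now: int) -> Tunnel:
        """Reserve the account's bandwidth for one tunnel, refusing to overcommit the link."""
        bw = ACCOUNT_QOS.get(account)
        if bw is None:
            raise KeyError(f"no QoS profile for account {account!r}")
        if tunnel_id in self.active:
            raise ValueError(f"tunnel {tunnel_id} is already deployed")
        if self.reserved + bw > self.capacity:
            raise RuntimeError(f"cannot reserve {bw} Mbit/s: {self.capacity - self.reserved} left")
        self.reserved += bw
        tunnel = Tunnel(tunnel_id, account, bw, now)
        self.active[tunnel_id] = tunnel
        return tunnel

    def revoke(self, tunnel_id: str, now: int) -> ChargingRecord:
        tunnel = self.active.pop(tunnel_id)
        self.reserved -= tunnel.bandwidth
        record = ChargingRecord(tunnel.account, tunnel_id, tunnel.deployed_at, now)
        self.records.append(record)
        return record

    def on_exit_request(self, tunnel_ids, now: int) -> list:
        """An exit request from either edge device revokes both tunnels of the pair;
        tunnels already gone (for example after a duplicate request) are ignored."""
        return [self.revoke(tid, now) for tid in tunnel_ids if tid in self.active]
```

Billing from the recorded moments rather than from the service order means a site that was provisioned but whose peer never came online is not charged for tunnel time, which is the point the text makes about on-demand access.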
• An embodiment of the present invention provides an apparatus embodiment, network device 600.
• FIG. 2 is only an exemplary description, and its specific structure does not limit the embodiment of the present invention.
• The network device is connected to a first edge device and a second edge device, both of which are edge devices of the operator connected through a backbone network.
• The first edge device is physically connected to a first user site, and the second edge device is physically connected to a second user site.
  • the network device 600 of this embodiment includes: a receiving unit 601 and a processing unit 602.
• The receiving unit 601 is configured to receive a first access request sent by the first edge device, the first access request requesting that the first user site connected to the first edge device access the VPN service.
• The first edge device sends the first access request to the network device 600 when it determines that the first user site needs to access the VPN service, for example after receiving an online request from the first user site.
  • the user may apply for the VPN service in advance, for example, the user may apply for the VPN service on the website of the operator.
  • the VPN service may correspond to one registered account, or may correspond to multiple registered accounts.
  • the network device 600 saves the correspondence between the opened VPN service and the registered account.
• The user may send the first edge device an online request containing the registered account; the first edge device determines from that account that the first user site needs to access the VPN service, and sends the first access request to the network device 600.
• The first edge device may further send the registered account to an authentication device for authentication, and send the first access request only after the authentication has passed.
  • the first access request may include an identifier of the first user site and an identifier of the VPN service.
  • the identifier of the first user site may specifically be a port identifier of the first port.
  • the identifier of the VPN service may be specifically allocated by the network device 600.
• The processing unit 602 is configured to determine, when the receiving unit 601 receives the first access request, that a second user site requests access to the VPN service, the second user site being a user site different from the first user site.
• That is, the processing unit 602 does not immediately connect the first user site to the VPN service; it first checks whether a second user site different from the first user site has requested the VPN service, and only then proceeds. Once both sites have requested the same VPN service and have been connected to it, the first user site can exchange data with the second user site.
• The second user site is any user site other than the first user site: the processing unit 602 determines that some user site different from the first user site has requested the VPN service and treats that site as the second user site.
• The processing unit 602 is further configured to, on determining that the second user site requests access to the VPN service, configure the first edge device and the second edge device connected to the second user site so as to connect the first user site and the second user site to the VPN service.
• Determining that a second user site has requested the VPN service establishes that the first user site will be able to exchange data after it is connected, so the first edge device and the second edge device are configured only then.
• Conversely, if no user site other than the first user site has requested the VPN service, the first user site could transmit no data after being connected; the processing unit 602 may therefore leave it unconnected and either end processing or, after a preset period, check again whether a second user site different from the first user site has requested the VPN service.
• In this way the first user site is connected to the VPN service on demand, only when it can actually exchange data with a second user site, which avoids occupying resources of the first edge device for a site that cannot transmit data and so reduces resource waste.
• The network device 600 may be a device with a coordination or management function, such as a coordination device, an orchestration device or a network management device.
• The first edge device and the second edge device may be BNGs (broadband network gateways), and the first user site and the second user site may be CPEs (customer premises equipment).
• When the receiving unit 601 receives the first access request from the first edge device, the processing unit 602 may also store the information that the first user site has requested the VPN service, for example the correspondence between the VPN service and the port identifier of the first port.
• From such stored information the processing unit 602 can later determine which user sites have requested a given VPN service; accordingly, determining that the second user site requests access to the VPN service may consist of finding stored information that the second user site has requested it.
• When the receiving unit 601 receives the first access request and the processing unit 602 determines that the second user site requests the VPN service, the processing unit 602 configures the first edge device and the second edge device so that the first user site and the second user site are connected to the VPN service.
• The processing unit 602 may configure the edge devices in either of two ways. In the first configuration mode, the first user site and the second user site are connected to the VPN service independently: each user site is connected without knowledge of the other user sites of the same VPN service. In the second configuration mode, the two sites are connected by deploying VPN tunnels between the first user site and the second user site. Both modes are described below.
• In the first configuration mode, the processing unit 602 configures the first edge device and the second edge device separately, so that the first user site and the second user site are connected to the VPN service independently.
• The network device 600 may further include a sending unit, through which the processing unit 602 sends the first edge device configuration parameters that relate only to connecting the first user site to the VPN service, for example the port identifier of the first port, and that include nothing relating to the second user site. The processing unit 602 may also send the first edge device, through the sending unit, the first RT and the first RD allocated by the network device 600 to the first user site.
• Likewise, the configuration parameters the processing unit 602 sends the second edge device relate only to connecting the second user site to the VPN service, for example the port identifier of the second port, and include nothing relating to the first user site. The port identifier of the second port may be taken from the access request in which the second user site asked to access the VPN service. The processing unit 602 may also send the second edge device the second RT and the second RD allocated by the network device 600 to the second user site.
• The first edge device and the second edge device then connect the first user site and the second user site independently to the VPN service according to the configuration parameters received from the network device 600.
• In the second configuration mode, in some scenarios, for example when the user requested the VPN service as a point-to-point service type, VPN tunnels are deployed between the first edge device and the second edge device to connect the sites to the VPN service. This is described in detail in the following embodiment.
• An embodiment of the present invention provides another apparatus embodiment, network device 700. Unlike the other embodiments, this one focuses on connecting the sites to the VPN service by deploying VPN tunnels between the first edge device and the second edge device.
• The network device 700 of this embodiment includes a receiving unit 701 and a processing unit 702.
• The receiving unit 701 is configured to receive a first access request sent by the first edge device, the first access request requesting that the first user site connected to the first edge device access the VPN service.
• The processing unit 702 is configured to determine, when the receiving unit 701 receives the first access request, that a second user site requests access to the VPN service, the second user site being a user site different from the first user site.
• The functions of the receiving unit 701 and the processing unit 702 are similar to those of the receiving unit 601 and the processing unit 602 in the embodiment shown in FIG. 6, so they are described only briefly.
• The processing unit 702 is further configured to, on determining that the second user site requests access to the VPN service, deploy a first VPN tunnel from the first edge device to the second edge device and a second VPN tunnel from the second edge device to the first edge device.
• The head end of the first VPN tunnel is associated with the first port and its tail end with the second port; the head end of the second VPN tunnel is associated with the second port and its tail end with the first port.
• The first port is the port on the first edge device connected to the first user site, that is, the access port of the first user site; the second port is the port on the second edge device connected to the second user site, that is, the access port of the second user site.
• The head end of the first VPN tunnel being associated with the first port means that a mapping between the first port and the first VPN tunnel is stored on the first edge device, so that the first edge device forwards data received on the first port into the first VPN tunnel according to that mapping.
• The tail end of the first VPN tunnel being associated with the second port means that a mapping between the second port and the first VPN tunnel is stored on the second edge device, so that the second edge device outputs data carried by the first VPN tunnel to the second port according to that mapping.
• The head end of the second VPN tunnel is associated with the second port and its tail end with the first port in the same way; details are not repeated here.
• The processing unit 702 does not immediately connect the first user site to the VPN service; it first determines whether a second user site has requested access to the VPN service. If so, the processing unit 702 knows two user sites that want the VPN service and connects both by deploying the first VPN tunnel and the second VPN tunnel.
• This realizes the second configuration mode: the first VPN tunnel and the second VPN tunnel are deployed between the first edge device and the second edge device, and the first user site and the second user site are thereby connected to the VPN service.
• Because both tunnels are point-to-point tunnels between the first user site and the second user site, the second configuration mode, unlike the first mode in which each site is connected to the VPN service independently, needs no automatic site discovery and therefore no complex discovery protocol; the requirements on the edge devices are lower and the error rate is lower.
• When a further user site accesses the VPN service, tunnels may likewise be deployed between its edge device and each of the first edge device and the second edge device.
• The receiving unit 701 is further configured to receive a second access request sent by a third edge device, the second access request requesting that a third user site connected to the third edge device access the VPN service.
• The processing unit 702 is further configured to, when the receiving unit 701 receives the second access request, determine that the first user site and the second user site have accessed the VPN service, and deploy a third VPN tunnel from the first edge device to the third edge device, a fourth VPN tunnel from the third edge device to the first edge device, a fifth VPN tunnel from the second edge device to the third edge device and a sixth VPN tunnel from the third edge device to the second edge device.
• The head end of the third VPN tunnel is associated with the first port and its tail end with the third port; the head end of the fourth VPN tunnel is associated with the third port and its tail end with the first port.
• The head end of the fifth VPN tunnel is associated with the second port and its tail end with the third port; the head end of the sixth VPN tunnel is associated with the third port and its tail end with the second port.
• The manner in which a port is associated with the head end or tail end of a tunnel follows the description above of the association of the first port with the head end of the first VPN tunnel and of the second port with the tail end of the second VPN tunnel; it is not repeated here.
• The processing unit 702 may configure the first edge device and the second edge device directly to set up the first VPN tunnel and the second VPN tunnel, for example by sending configuration parameters to both edge devices.
• The processing unit 702 may also configure the first edge device and the second edge device indirectly, for example by sending a request to another device, which then deploys the first VPN tunnel and the second VPN tunnel. Both modes are described below.
• In the direct mode, the network device 700 of this embodiment further includes a sending unit, and the processing unit 702 is further configured to allocate a VPN tunnel identifier for the VPN service. The VPN tunnel identifier uniquely identifies the VPN tunnel, that is, the tunnel carrying the VPN service.
• The processing unit 702 is specifically configured to send, through the sending unit, a first configuration parameter to the first edge device and a second configuration parameter to the second edge device. The first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port and the device identifier of the second edge device; the second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port and the device identifier of the first edge device.
• The first configuration parameter sent to the first edge device thus includes a parameter relating to the second user site, namely the device identifier of the second edge device, and the second configuration parameter sent to the second edge device includes a parameter relating to the first user site, namely the device identifier of the first edge device.
• The first edge device and the second edge device deploy the first VPN tunnel and the second VPN tunnel according to the first configuration parameter and the second configuration parameter, using any existing VPN tunnel setup procedure; this embodiment of the present invention does not limit the procedure.
• The processing unit 702 may be further configured to send, through the sending unit, the first RT and the first RD allocated to the first user site to the first edge device, and the second RT and the second RD allocated to the second user site to the second edge device.
• In the indirect mode, the network device 700 of this embodiment likewise further includes a sending unit. To deploy the first VPN tunnel and the second VPN tunnel of the VPN service between the first edge device and the second edge device, the processing unit 702 is specifically configured to send a controller, through the sending unit, a request to deploy the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device.
• The request to deploy the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device and the device identifier of the second edge device. It may further include the identifier of the VPN service.
• The controller deploys the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device according to the request. When doing so, the controller may determine the specific path of the two tunnels, that is, the path devices, from the device identifier of the first edge device and the device identifier of the second edge device, and deliver a forwarding entry to each path device; the forwarding entry may include a label allocated by the controller and an output port.
• The connection between the controller and the network device 700 may be as shown in FIG. 4. The controller may specifically be an SDN controller.
• The VPN service may correspond to one or more accounts, and each account may have its own QoS; the first VPN tunnel may therefore be deployed with the QoS corresponding to the account used.
• Specifically, the first access request further includes the account with which the first user site requests the VPN service; the processing unit 702 is further configured to obtain the QoS corresponding to that account, and to deploy the first VPN tunnel from the first edge device to the second edge device on the basis of that QoS.
• The processing unit 702 is further configured to obtain the account with which the second user site requests the VPN service and to deploy the second VPN tunnel according to the QoS corresponding to that account. The first VPN tunnel and the second VPN tunnel as finally deployed may therefore have different QoS.
• When the first VPN tunnel and the second VPN tunnel are deployed, bandwidth may be reserved for them; the first VPN tunnel and the second VPN tunnel may later be revoked so that the bandwidth reserved for them is released.
• The receiving unit 701 is further configured to receive a first exit request sent by the first edge device or a second exit request sent by the second edge device, the first exit request requesting that the first user site leave the VPN service and the second exit request requesting that the second user site leave it.
• The processing unit 702 is further configured to revoke, when the receiving unit 701 receives the first exit request or the second exit request, the first VPN tunnel and the second VPN tunnel deployed between the first edge device and the second edge device.
• The network device 700 of this embodiment further includes a sending unit; the processing unit 702 is further configured to obtain information indicating the deployment time of the first VPN tunnel and the second VPN tunnel, and the sending unit is configured to send that information to a charging device.
• The information may be the deployment duration itself, or the moment at which the first VPN tunnel and the second VPN tunnel were deployed together with the moment at which they were revoked, in which case the charging device calculates the deployment duration from the two moments.
  • the device embodiment of the network device in the embodiment of the present invention is described above from the perspective of a modular functional entity.
  • the device embodiment of the network device in the embodiment of the present invention will be described below from the perspective of hardware processing.
  • an embodiment of the present invention provides another apparatus embodiment of a network device.
  • the network device 800 of this embodiment may be a microprocessor computer.
  • the network device 800 may be a general-purpose computer, a customized machine, or a portable device such as a mobile phone terminal or a tablet.
  • the network device 800 includes a processor 804, a memory 806, a communication interface 802, and a bus 808.
  • the processor 804, the memory 806, and the communication interface 802 are connected by the bus 808 and complete communication with each other.
  • the bus 808 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
  • the bus 808 can be divided into one or more of an address bus, a data bus, and a control bus. For ease of representation, only one thick line is shown in Figure 8, but it does not mean that there is only one bus or one type of bus.
  • the memory 806 is for storing executable program code, the program code including computer operating instructions.
  • when the network device 800 executes the program code, the network device 800 can perform the embodiment shown in FIG. 1 or FIG. 3, and can also implement all the functions of the network device in the embodiment shown in FIG. 6 or FIG. 7.
  • the memory 806 may include a high-speed random access memory (RAM).
  • the memory 806 may further include a non-volatile memory.
  • the memory 806 can include a disk storage.
  • the processor 804 may be a central processing unit (CPU) or an application specific integrated circuit (ASIC), or the processor 804 may be one or more integrated circuits configured to implement the embodiments of the present invention.
  • the communication interface 802 is configured to receive the first access request sent by the first edge device in the embodiments shown in FIG. 1 and FIG. 3, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
  • the processor 804 is configured to read the instructions stored in the memory 806, so as to perform, in the embodiments shown in FIG. 1 and FIG. 3, determining that a second user site requests to access the VPN service, where the second user site is a user site different from the first user site, and configuring the first edge device and a second edge device connected to the second user site, so that the first user site and the second user site access the VPN service.
  • each functional unit of the network device provided by the present invention may be a specific implementation based on the method of the embodiment shown in FIG. 1 or FIG. 3 and the function of the apparatus shown in FIG. 6 or FIG.
  • the definitions and descriptions of the terms are consistent with the embodiments shown in FIGS. 1, 3, 6, and 7, and are not described herein again.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Provided are a method for accessing a VPN service, and a network device. The method comprises: a network device receiving a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device access the VPN service; determining that a second user site requests to access the VPN service; and configuring the first edge device and a second edge device connected to the second user site, so that the first user site and the second user site access the VPN service. Thus, in the present invention, the first user site and the second user site are connected to the VPN service only once it is determined that the first user site will be able to transmit data with the second user site after accessing the VPN service. This avoids, as far as possible, the situation in which resources of the first edge device are occupied but the first user site cannot transmit any data, and therefore reduces resource waste.

Description

VPN service access method and network device
This application claims priority to Chinese Patent Application No. CN 201410850003.4, filed with the Chinese Patent Office on December 31, 2014 and entitled "VPN service access method and network device", which is incorporated herein by reference in its entirety.
Technical field
The present invention relates to communication technologies, and in particular to a VPN service access method and a network device.
Background
A virtual private network (VPN) is a technology for constructing private networks on a public data network. These private networks are isolated from one another, and data of one private network is not transmitted into another private network. For user sites to transmit data between each other over a VPN, the user sites first need to access the VPN service.
The current common practice for connecting user sites to a VPN service is that the operator and the user manually negotiate all the user sites that need to access the VPN service, and the edge device connected to each of those user sites is then manually configured, so that each of the user sites is connected to the VPN service.
However, because the edge device connected to a user site must be configured when that user site accesses the VPN service, resources of the edge device are inevitably occupied. In the access mode above, user sites cannot access the VPN service on demand: even if a user site will be unable to transmit any data after accessing the VPN service, the operator still connects that user site to the VPN service, which wastes resources.
Summary of the invention
The technical problem solved by the present invention is to provide a VPN service access method and a network device, so that user sites access a VPN service on demand, thereby reducing resource waste.
To this end, the technical solution of the present invention for solving the technical problem is as follows.
In a first aspect, the present invention provides a method for accessing a virtual private network (VPN) service, including:
receiving, by a network device, a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device access the VPN service;
determining, by the network device, that a second user site requests to access the VPN service; and
configuring, by the network device, the first edge device and a second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
In a first possible implementation of the first aspect, the configuring, by the network device, the first edge device and the second edge device connected to the second user site so as to connect the first user site and the second user site to the VPN service includes:
deploying, by the network device, a first VPN tunnel from the first edge device to the second edge device, and deploying a second VPN tunnel from the second edge device to the first edge device, where the head end of the first VPN tunnel is associated with a first port, the tail end of the first VPN tunnel is associated with a second port, the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port; the first port is the port on the first edge device that is connected to the first user site, and the second port is the port on the second edge device that is connected to the second user site.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the method further includes:
receiving, by the network device, a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service;
determining, by the network device, that the first user site and the second user site have accessed the VPN service;
deploying, by the network device, a third VPN tunnel from the first edge device to the third edge device, and deploying a fourth VPN tunnel from the third edge device to the first edge device, where the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with a third port, the head end of the fourth VPN tunnel is associated with the third port, and the tail end of the fourth VPN tunnel is associated with the first port, the third port being the port on the third edge device that is connected to the third user site; and
deploying, by the network device, a fifth VPN tunnel from the second edge device to the third edge device, and deploying a sixth VPN tunnel from the third edge device to the second edge device, where the head end of the fifth VPN tunnel is associated with the second port, the tail end of the fifth VPN tunnel is associated with the third port, the head end of the sixth VPN tunnel is associated with the third port, and the tail end of the sixth VPN tunnel is associated with the second port.
With reference to the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further includes:
allocating, by the network device, a VPN tunnel identifier to the VPN service; and
the deploying, by the network device, a first VPN tunnel from the first edge device to the second edge device and deploying a second VPN tunnel from the second edge device to the first edge device includes:
sending, by the network device, a first configuration parameter to the first edge device, where the first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device; and
sending, by the network device, a second configuration parameter to the second edge device, where the second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
With reference to the first or second possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the deploying, by the network device, a first VPN tunnel from the first edge device to the second edge device and deploying a second VPN tunnel from the second edge device to the first edge device includes:
sending, by the network device, a request for deploying the first VPN tunnel and the second VPN tunnel to a controller, where the request for deploying the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
With reference to any one of the first to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the method further includes:
receiving, by the network device, a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site exit the VPN service, and the second exit request is used to request that the second user site exit the VPN service; and
revoking, by the network device, the first VPN tunnel and the second VPN tunnel.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the method further includes:
obtaining, by the network device, related information indicating the deployment time of the first VPN tunnel and the second VPN tunnel; and
sending, by the network device, the related information to a charging device.
With reference to any one of the first to sixth possible implementations of the first aspect, in a seventh possible implementation of the first aspect, the first access request further includes an account with which the first user site requests to access the VPN service;
the method further includes:
obtaining, by the network device, a quality of service (QoS) corresponding to the account; and
the deploying, by the network device, a first VPN tunnel from the first edge device to the second edge device includes:
deploying, by the network device, the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
With reference to the first aspect or any one of the first to seventh possible implementations of the first aspect, in an eighth possible implementation of the first aspect, the method further includes:
storing, by the network device after receiving the first access request, information that the first user site requests to access the VPN service; and
the determining, by the network device, that a second user site requests to access the VPN service includes:
determining, by the network device, that information that the second user site requests to access the VPN service is stored.
With reference to the first aspect or any one of the first to eighth possible implementations of the first aspect, in a ninth possible implementation of the first aspect, the method further includes:
sending, by the first edge device, the first access request to the network device after receiving an online request from the first user site.
In a second aspect, the present invention provides a network device, including:
a receiving unit, configured to receive a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device access a virtual private network (VPN) service; and
a processing unit, configured to, when the receiving unit receives the first access request, determine that a second user site requests to access the VPN service, and configure the first edge device and a second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
In a first possible implementation of the second aspect, when configuring the first edge device and the second edge device connected to the second user site so as to connect the first user site and the second user site to the VPN service, the processing unit is specifically configured to deploy a first VPN tunnel from the first edge device to the second edge device and a second VPN tunnel from the second edge device to the first edge device, where the head end of the first VPN tunnel is associated with a first port, the tail end of the first VPN tunnel is associated with a second port, the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port; the first port is the port on the first edge device that is connected to the first user site, and the second port is the port on the second edge device that is connected to the second user site.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the receiving unit is further configured to receive a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service;
the processing unit is further configured to, when the receiving unit receives the second access request, determine that the first user site and the second user site have accessed the VPN service, and deploy a third VPN tunnel from the first edge device to the third edge device, a fourth VPN tunnel from the third edge device to the first edge device, a fifth VPN tunnel from the second edge device to the third edge device, and a sixth VPN tunnel from the third edge device to the second edge device;
the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with a third port, the head end of the fourth VPN tunnel is associated with the third port, the tail end of the fourth VPN tunnel is associated with the first port, the head end of the fifth VPN tunnel is associated with the second port, the tail end of the fifth VPN tunnel is associated with the third port, the head end of the sixth VPN tunnel is associated with the third port, and the tail end of the sixth VPN tunnel is associated with the second port, the third port being the port on the third edge device that is connected to the third user site.
With reference to the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the network device further includes a sending unit;
the processing unit is further configured to allocate a VPN tunnel identifier to the VPN service;
when deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send a first configuration parameter to the first edge device through the sending unit, and to send a second configuration parameter to the second edge device through the sending unit;
the first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device; the second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
With reference to the first or second possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the network device further includes a sending unit;
when deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send, through the sending unit, a request for deploying the first VPN tunnel and the second VPN tunnel to a controller, where the request for deploying the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
With reference to any one of the first to fourth possible implementations of the second aspect, in a fifth possible implementation of the second aspect, the receiving unit is further configured to receive a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site exit the VPN service, and the second exit request is used to request that the second user site exit the VPN service;
the processing unit is further configured to, when the receiving unit receives the first exit request or the second exit request, revoke the deployed first VPN tunnel and second VPN tunnel.
With reference to the fifth possible implementation of the second aspect, in a sixth possible implementation of the second aspect, the network device further includes a sending unit;
the processing unit is further configured to obtain related information indicating the deployment time of the first VPN tunnel and the second VPN tunnel; and
the sending unit is configured to send the related information to a charging device.
With reference to any one of the first to sixth possible implementations of the second aspect, in a seventh possible implementation of the second aspect, the first access request further includes an account with which the first user site requests to access the VPN service;
the processing unit is further configured to obtain a quality of service (QoS) corresponding to the account; and
when deploying the first VPN tunnel from the first edge device to the second edge device, the processing unit is specifically configured to deploy the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
With reference to the second aspect or any one of the first to seventh possible implementations of the second aspect, in an eighth possible implementation of the second aspect, the processing unit is further configured to store, when the receiving unit receives the first access request, information that the first user site requests to access the VPN service; and
when determining that a second user site requests to access the VPN service, the processing unit is specifically configured to determine that information that the second user site requests to access the VPN service is stored.
With reference to the second aspect or any one of the first to eighth possible implementations of the second aspect, in a ninth possible implementation of the second aspect, the first edge device is a device that sends the first access request to the network device after receiving an online request from the first user site.
It can be seen from the foregoing technical solutions that, in the present invention, when the network device receives a first access request for requesting that a first user site access a VPN service, it does not directly connect the first user site to the VPN service. Instead, only when it determines that a second user site different from the first user site requests to access the VPN service, that is, when the first user site will be able to transmit data with the second user site after accessing the VPN service, does it configure the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service. Thus, in the present invention, the first user site and the second user site are connected to the VPN service only when it is determined that the first user site will be able to transmit data with the second user site after accessing the VPN service; that is, the first user site accesses the VPN service on demand, which avoids as far as possible the situation in which resources of the first edge device are occupied but the first user site cannot transmit data, and therefore reduces resource waste.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a method embodiment provided by the present invention;
FIG. 2 is a network topology used in an embodiment of the present invention;
FIG. 3 is a schematic flowchart of another method embodiment provided by the present invention;
FIG. 4 is another network topology used in an embodiment of the present invention;
FIG. 5 is a specific path of the first VPN tunnel obtained by the controller;
FIG. 6 is a schematic structural diagram of an apparatus embodiment of a network device provided by the present invention;
FIG. 7 is a schematic structural diagram of another apparatus embodiment of a network device provided by the present invention;
FIG. 8 is a schematic structural diagram of another apparatus embodiment of a network device provided by the present invention.
Detailed description
In order for user sites to transmit data with each other over a VPN, the user sites first need to access the VPN service. A user site is a user-side device; each user site is generally connected to an edge device of the operator through a physical connection, and the operator's edge devices can transmit data to each other through a backbone network.
The current practice for connecting a user site to a VPN service is that the operator and the user manually negotiate all the user sites that need to access the VPN service; once all the user sites have been determined, the edge device connected to each of these user sites is manually configured, so that each user site is connected to the VPN service.
However, the inventors found through research that, because accessing a VPN service requires configuring the edge device connected to the user site, resources of that edge device are necessarily occupied. In the above access manner, on-demand access of user sites to the VPN service cannot be implemented: even when a user site would be unable to transmit any data after accessing the VPN service, the operator still connects that user site to the VPN service. As a result, the resources of the edge device connected to the user site are occupied even though the user site cannot transmit data, which wastes resources. This is illustrated by an example. Assume there are three user sites: user site 01, user site 02, and user site 03. If user site 02 and user site 03 are offline or have not accessed the VPN service, then even if user site 01 accesses the VPN service, it cannot transmit data with user site 02 or user site 03; yet in the above access manner the edge device connected to user site 01 is still configured to connect it to the VPN service, which wastes resources.
Embodiments of the present invention therefore provide a VPN service access method and a network device, so as to implement on-demand access of user sites to the VPN service and thereby reduce resource waste.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms "first", "second", "third", "fourth", and the like in the specification, claims, and accompanying drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data used in this way may be interchanged where appropriate, so that the embodiments described herein can be implemented in orders other than those illustrated or described herein. Moreover, the terms "include" and "have" and any variations thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product, or device.
Referring to FIG. 1, an embodiment of the present invention provides a method embodiment of a VPN service access method.
To better understand the technical solution of this embodiment, an optional network topology used by this embodiment is described below with reference to FIG. 2. It should be noted that FIG. 2 is merely an illustrative example, and its specific structure does not limit the embodiments of the present invention.
As shown in FIG. 2, the first edge device and the second edge device are edge devices of the operator and are connected through the backbone network. The first edge device is connected to the first user site through a physical connection; in the art, the first user site is also said to be attached to the first edge device. The first port, that is, the port on the first edge device that is connected to the first user site, may be called the access port of the first user site. Similarly, the second edge device is connected to the second user site, and the second port, that is, the port on the second edge device that is connected to the second user site, may be called the access port of the second user site. VPN data of the first user site and the second user site needs to be transmitted through the first edge device, the backbone network, and the second edge device. It should be noted that in FIG. 2 and FIG. 4 of the present invention, solid lines represent physical connections and dashed lines represent logical relationships, that is, the devices exchange control information.
The method of this embodiment includes:
101: The network device receives a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
In this embodiment of the present invention, the first edge device may send the first access request to the network device when it determines that the first user site needs to access the VPN service, for example after receiving an online request from the first user site. Accordingly, this embodiment may further include: the first edge device receives the online request of the first user site and then sends the first access request to the network device.
In a specific implementation, a user may apply in advance to open the VPN service, for example on the operator's website. The VPN service may correspond to one registered account or to multiple registered accounts. The network device stores the correspondence between the opened VPN service and the registered account(s). After the VPN service is opened, the user may send an online request that includes the registered account to the first edge device; the first edge device determines, from the registered account in the online request, that the first user site needs to access the VPN service, and therefore sends the first access request to the network device. The first edge device may also send the registered account to an authentication device for authentication and send the first access request only after the authentication succeeds.
In this embodiment of the present invention, the first access request may include an identifier of the first user site and an identifier of the VPN service. The identifier of the first user site may specifically be the port identifier of the first port. The identifier of the VPN service may be allocated by the network device. The first access request may be carried in accounting copy information sent to the network device.
102: The network device determines that a second user site requests access to the VPN service, where the second user site is a user site different from the first user site.
In this embodiment of the present invention, after receiving the first access request, the network device does not directly connect the first user site to the VPN service; instead, it further determines whether a second user site, different from the first user site, has requested access to the VPN service. If so, the network device determines that the second user site requests access to the VPN service.
If the network device determines that the second user site requests access to the VPN service, both the first user site and the second user site have requested access to the VPN service, which means that once the first user site and the second user site are connected to the VPN service, the first user site will be able to transmit data with the second user site.
It should be noted that, in this embodiment of the present invention, the second user site refers to any user site different from the first user site. That is, when the network device determines that any user site different from the first user site has requested access to the VPN service, it treats that user site as the second user site.
103: The network device configures the first edge device and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
In this embodiment of the present invention, when the network device determines that a second user site different from the first user site requests access to the VPN service, it can further determine that the first user site will be able to transmit data with the second user site after accessing the VPN service; it therefore configures the first edge device and the second edge device so as to connect the first user site and the second user site to the VPN service.
Optionally, this embodiment further includes: if the network device determines that no user site other than the first user site has requested access to the VPN service, meaning that the first user site would be unable to transmit data even after accessing the VPN service, step 103 is not executed. The procedure of this embodiment may end directly, or, after a preset period, the network device may re-determine whether a second user site different from the first user site has requested access to the VPN service.
It can be seen from the foregoing technical solution that, in this embodiment of the present invention, when the network device receives the first access request for requesting access of the first user site to the VPN service, it does not directly connect the first user site to the VPN service. Instead, only when it determines that the second user site, different from the first user site, requests access to the VPN service, which indicates that the first user site will be able to transmit data with the second user site once it accesses the VPN service, does it configure the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service. In other words, the first user site and the second user site are connected to the VPN service only once it is determined that the first user site, after accessing the VPN service, can transmit data with the second user site. This implements on-demand access of the first user site to the VPN service and, as far as possible, avoids the situation in which the resources of the first edge device are occupied while the first user site cannot transmit any data, thereby reducing resource waste.
In this embodiment of the present invention, the network device may be a device with a coordinated management function, such as a coordination device, an orchestrator, or a network management device. The first edge device and the second edge device may be broadband network gateways (BNG). The first user site and the second user site may be customer premises equipment (CPE).
In this embodiment of the present invention, after receiving the first access request sent by the first edge device, the network device may also store information indicating that the first user site has requested access to the VPN service, for example the correspondence between the VPN service and the port identifier of the first port. When it later receives an access request sent by another edge device, it can determine from the stored information that the first user site has requested access to the VPN service. Accordingly, the network device determining in step 102 that a second user site requests access to the VPN service may include: the network device determines that it has stored information indicating that the second user site requests access to the VPN service.
In this embodiment of the present invention, when the network device receives the first access request and determines that a second user site requests access to the VPN service, it configures the first edge device and the second edge device so as to connect the first user site and the second user site to the VPN service. When configuring the first edge device and the second edge device, the network device may use either of two configuration manners. In the first configuration manner, the first user site and the second user site access the VPN service independently; that is, after accessing the VPN service, each user site does not learn of the other user devices that have accessed the VPN service. In the second configuration manner, the first user site and the second user site are connected to the VPN service by deploying a VPN tunnel between them. The two configuration manners are described separately below.
First configuration manner: the network device may configure the first edge device and the second edge device separately, so that the first user site and the second user site access the VPN service independently.
For example, the network device sends configuration parameters to the first edge device that include only the parameters needed to connect the first user site to the VPN service, such as the port identifier of the first port, and that do not include any configuration parameter related to the second user site. The port identifier of the first port may be obtained from the first access request. In some scenarios, the network device may additionally send to the first edge device a first route target (RT) parameter and a first route distinguisher (RD) parameter that the network device allocates to the first user site. Similarly, the configuration parameters that the network device sends to the second edge device include only the parameters needed to connect the second user site to the VPN service, such as the port identifier of the second port, and do not include any configuration parameter related to the first user site. The port identifier of the second port may be obtained from the access request that requests access of the second user site to the VPN service. In some scenarios, the network device may additionally send to the second edge device a second RT and a second RD that it allocates to the second user site. Based on the configuration parameters sent by the network device, the first edge device and the second edge device are each connected to the VPN service independently.
Second configuration manner: in some scenarios, for example when the user sets the VPN service to a point-to-point service type when applying for it, the second configuration manner may be used, that is, the VPN service is accessed by deploying a VPN tunnel between the first edge device and the second edge device. This is described in detail below through an embodiment.
Referring to FIG. 3, an embodiment of the present invention provides another method embodiment of a VPN service access method. Unlike the other embodiments, this embodiment focuses on accessing the VPN service by deploying a VPN tunnel between the first edge device and the second edge device.
The method of this embodiment includes steps 301 to 303, where 301 and 302 are similar to 101 and 102 of the embodiment shown in FIG. 1; their description is therefore brief, and the embodiment shown in FIG. 1 may be referred to for related details. This embodiment focuses on step 303.
301: The network device receives a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
302: The network device determines that a second user site requests access to the VPN service, where the second user site is a user site different from the first user site.
303: The network device deploys a first VPN tunnel from the first edge device to the second edge device, and deploys a second VPN tunnel from the second edge device to the first edge device.
The head end of the first VPN tunnel is associated with the first port and the tail end of the first VPN tunnel is associated with the second port; the head end of the second VPN tunnel is associated with the second port and the tail end of the second VPN tunnel is associated with the first port. The first port is the port on the first edge device that is connected to the first user site, that is, the access port of the first user site; the second port is the port on the second edge device that is connected to the second user site, that is, the access port of the second user site.
One implementation of associating the head end or tail end of a VPN tunnel with a port in the embodiments of the present invention is described below. Associating the head end of the first VPN tunnel with the first port may specifically take the form of storing, on the first edge device, a mapping between the first port and the first VPN tunnel, so that the first edge device transmits data received from the first port through the first VPN tunnel according to that mapping. Associating the tail end of the first VPN tunnel with the second port may specifically take the form of storing, on the second edge device, a mapping between the second port and the first VPN tunnel, so that the second edge device outputs the data carried by the first VPN tunnel to the second port according to that mapping.
Similarly, associating the head end of the second VPN tunnel with the second port and the tail end of the second VPN tunnel with the first port may take the same form, which is not described again here.
Because, in this embodiment of the present invention, the network device does not directly connect the first user site to the VPN service after receiving the first access request but instead determines whether a second user site has requested access to the VPN service, a positive determination means that the network device has actually obtained two user sites that access the VPN service, and it can connect these two user sites to the VPN service by deploying the first VPN tunnel and the second VPN tunnel.
This embodiment thus describes an implementation of the second configuration manner: the first user site and the second user site are connected to the VPN service by deploying the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device. The first VPN tunnel and the second VPN tunnel are in fact point-to-point VPN tunnels between the first user site and the second user site in which the peer is already known. Compared with the first configuration manner, in which the first user site and the second user site access the VPN service independently, the second configuration manner does not require automatic site discovery and therefore does not need to run a complex discovery protocol, which places lower requirements on the edge devices and yields a lower error rate.
In this embodiment, after the first VPN tunnel and the second VPN tunnel have been deployed between the first edge device and the second edge device, if another user site requests access to the VPN service, VPN tunnels may be deployed between the edge device connected to that user site and each of the first edge device and the second edge device. Specifically: the network device receives a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service; the network device determines that the first user site and the second user site have accessed the VPN service; the network device deploys a third VPN tunnel from the first edge device to the third edge device and a fourth VPN tunnel from the third edge device to the first edge device, where the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with a third port, the head end of the fourth VPN tunnel is associated with the third port, the tail end of the fourth VPN tunnel is associated with the first port, and the third port is the port on the third edge device that is connected to the third user site; and the network device deploys a fifth VPN tunnel from the second edge device to the third edge device and a sixth VPN tunnel from the third edge device to the second edge device, where the head end of the fifth VPN tunnel is associated with the second port, the tail end of the fifth VPN tunnel is associated with the third port, the head end of the sixth VPN tunnel is associated with the third port, and the tail end of the sixth VPN tunnel is associated with the second port. For the specific form of associating a port with the head end or tail end of a tunnel, refer to the description of associating the head end of the first VPN tunnel with the first port and the tail end of the second VPN tunnel with the second port, which is not repeated here.
It should be noted that the network device may deploy the first VPN tunnel and the second VPN tunnel by configuring the first edge device and the second edge device directly, for example by sending configuration parameters to them. The network device may also configure the first edge device and the second edge device indirectly, for example by sending a request to another device, which then deploys the first VPN tunnel and the second VPN tunnel. The two manners are described separately below.
The direct configuration manner is described first. This embodiment may further include: the network device allocates a VPN tunnel identifier to the VPN service. Step 303 of this embodiment includes 3031 and 3032. The VPN tunnel identifier uniquely identifies the VPN tunnel. A VPN tunnel is a tunnel used to carry the VPN service and may be, for example, an MPLS LSP tunnel, an MPLS TE tunnel, an L2TP tunnel, a GRE tunnel, or an IPsec tunnel; this is not limited in the embodiments of the present invention.
3031: The network device sends first configuration parameters to the first edge device, the first configuration parameters including the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device. The device identifier of the second edge device may specifically be the IP address of the second edge device.
3032: The network device sends second configuration parameters to the second edge device, the second configuration parameters including the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device. The device identifier of the first edge device may specifically be the IP address of the first edge device.
It can be seen that the first configuration parameters sent to the first edge device include a configuration parameter related to the second user site, namely the device identifier of the second edge device, and the second configuration parameters sent to the second edge device include a configuration parameter related to the first user site, namely the device identifier of the first edge device. The first edge device and the second edge device deploy the first VPN tunnel and the second VPN tunnel according to the first configuration parameters and the second configuration parameters; any existing VPN tunnel deployment manner may be used, which is not limited in the embodiments of the present invention. In some scenarios, the network device may additionally send to the first edge device the first RT and first RD allocated to the first user site, and send to the second edge device the second RT and second RD allocated to the second user site.
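The on-demand logic of steps 101 to 103 (301 to 303), the port-to-tunnel mappings that realise the head-end/tail-end association on each edge device, the direct configuration of 3031/3032, and the third-site extension described above, as a constructed simulation. This is an added example and is not code from the patent or from Huawei; the device names PE1/PE2/PE3, the IP addresses, the port identifiers, the `NetworkDevice`/`EdgeDevice` classes, the in-memory store of pending requests and the scheme of one tunnel identifier per site pair are all assumptions made for illustration.

```python
"""Simulation of on-demand VPN access (steps 101-103 / 301-303, 3031-3032).
Added example; names, addresses, ports and message shapes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class EdgeDevice:
    """Edge device (e.g. a BNG). Holds the port <-> tunnel mappings that make a
    tunnel head end / tail end 'associated with' an access port (step 303)."""
    device_id: str  # assumed to be the device's IP address, as in 3031/3032
    # access port -> tunnels whose head end sits on that port
    head_ends: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    # (tunnel id, remote edge) -> access port that receives the tunnel's tail end
    tail_ends: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def apply_config(self, tunnel_id: str, port_id: str, remote_id: str) -> None:
        """Apply {tunnel id, local port id, remote device id}: data received on
        port_id enters the tunnel toward remote_id, data leaving that tunnel is
        output on port_id."""
        self.head_ends.setdefault(port_id, []).append((tunnel_id, remote_id))
        self.tail_ends[(tunnel_id, remote_id)] = port_id

    def egress_for(self, port_id: str) -> List[Tuple[str, str]]:
        return list(self.head_ends.get(port_id, []))


class NetworkDevice:
    """Orchestrator / network-management device of the embodiments."""

    def __init__(self, edges: Dict[str, EdgeDevice], provisioned_vpns: List[str]):
        self.edges = edges
        self.provisioned = set(provisioned_vpns)  # VPN services opened by users
        # VPN id -> access ports (edge, port) that have requested access (stored
        # so that a later request from another edge can find the first site)
        self.requests: Dict[str, List[Tuple[str, str]]] = {}
        self.deployed: List[Tuple[str, str, str, str]] = []

    def handle_access_request(self, edge_id: str, port_id: str,
                              vpn_id: str) -> List[Tuple[str, str, str, str]]:
        """Step 101: access request {site id = access port, VPN id}. Returns the
        (edge, port, peer edge, peer port) pairs for which tunnels were deployed
        by this request; empty when nothing was configured."""
        if vpn_id not in self.provisioned:
            raise ValueError(f"VPN service {vpn_id!r} has not been opened")
        sites = self.requests.setdefault(vpn_id, [])
        if (edge_id, port_id) in sites:
            return []                      # duplicate request: nothing to do
        # Step 102: is there a *different* site that requested this VPN?
        peers = list(sites)
        sites.append((edge_id, port_id))
        if not peers:
            # No peer yet: leave the edge device unconfigured. Its resources
            # would be occupied while the site could not transmit anything.
            return []
        # Step 103: one tunnel pair between the new site and every peer
        # (covers the second-site case and the third-site case alike).
        newly = []
        for peer_edge, peer_port in peers:
            self._deploy_tunnel_pair(vpn_id, edge_id, port_id, peer_edge, peer_port)
            newly.append((edge_id, port_id, peer_edge, peer_port))
        return newly

    def _deploy_tunnel_pair(self, vpn_id: str, a_edge: str, a_port: str,
                            b_edge: str, b_port: str) -> None:
        """3031/3032: each edge receives {tunnel id, its own access port, the
        other edge's device id}. A tunnel id per site pair is an assumption."""
        tunnel_id = f"{vpn_id}/{min(a_edge, b_edge)}-{max(a_edge, b_edge)}"
        self.edges[a_edge].apply_config(tunnel_id, a_port, b_edge)
        self.edges[b_edge].apply_config(tunnel_id, b_port, a_edge)
        self.deployed.append((a_edge, a_port, b_edge, b_port))


def demo() -> NetworkDevice:
    """Constructed scenario: three edge devices, three sites, one VPN service."""
    edges = {name: EdgeDevice(device_id=ip) for name, ip in
             [("PE1", "192.0.2.1"), ("PE2", "192.0.2.2"), ("PE3", "192.0.2.3")]}
    nd = NetworkDevice(edges, provisioned_vpns=["vpn-100"])
    first = nd.handle_access_request("PE1", "ge0/0/1", "vpn-100")   # no peer yet
    second = nd.handle_access_request("PE2", "ge0/0/5", "vpn-100")  # one pair
    third = nd.handle_access_request("PE3", "ge0/0/2", "vpn-100")   # two pairs
    assert first == [] and len(second) == 1 and len(third) == 2
    return nd


if __name__ == "__main__":
    for edge in demo().edges.values():
        print(edge.device_id, edge.head_ends)
```

Two points the simulation makes visible: after the first request nothing is written to PE1, which is exactly the resource saving the text argues for, and the network device refuses a request for a VPN identifier it has not recorded as opened, mirroring the stored correspondence between the VPN service and registered accounts.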
The indirect configuration manner is described below; here the first VPN tunnel and the second VPN tunnel are deployed by sending a request to another device. Referring to FIG. 4, step 303 of this embodiment may specifically include: the network device sends, to a controller 401, a request to deploy the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device, where the request includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device and the device identifier of the second edge device. The request to deploy the first VPN tunnel and the second VPN tunnel may further include the identifier of the VPN service.
After receiving the request, the controller 401 deploys the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device according to the request. When deploying the first VPN tunnel and the second VPN tunnel, the controller 401 may obtain the specific paths of the first VPN tunnel and the second VPN tunnel from the device identifier of the first edge device and the device identifier of the second edge device, that is, determine the path devices (the devices traversed) of the first VPN tunnel and the second VPN tunnel. The controller 401 then generates, according to the path, the port identifier of the first port and the port identifier of the second port, a forwarding entry for each path device and delivers it to that device, so that each path device transmits data according to its forwarding entry. The controller 401 may be an SDN controller.
The forwarding entry may include a label allocated by the controller 401 and an output port. The manner of deploying the first VPN tunnel is illustrated below with a specific example. As shown in FIG. 5, the path devices of the first VPN tunnel obtained by the controller 401 are, in order: BNG1, Router1, Router2 and BNG2, where BNG1 and BNG2 are the first edge device and the second edge device, respectively.
The request sent by the network device to the controller 401 is:
port1/BNG1-->port2/BNG2
The forwarding entry sent by the controller 401 to BNG1 is:
port1-->port3, with label 100
The forwarding entry sent by the controller 401 to Router1 is:
port4 with label 100-->port5 with label 200
The forwarding entry sent by the controller 401 to Router2 is:
port6 with label 200-->port7 with label 100
The forwarding entry sent by the controller 401 to BNG2 is:
port8 with label 100-->port2
Here port1 is the first port, port2 is the second port, port3 and port4 are the ports connecting BNG1 and Router1, port5 and port6 are the ports connecting Router1 and Router2, and port7 and port8 are the ports connecting Router2 and BNG2.
It can be seen that, by delivering the forwarding entries to each path device through the controller 401, the first VPN tunnel is deployed between the first edge device and the second edge device; the path devices include the first edge device and the second edge device themselves. The second VPN tunnel is deployed in a manner similar to the first VPN tunnel, and is not described again here.
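The controller behaviour of the FIG. 5 example, as an added worked example that is not part of the patent and not Huawei's code: a small Python model that parses a request in the `port1/BNG1-->port2/BNG2` form, checks that the computed path really starts and ends at the requested edge devices and access ports, allocates labels, and generates the per-hop forwarding entries (push at the head-end edge device, swap on transit routers, pop at the tail-end edge device). The names `Hop`, `LabelAllocator`, `build_forwarding_entries` and `page_example` are assumptions, as is the label model: labels are treated as locally significant at the device that receives them, and label 100 is assumed (constructed) to be already in use on Router2, which is why the generated entries carry labels 100, 200 and 100 exactly as on the page.

```python
"""Added example: controller-side generation of per-hop forwarding entries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Hop:
    """One device on the tunnel path, with the port the tunnel enters and leaves on."""
    device: str
    in_port: str
    out_port: str


@dataclass(frozen=True)
class ForwardingEntry:
    device: str
    in_port: str
    in_label: Optional[int]   # None on the head-end edge device (plain port ingress)
    out_port: str
    out_label: Optional[int]  # None on the tail-end edge device (label popped)

    def render(self) -> str:
        """Render in the page's 'portX with label N-->portY with label M' style."""
        left = self.in_port if self.in_label is None else f"{self.in_port} with label {self.in_label}"
        right = self.out_port if self.out_label is None else f"{self.out_port} with label {self.out_label}"
        return f"{left}-->{right}"


class LabelAllocator:
    """Assumption of this example: a label is locally significant at the device that
    receives it, so the allocator keeps one label space per device."""

    def __init__(self, start: int = 100, step: int = 100) -> None:
        self.start, self.step = start, step
        self._in_use: Dict[str, Set[int]] = {}

    def reserve(self, device: str, label: int) -> None:
        """Mark a label as already used on a device (e.g. by another tunnel)."""
        self._in_use.setdefault(device, set()).add(label)

    def allocate(self, device: str) -> int:
        used = self._in_use.setdefault(device, set())
        label = self.start
        while label in used:
            label += self.step
        used.add(label)
        return label


_REQUEST = re.compile(r"^(?P<head_port>\w+)/(?P<head_dev>\w+)-->(?P<tail_port>\w+)/(?P<tail_dev>\w+)$")


def parse_request(request: str) -> Dict[str, str]:
    """Parse 'port1/BNG1-->port2/BNG2' into its head/tail port and device names."""
    match = _REQUEST.match(request.strip())
    if not match:
        raise ValueError(f"malformed tunnel request: {request!r}")
    return match.groupdict()


def request_matches_path(request: str, path: List[Hop]) -> bool:
    """Sanity check before pushing state: the path must start at the requested head-end
    device/port and end at the requested tail-end device/port."""
    req = parse_request(request)
    return (len(path) >= 2
            and path[0].device == req["head_dev"] and path[0].in_port == req["head_port"]
            and path[-1].device == req["tail_dev"] and path[-1].out_port == req["tail_port"])


def build_forwarding_entries(request: str, path: List[Hop], allocator: LabelAllocator) -> List[ForwardingEntry]:
    """Generate one forwarding entry per path device, head end first."""
    if not request_matches_path(request, path):
        raise ValueError("computed path does not match the requested edge devices/ports")
    entries: List[ForwardingEntry] = []
    in_label: Optional[int] = None
    for i, hop in enumerate(path):
        is_tail = i == len(path) - 1
        # The outgoing label is owned by the next device, which will match on it.
        out_label = None if is_tail else allocator.allocate(path[i + 1].device)
        entries.append(ForwardingEntry(hop.device, hop.in_port, in_label, hop.out_port, out_label))
        in_label = out_label
    return entries


def page_example() -> List[ForwardingEntry]:
    """The FIG. 5 path; port numbers are the ones given on the page."""
    path = [Hop("BNG1", "port1", "port3"), Hop("Router1", "port4", "port5"),
            Hop("Router2", "port6", "port7"), Hop("BNG2", "port8", "port2")]
    allocator = LabelAllocator()
    allocator.reserve("Router2", 100)  # constructed: label 100 already taken on Router2
    return build_forwarding_entries("port1/BNG1-->port2/BNG2", path, allocator)


if __name__ == "__main__":
    for entry in page_example():
        print(f"{entry.device}: {entry.render()}")
```

The endpoint check in `request_matches_path` is the one thing a practitioner would add before delivering entries: a path computed from device identifiers that does not terminate on the requested access ports would silently stitch a user site's port to the wrong tunnel.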
Optionally, in this embodiment, since the VPN service may correspond to one or more accounts and each account may correspond to a different QoS, the first VPN tunnel may also be deployed according to the QoS corresponding to the account used by the user. Specifically, the first access request further includes the account with which the first user site requests access to the VPN service; this embodiment may further include: the network device obtains the QoS corresponding to that account; and the network device deploying the first VPN tunnel from the first edge device to the second edge device includes: the network device deploys the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to that account. Further, the account with which the second user site requests access to the VPN service may also be obtained, and the second VPN tunnel deployed according to the QoS corresponding to that account. The first VPN tunnel and the second VPN tunnel finally deployed may therefore have different QoS.
Further optionally, in this embodiment, when the first VPN tunnel and the second VPN tunnel are deployed, bandwidth may also be reserved for them; and when the first user site or the second user site needs to exit the VPN service, for example when the first user site or the second user site requests to go offline, the first VPN tunnel and the second VPN tunnel may further be revoked to release the bandwidth reserved for them. In a specific implementation, the network device receives a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request requests that the first user site exit the VPN service and the second exit request requests that the second user site exit the VPN service; the network device then revokes the first VPN tunnel and the second VPN tunnel deployed between the first edge device and the second edge device.
At present, because a VPN service cannot be accessed on demand, charging for a VPN service is generally based on the QoS of the provisioned VPN service. Further optionally, in this embodiment, since the first VPN tunnel and the second VPN tunnel are deployed and revoked on demand, charging may be based on the deployment time of the first VPN tunnel and the second VPN tunnel, that is, on the actual time during which the first user site is connected to the VPN service. In a specific implementation, this embodiment further includes: the network device obtains information indicating the deployment time of the first VPN tunnel and the second VPN tunnel, and sends this information to a charging device; the charging device can obtain the deployment time of the first VPN tunnel and the second VPN tunnel from this information and charge according to that deployment time. The information may be the deployment time of the first VPN tunnel and the second VPN tunnel itself, or it may be the moment at which the first VPN tunnel and the second VPN tunnel were deployed together with the moment at which they were revoked, from which two moments the charging device calculates the deployment time of the first VPN tunnel and the second VPN tunnel.
The embodiments of the VPN service access method in the embodiments of the present invention have been described above. The apparatus embodiments of the network device in the embodiments of the present invention are described below from the perspective of modular functional entities.
Referring to FIG. 6, an embodiment of the present invention provides an apparatus embodiment of a network device 600.
For a better understanding of the technical solution of the embodiments of the present invention, an optional network topology in which the network device of this embodiment is used is described below with reference to FIG. 2. It should be noted that FIG. 2 is only an exemplary illustration, and its specific structure does not limit the embodiments of the present invention. As shown in FIG. 2, the network device is connected to a first edge device and a second edge device; both are edge devices of an operator and are connected to each other through a backbone network. The first edge device is connected to a first user site by a physical connection, and the second edge device is connected to a second user site by a physical connection.
The network device 600 of this embodiment includes a receiving unit 601 and a processing unit 602.
The receiving unit 601 is configured to receive a first access request sent by the first edge device, where the first access request requests that the first user site connected to the first edge device be connected to a VPN service.
In the embodiments of the present invention, the first edge device may send the first access request to the network device 600 when it determines that the first user site needs to access the VPN service, for example after receiving an online request from the first user site. That is, the first edge device may be the device that sends the first access request to the network device 600 after receiving the online request of the first user site.
In a specific implementation, the user may apply in advance for the VPN service to be provisioned, for example on the operator's website. The VPN service may correspond to one registered account or to multiple registered accounts. The network device 600 stores the correspondence between the provisioned VPN service and the registered account(s). After the VPN service has been provisioned, the user may send an online request that includes a registered account to the first edge device; the first edge device determines from the registered account in the online request that the first user site needs to access the VPN service, and accordingly sends the first access request to the network device 600. The first edge device may also send the registered account to an authentication device for authentication, and send the first access request only after authentication has succeeded.
In the embodiments of the present invention, the first access request may include an identifier of the first user site and an identifier of the VPN service. The identifier of the first user site may specifically be the port identifier of the first port. The identifier of the VPN service may specifically be allocated by the network device 600.
The processing unit 602 is configured to determine, when the receiving unit 601 receives the first access request, that a second user site has requested access to the VPN service, where the second user site is a user site different from the first user site.
In the embodiments of the present invention, after the receiving unit 601 receives the first access request, the processing unit 602 does not directly connect the first user site to the VPN service, but first determines whether a second user site, different from the first user site, has requested access to the VPN service; if so, the processing unit 602 has determined that the second user site has requested access to the VPN service.
If the processing unit 602 determines that the second user site has requested access to the VPN service, this means that both the first user site and the second user site have requested access to the VPN service, and therefore that, once the first user site and the second user site are connected to the VPN service, the first user site will be able to exchange data with the second user site.
It should be noted that, in the embodiments of the present invention, the second user site refers to any user site different from the first user site. That is, the processing unit 602 is specifically configured to, when it determines that any user site different from the first user site has requested access to the VPN service, treat that user site as the second user site.
The processing unit 602 is further configured to, when it determines that the second user site has requested access to the VPN service, configure the first edge device and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
In the embodiments of the present invention, when the processing unit 602 determines that a second user site different from the first user site has requested access to the VPN service, it can further determine that the first user site will be able to exchange data with the second user site after accessing the VPN service, and therefore configures the first edge device and the second edge device so as to connect the first user site and the second user site to the VPN service.
The processing unit 602 may further be configured to: if it determines that no user site other than the first user site has requested access to the VPN service, meaning that the first user site could not transmit any data even after accessing the VPN service, refrain from connecting the first user site to the VPN service; it may then either end processing, or re-determine, after a preset period, whether a second user site different from the first user site has requested access to the VPN service.
According to the above technical solution, when the receiving unit 601 in the embodiments of the present invention receives the first access request requesting that the first user site be connected to the VPN service, the processing unit 602 does not directly connect the first user site to the VPN service; instead, only when it determines that a second user site different from the first user site has requested access to the VPN service, which means that the first user site will be able to exchange data with the second user site after accessing the VPN service, does it configure the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service. Thus, in the present invention, the first user site and the second user site are connected to the VPN service only once it has been determined that the first user site will be able to exchange data with the second user site after accessing the VPN service; that is, the first user site accesses the VPN service on demand. This avoids, as far as possible, the situation in which resources of the first edge device are occupied while the first user site cannot transmit any data, and therefore reduces wasted resources.
In the embodiments of the present invention, the network device 600 may be a device with a coordinated management function, such as a coordination device, an orchestration device or a network management device. The first edge device and the second edge device may be BNGs, and the first user site and the second user site may be CPEs.
In the embodiments of the present invention, when the receiving unit 601 receives the first access request sent by the first edge device, the processing unit 602 may further be configured to store information that the first user site has requested access to the VPN service, for example by specifically storing the correspondence between the VPN service and the port identifier of the first port. When the receiving unit 601 later receives an access request sent by another edge device, the processing unit 602 can then determine from the stored information that the first user site has requested access to the VPN service. Accordingly, when determining that a second user site has requested access to the VPN service, the processing unit 602 may specifically be configured to determine that information that the second user site has requested access to the VPN service has been stored.
In the embodiments of the present invention, when the receiving unit 601 receives the first access request and the processing unit 602 determines that the second user site has requested access to the VPN service, the processing unit 602 configures the first edge device and the second edge device so as to connect the first user site and the second user site to the VPN service. When configuring the first edge device and the second edge device, the processing unit 602 may use either of two configuration manners. In the first configuration manner, the first user site and the second user site are connected to the VPN service independently, that is, a user site that has been connected to the VPN service does not learn of the other user devices connected to the VPN service. In the second configuration manner, the first user site and the second user site are connected to the VPN service by deploying VPN tunnels between the first user site and the second user site. The two configuration manners are described separately below.
First configuration manner: the processing unit 602 may configure the first edge device and the second edge device separately, so that the first user site and the second user site are connected to the VPN service independently.
For example, the network device 600 may further include a sending unit, through which the processing unit 602 sends configuration parameters to the first edge device. These configuration parameters include only the parameters needed to connect the first user site to the VPN service, for example the port identifier of the first port, and do not include any configuration parameter related to the second user site. The port identifier of the first port may be obtained from the first access request. In some scenarios, the processing unit 602 may further send, through the sending unit, the first RT and the first RD that the network device 600 has allocated for the first user site to the first edge device. Similarly, the configuration parameters that the processing unit 602 sends to the second edge device through the sending unit include only the parameters needed to connect the second user site to the VPN service, for example the port identifier of the second port, and do not include any configuration parameter related to the first user site. The port identifier of the second port may be obtained from the access request that requests that the second user site be connected to the VPN service. In some scenarios, the processing unit 602 may further send, through the sending unit, the second RT and the second RD that the network device 600 has allocated for the second user site to the second edge device. According to the configuration parameters sent by the network device 600, the first edge device and the second edge device are each connected to the VPN service independently.
Second configuration manner: in practice, in some scenarios, for example when the user sets the VPN service to a point-to-point service type when applying for it, the VPN service may be accessed by deploying VPN tunnels between the first edge device and the second edge device. This is described in detail below by way of an embodiment.
Referring to FIG. 7, an embodiment of the present invention provides another apparatus embodiment of a network device 700. Unlike the other embodiments, this embodiment focuses on accessing the VPN service by deploying VPN tunnels between the first edge device and the second edge device.
The network device 700 of this embodiment includes a receiving unit 701 and a processing unit 702.
The receiving unit 701 is configured to receive a first access request sent by the first edge device, where the first access request requests that the first user site connected to the first edge device be connected to the VPN service.
The processing unit 702 is configured to determine, when the receiving unit 701 receives the first access request, that a second user site has requested access to the VPN service, where the second user site is a user site different from the first user site.
The above functions of the receiving unit 701 and the processing unit 702 are similar to the corresponding functions of the receiving unit 601 and the processing unit 602 in the embodiment shown in FIG. 6, so they are described only briefly here; for the details, refer to the embodiment shown in FIG. 6.
The processing unit 702 is further configured to, when it determines that the second user site has requested access to the VPN service, deploy a first VPN tunnel from the first edge device to the second edge device and a second VPN tunnel from the second edge device to the first edge device.
The head end of the first VPN tunnel is associated with the first port and its tail end with the second port; the head end of the second VPN tunnel is associated with the second port and its tail end with the first port. The first port is the port on the first edge device that is connected to the first user site, that is, the access port of the first user site; the second port is the port on the second edge device that is connected to the second user site, that is, the access port of the second user site.
One implementation of associating the head end or tail end of a VPN tunnel with a port in the embodiments of the present invention is described below. Associating the head end of the first VPN tunnel with the first port may specifically take the form of storing, on the first edge device, a mapping between the first port and the first VPN tunnel, so that the first edge device, according to this mapping, transmits data received from the first port through the first VPN tunnel. Associating the tail end of the first VPN tunnel with the second port may specifically take the form of storing, on the second edge device, a mapping between the second port and the first VPN tunnel, so that the second edge device, according to this mapping, outputs the data carried by the first VPN tunnel to the second port.
Similarly, the association of the head end of the second VPN tunnel with the second port and of the tail end of the second VPN tunnel with the first port may take the same form as described above, and is not described again here.
Since, in the embodiments of the present invention, the processing unit 702 does not directly connect the first user site to the VPN service after the receiving unit 701 receives the first access request, but first determines whether a second user site has requested access to the VPN service, the processing unit 702 has in fact, if so, obtained two user sites that are to access the VPN service, and can connect these two user sites to the VPN service by deploying the first VPN tunnel and the second VPN tunnel.
It can be seen that this embodiment describes an implementation of the second configuration manner, in which the first user site and the second user site are connected to the VPN service by deploying the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device. The first VPN tunnel and the second VPN tunnel are in fact point-to-point VPN tunnels between the first user site and the second user site whose far ends are already known. Compared with the first configuration manner, in which the first user site and the second user site are connected to the VPN service independently, the second configuration manner therefore does not need to discover sites automatically and so does not need to run a complex discovery protocol; it places lower requirements on the edge devices and has a lower error rate.
In this embodiment, after the first VPN tunnel and the second VPN tunnel have been deployed between the first edge device and the second edge device, if a further user site requests access to the VPN service, VPN tunnels may be deployed between the edge device connected to that user site and each of the first edge device and the second edge device. Specifically, the receiving unit 701 is further configured to receive a second access request sent by a third edge device, where the second access request requests that a third user site connected to the third edge device be connected to the VPN service; and the processing unit 702 is further configured to, when the receiving unit 701 receives the second access request, determine that the first user site and the second user site have accessed the VPN service, and deploy a third VPN tunnel from the first edge device to the third edge device, a fourth VPN tunnel from the third edge device to the first edge device, a fifth VPN tunnel from the second edge device to the third edge device, and a sixth VPN tunnel from the third edge device to the second edge device. The head end of the third VPN tunnel is associated with the first port and its tail end with a third port; the head end of the fourth VPN tunnel is associated with the third port and its tail end with the first port; the head end of the fifth VPN tunnel is associated with the second port and its tail end with the third port; and the head end of the sixth VPN tunnel is associated with the third port and its tail end with the second port. For the specific form that the association of a port with the head end or tail end of a tunnel takes, refer to the description of the association of the head end of the first VPN tunnel with the first port and of the tail end of the second VPN tunnel with the second port; it is not repeated here.
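The on-demand access logic of the processing unit (600/700 embodiments) described above, as an added example that is not part of the patent and not Huawei's code, and which goes slightly beyond the text by running the whole sequence on one object: a site is only recorded on its first access request; a tunnel pair is deployed only once a second, different site requests the same VPN service; a further site gets a tunnel pair to every site already in the VPN (the third to sixth tunnels above), each tunnel taking the QoS of the account its head-end site used; an exit request revokes every tunnel that ends at the leaving site; and the deployment and revocation moments are kept so the deployment time can be reported for charging. The class and method names, the `Site`/`Tunnel` records and the account-to-QoS table are assumptions, and all sites, accounts and timestamps are constructed.

```python
"""Added example: on-demand VPN access orchestration on the network device."""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Site:
    """A user site is identified by its access port on the edge device (e.g. a BNG)."""
    edge_device: str
    port: str


@dataclass(frozen=True)
class Tunnel:
    tunnel_id: int
    vpn_id: str
    head: Site   # head end: traffic enters the tunnel from head.port on head.edge_device
    tail: Site   # tail end: traffic leaves the tunnel on tail.port of tail.edge_device
    qos: str     # QoS of the account with which the head-end site requested access


@dataclass
class TunnelRecord:
    tunnel: Tunnel
    deployed_at: float
    revoked_at: Optional[float] = None


class AccessOrchestrator:
    def __init__(self, account_qos: Dict[str, str]) -> None:
        self._account_qos = account_qos                 # account -> QoS class (assumed table)
        self._members: Dict[str, Dict[Site, str]] = {}  # vpn_id -> {site: account} (stored requests)
        self._records: Dict[int, TunnelRecord] = {}
        self._ids = itertools.count(1)

    def access_request(self, vpn_id: str, site: Site, account: str, now: float) -> List[Tunnel]:
        """Handle an access request from an edge device. Returns the tunnels deployed,
        which stays empty until a second, different site has requested the same VPN."""
        members = self._members.setdefault(vpn_id, {})
        if site in members:
            return []                       # duplicate request: nothing new to deploy
        deployed: List[Tunnel] = []
        for other in list(members):         # one tunnel in each direction to every existing site
            deployed.append(self._deploy(vpn_id, other, members[other], site, now))
            deployed.append(self._deploy(vpn_id, site, account, other, now))
        members[site] = account             # store the site -> VPN service correspondence
        return deployed

    def _deploy(self, vpn_id: str, head: Site, head_account: str, tail: Site, now: float) -> Tunnel:
        qos = self._account_qos.get(head_account, "best-effort")
        tunnel = Tunnel(next(self._ids), vpn_id, head, tail, qos)
        self._records[tunnel.tunnel_id] = TunnelRecord(tunnel, deployed_at=now)
        return tunnel

    def exit_request(self, vpn_id: str, site: Site, now: float) -> List[Tunnel]:
        """Revoke every active tunnel of this VPN that starts or ends at the leaving site."""
        members = self._members.get(vpn_id, {})
        if members.pop(site, None) is None:
            return []
        revoked: List[Tunnel] = []
        for rec in self._records.values():
            t = rec.tunnel
            if t.vpn_id == vpn_id and rec.revoked_at is None and site in (t.head, t.tail):
                rec.revoked_at = now
                revoked.append(t)
        return revoked

    def active_tunnels(self, vpn_id: str) -> List[Tunnel]:
        return [r.tunnel for r in self._records.values()
                if r.tunnel.vpn_id == vpn_id and r.revoked_at is None]

    def deployment_time(self, tunnel_id: int, now: float) -> float:
        """Deployment time reported to the charging device: revocation (or now) minus deployment."""
        rec = self._records[tunnel_id]
        end = rec.revoked_at if rec.revoked_at is not None else now
        return end - rec.deployed_at


if __name__ == "__main__":
    orch = AccessOrchestrator({"acct-a": "gold", "acct-b": "silver"})  # constructed table
    s1, s2 = Site("BNG1", "port1"), Site("BNG2", "port2")
    print(orch.access_request("vpn-1", s1, "acct-a", now=0.0))   # [] : no second site yet
    for t in orch.access_request("vpn-1", s2, "acct-b", now=10.0):
        print(t)
```

Note that `access_request` records a site even when it deploys nothing; that stored correspondence is what lets the next request from a different edge device find its second site, and the pre-check for duplicates keeps a repeated request from the same port from deploying a second tunnel pair.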
It should be noted that the processing unit 702 may deploy the first VPN tunnel and the second VPN tunnel by configuring the first edge device and the second edge device directly, for example by sending configuration parameters to the first edge device and the second edge device. The processing unit 702 may also configure the first edge device and the second edge device indirectly, for example by sending a request to another device, which then deploys the first VPN tunnel and the second VPN tunnel. The two approaches are described in turn below.
The direct configuration approach is described first. The network device 700 of this embodiment further includes a sending unit. The processing unit 702 is further configured to allocate a VPN tunnel identifier to the VPN service. The VPN tunnel identifier uniquely identifies one VPN tunnel, where a VPN tunnel means a tunnel used to carry the VPN service.
When deploying the first VPN tunnel and the second VPN tunnel of the VPN service between the first edge device and the second edge device, the processing unit 702 is specifically configured to send, through the sending unit, a first configuration parameter to the first edge device and a second configuration parameter to the second edge device. The first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device; the second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
Thus the first configuration parameter sent to the first edge device includes a configuration parameter related to the second user site, namely the device identifier of the second edge device, and the second configuration parameter sent to the second edge device includes a configuration parameter related to the first user site, namely the device identifier of the first edge device. The first edge device and the second edge device may deploy the first VPN tunnel and the second VPN tunnel according to the first configuration parameter and the second configuration parameter using any existing VPN tunnel deployment method; the embodiments of the present invention do not limit this. In some scenarios, the processing unit 702 may further be configured to send, through the sending unit, a first RT and a first RD allocated to the first user site to the first edge device, and a second RT and a second RD allocated to the second user site to the second edge device.
The indirect configuration approach is described next, in which the first VPN tunnel and the second VPN tunnel are deployed by sending a request to another device. The network device 700 of this embodiment further includes a sending unit. When deploying the first VPN tunnel and the second VPN tunnel of the VPN service between the first edge device and the second edge device, the processing unit 702 is specifically configured to send, through the sending unit, a request to a controller to deploy the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device. The request to deploy the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device. The request may further include an identifier of the VPN service.
After receiving the request, the controller deploys the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device according to the request. When deploying the first VPN tunnel and the second VPN tunnel, the controller may obtain the specific paths of the first VPN tunnel and the second VPN tunnel from the device identifier of the first edge device and the device identifier of the second edge device, that is, determine the transit devices on the paths of the first VPN tunnel and the second VPN tunnel. It then generates, from the paths, the port identifier of the first port, and the port identifier of the second port, a forwarding entry for each transit device and delivers it to that device, so that each transit device forwards data according to its forwarding entry. The forwarding entry may include a label allocated by the controller 401 and an output port. The connection between the controller and the network device 700 may be as shown in FIG. 4. The controller may specifically be an SDN controller.
Optionally, in this embodiment, since the VPN service may correspond to one or more accounts and each account may correspond to a different QoS, the first VPN tunnel may also be deployed according to the QoS corresponding to the account used by the user. Specifically, the first access request further includes the account with which the first user site requests access to the VPN service; the processing unit 702 is further configured to obtain the QoS corresponding to that account; and when deploying the first VPN tunnel from the first edge device to the second edge device, the processing unit 702 is specifically configured to deploy the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to that account. The processing unit 702 may likewise be configured to obtain the account with which the second user site requests access to the VPN service and deploy the second VPN tunnel according to the QoS corresponding to that account. The first VPN tunnel and the second VPN tunnel as finally deployed may therefore have different QoS.
Further optionally, in this embodiment, when the first VPN tunnel and the second VPN tunnel are deployed, bandwidth may be reserved for them; and when the first user site or the second user site needs to leave the VPN service, for example when the first user site or the second user site requests to go offline, the first VPN tunnel and the second VPN tunnel may further be revoked so as to release the bandwidth reserved for them. In a specific implementation, the receiving unit 701 is further configured to receive a first exit request sent by the first edge device or a second exit request sent by the second edge device, the first exit request requesting that the first user site leave the VPN service and the second exit request requesting that the second user site leave the VPN service; the processing unit 702 is further configured to, when the receiving unit 701 receives the first exit request or the second exit request, revoke the first VPN tunnel and the second VPN tunnel deployed between the first edge device and the second edge device.
At present, because a VPN service cannot be accessed on demand, charging for a VPN service is generally based on the QoS of the provisioned VPN service. Further optionally, in this embodiment, because the first VPN tunnel and the second VPN tunnel are deployed and revoked on demand, charging may be based on the deployment time of the first VPN tunnel and the second VPN tunnel, that is, on the actual time during which the first user site accesses the VPN service. In a specific implementation, the network device 700 of this embodiment further includes a sending unit; the processing unit 702 is further configured to obtain related information indicating the deployment time of the first VPN tunnel and the second VPN tunnel; and the sending unit is configured to send the related information to a charging device. The related information may be the deployment time of the first VPN tunnel and the second VPN tunnel itself, or it may be the instant at which the first VPN tunnel and the second VPN tunnel were deployed and the instant at which they were revoked, from which the charging device calculates the deployment time of the first VPN tunnel and the second VPN tunnel.
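As an added example, not the patent's own code, the following Python model plays through the procedure described above: a hypothetical NetworkDevice stores each access request, deploys a head/tail-associated tunnel pair between the new site and every site already in the VPN (so a third site yields the third to sixth tunnels), sends each edge device the direct-configuration parameters, applies the per-account QoS to each direction, and on an exit request revokes the affected tunnels and records their deployment time for the charging device. The names (NetworkDevice, AccessRequest, PE1, GE1/0/1, the QoS classes) and the clock are constructed assumptions, and the model generalizes the text's two- and three-site cases to any number of sites.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Access request an edge device sends for the user site behind one of its ports."""
    edge_device: str               # device identifier of the requesting edge device
    port: str                      # port identifier of the port connected to the user site
    site: str                      # user site identifier
    account: Optional[str] = None  # account used to request the VPN service (drives QoS)


@dataclass
class Tunnel:
    """One unidirectional VPN tunnel; head and tail ends are associated with access ports."""
    vpn_tunnel_id: int
    head_device: str
    head_port: str
    tail_device: str
    tail_port: str
    qos: Optional[str]
    deployed_at: float
    revoked_at: Optional[float] = None


class NetworkDevice:
    """Hypothetical model of network device 700: receiving, processing and sending units."""
    def __init__(self, account_qos: Dict[str, str], clock: Callable[[], float]):
        self._account_qos = account_qos        # account -> QoS class
        self._clock = clock                    # injectable clock keeps the scenario deterministic
        self.vpn_tunnel_id = 1                 # one tunnel identifier allocated to the VPN service
        self.joined: Dict[str, AccessRequest] = {}      # stored access requests, keyed by site
        self.tunnels: List[Tunnel] = []
        self.sent_config: List[Tuple[str, dict]] = []   # (edge device, configuration parameters)
        self.charging_records: List[dict] = []          # related information for the charging device

    def handle_access_request(self, req: AccessRequest) -> List[Tunnel]:
        """Store the request, then connect the new site to every site that already joined."""
        if req.site in self.joined:
            return []                          # duplicate request: its tunnels already exist
        peers = list(self.joined.values())
        self.joined[req.site] = req
        new: List[Tunnel] = []
        for peer in peers:                     # empty for the very first site: nothing to connect
            new.extend(self._deploy_pair(req, peer))
        return new

    def _deploy_pair(self, a: AccessRequest, b: AccessRequest) -> List[Tunnel]:
        """Deploy tunnel a->b (head on a's port, tail on b's port) and the reverse tunnel b->a."""
        now = self._clock()
        # Each direction takes the QoS of the account of the site at its head end.
        pair = [
            Tunnel(self.vpn_tunnel_id, a.edge_device, a.port, b.edge_device, b.port,
                   self._account_qos.get(a.account) if a.account else None, now),
            Tunnel(self.vpn_tunnel_id, b.edge_device, b.port, a.edge_device, a.port,
                   self._account_qos.get(b.account) if b.account else None, now),
        ]
        self.tunnels.extend(pair)
        # Direct configuration: each edge device receives the tunnel identifier, its own
        # access port and the device identifier of the far-end edge device.
        for near, far in ((a, b), (b, a)):
            self.sent_config.append((near.edge_device, {
                "vpn_tunnel_id": self.vpn_tunnel_id,
                "port_id": near.port,
                "peer_device_id": far.edge_device}))
        return pair

    def handle_exit_request(self, site: str) -> List[Tunnel]:
        """Revoke every active tunnel with an end on the leaving site's port; record times."""
        req = self.joined.pop(site, None)
        if req is None:
            return []                          # unknown or already departed site
        now = self._clock()
        end = (req.edge_device, req.port)
        revoked: List[Tunnel] = []
        for t in self.tunnels:
            if t.revoked_at is None and end in ((t.head_device, t.head_port),
                                                (t.tail_device, t.tail_port)):
                t.revoked_at = now
                revoked.append(t)
                # Deployment and revocation instants let the charging device compute the time.
                self.charging_records.append({
                    "head": t.head_device, "tail": t.tail_device, "deployed_at": t.deployed_at,
                    "revoked_at": now, "deployment_time": now - t.deployed_at})
        return revoked


def run_scenario() -> NetworkDevice:
    """Constructed scenario: S1, S2, S3 behind PE1, PE2, PE3 join in turn, then S1 exits."""
    ticks = iter(range(10, 10_000, 10))              # constructed clock: +10 per call
    nd = NetworkDevice({"gold": "QoS-gold", "silver": "QoS-silver"}, lambda: float(next(ticks)))
    nd.handle_access_request(AccessRequest("PE1", "GE1/0/1", "S1", "gold"))
    nd.handle_access_request(AccessRequest("PE2", "GE1/0/2", "S2", "silver"))
    nd.handle_access_request(AccessRequest("PE3", "GE1/0/3", "S3"))    # no account: no QoS
    nd.handle_exit_request("S1")
    return nd
```

The duplicate-request and unknown-site guards are the checks a real deployment wants, so that a repeated request cannot double-provision tunnels and an exit request for an unknown site cannot tear down another site's tunnels.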
The apparatus embodiment of the network device in the embodiments of the present invention has been described above from the perspective of modular functional entities. The apparatus embodiment of the network device is described below from the perspective of hardware processing.
Referring to FIG. 8, an embodiment of the present invention provides another apparatus embodiment of the network device. The network device 800 of this embodiment may be a microprocessor-based computer. For example, the network device 800 may be a general-purpose computer, a custom-built machine, or a portable device such as a mobile phone terminal or a tablet. The network device 800 includes a processor 804, a memory 806, a communication interface 802, and a bus 808. The processor 804, the memory 806, and the communication interface 802 are connected through the bus 808 and communicate with one another over it.
The bus 808 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 808 may be one or more of an address bus, a data bus, and a control bus. For ease of representation, only one thick line is drawn in FIG. 8, but this does not mean that there is only one bus or one type of bus.
The memory 806 is configured to store executable program code, which includes computer operating instructions. When the network device 800 executes the program code, the network device 800 can perform the method of the embodiment shown in FIG. 1 or FIG. 3, and can also implement all functions of the network device in the embodiment shown in FIG. 6 or FIG. 7. The memory 806 may include high-speed RAM (Random Access Memory). Optionally, the memory 806 may further include non-volatile memory; for example, the memory 806 may include disk storage.
The processor 804 may be a central processing unit (CPU), or the processor 804 may be an application-specific integrated circuit (ASIC), or the processor 804 may be one or more integrated circuits configured to implement the embodiments of the present invention.
The communication interface 802 is configured to perform, in the embodiments shown in FIG. 1 and FIG. 3, the receiving of a first access request sent by a first edge device, the first access request requesting access to the VPN service for a first user site connected to the first edge device.
The processor 804 is configured to read the instructions stored in the memory 806 and thereby perform, in the embodiments shown in FIG. 1 and FIG. 3, determining that a second user site has requested access to the VPN service, the second user site being a user site different from the first user site, and configuring the first edge device and a second edge device connected to the second user site so that the first user site and the second user site access the VPN service.
It should be noted that the functional units of the network device provided by the present invention may be specific implementations of the method of the embodiment shown in FIG. 1 or FIG. 3 and of the functions of the apparatus of the embodiment shown in FIG. 6 or FIG. 7; the definitions and explanations of terms are consistent with the embodiments shown in FIG. 1, FIG. 3, FIG. 6, and FIG. 7 and are not repeated here.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus, and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, and may be electrical, mechanical, or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments or replace some of their technical features with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (20)

  1. A method for accessing a virtual private network (VPN) service, comprising:
    receiving, by a network device, a first access request sent by a first edge device, the first access request requesting access to the VPN service for a first user site connected to the first edge device;
    determining, by the network device, that a second user site has requested access to the VPN service; and
    configuring, by the network device, the first edge device and a second edge device connected to the second user site, so that the first user site and the second user site access the VPN service.
  2. The method according to claim 1, wherein configuring, by the network device, the first edge device and the second edge device connected to the second user site so that the first user site and the second user site access the VPN service comprises:
    deploying, by the network device, a first VPN tunnel from the first edge device to the second edge device and a second VPN tunnel from the second edge device to the first edge device, wherein a head end of the first VPN tunnel is associated with a first port, a tail end of the first VPN tunnel is associated with a second port, a head end of the second VPN tunnel is associated with the second port, a tail end of the second VPN tunnel is associated with the first port, the first port is the port on the first edge device connected to the first user site, and the second port is the port on the second edge device connected to the second user site.
  3. The method according to claim 2, further comprising:
    receiving, by the network device, a second access request sent by a third edge device, the second access request requesting access to the VPN service for a third user site connected to the third edge device;
    determining, by the network device, that the first user site and the second user site have accessed the VPN service;
    deploying, by the network device, a third VPN tunnel from the first edge device to the third edge device and a fourth VPN tunnel from the third edge device to the first edge device, wherein a head end of the third VPN tunnel is associated with the first port, a tail end of the third VPN tunnel is associated with a third port, a head end of the fourth VPN tunnel is associated with the third port, a tail end of the fourth VPN tunnel is associated with the first port, and the third port is the port on the third edge device connected to the third user site; and
    deploying, by the network device, a fifth VPN tunnel from the second edge device to the third edge device and a sixth VPN tunnel from the third edge device to the second edge device, wherein a head end of the fifth VPN tunnel is associated with the second port, a tail end of the fifth VPN tunnel is associated with the third port, a head end of the sixth VPN tunnel is associated with the third port, and a tail end of the sixth VPN tunnel is associated with the second port.
  4. The method according to claim 2 or 3, further comprising:
    allocating, by the network device, a VPN tunnel identifier to the VPN service;
    wherein deploying, by the network device, the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device comprises:
    sending, by the network device, a first configuration parameter to the first edge device, the first configuration parameter comprising the VPN tunnel identifier, a port identifier of the first port, and a device identifier of the second edge device; and
    sending, by the network device, a second configuration parameter to the second edge device, the second configuration parameter comprising the VPN tunnel identifier, a port identifier of the second port, and a device identifier of the first edge device.
  5. The method according to claim 2 or 3, wherein deploying, by the network device, the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device comprises:
    sending, by the network device, a request to deploy the first VPN tunnel and the second VPN tunnel to a controller, the request comprising a port identifier of the first port, a port identifier of the second port, a device identifier of the first edge device, and a device identifier of the second edge device.
  6. The method according to any one of claims 2 to 5, further comprising:
    receiving, by the network device, a first exit request sent by the first edge device or a second exit request sent by the second edge device, the first exit request requesting that the first user site leave the VPN service and the second exit request requesting that the second user site leave the VPN service; and
    revoking, by the network device, the first VPN tunnel and the second VPN tunnel.
  7. The method according to claim 6, further comprising:
    obtaining, by the network device, related information indicating a deployment time of the first VPN tunnel and the second VPN tunnel; and
    sending, by the network device, the related information to a charging device.
  8. The method according to any one of claims 2 to 7, wherein the first access request further comprises an account with which the first user site requests access to the VPN service;
    the method further comprising:
    obtaining, by the network device, a quality of service (QoS) corresponding to the account;
    wherein deploying, by the network device, the first VPN tunnel from the first edge device to the second edge device comprises:
    deploying, by the network device, the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
  9. The method according to any one of claims 1 to 8, further comprising:
    storing, by the network device after receiving the first access request, information that the first user site has requested access to the VPN service;
    wherein determining, by the network device, that a second user site has requested access to the VPN service comprises:
    determining, by the network device, that information that the second user site has requested access to the VPN service is stored.
  10. The method according to any one of claims 1 to 9, further comprising:
    sending, by the first edge device, the first access request to the network device after receiving an online request from the first user site.
  11. A network device, comprising:
    a receiving unit, configured to receive a first access request sent by a first edge device, the first access request requesting access to a virtual private network (VPN) service for a first user site connected to the first edge device; and
    a processing unit, configured to, when the receiving unit receives the first access request, determine that a second user site has requested access to the VPN service, and configure the first edge device and a second edge device connected to the second user site so that the first user site and the second user site access the VPN service.
  12. The network device according to claim 11, wherein
    when configuring the first edge device and the second edge device connected to the second user site so that the first user site and the second user site access the VPN service, the processing unit is specifically configured to deploy a first VPN tunnel from the first edge device to the second edge device and a second VPN tunnel from the second edge device to the first edge device, wherein a head end of the first VPN tunnel is associated with a first port, a tail end of the first VPN tunnel is associated with a second port, a head end of the second VPN tunnel is associated with the second port, a tail end of the second VPN tunnel is associated with the first port, the first port is the port on the first edge device connected to the first user site, and the second port is the port on the second edge device connected to the second user site.
  13. The network device according to claim 12, wherein
    the receiving unit is further configured to receive a second access request sent by a third edge device, the second access request requesting access to the VPN service for a third user site connected to the third edge device;
    the processing unit is further configured to, when the receiving unit receives the second access request, determine that the first user site and the second user site have accessed the VPN service, and deploy a third VPN tunnel from the first edge device to the third edge device, a fourth VPN tunnel from the third edge device to the first edge device, a fifth VPN tunnel from the second edge device to the third edge device, and a sixth VPN tunnel from the third edge device to the second edge device;
    wherein a head end of the third VPN tunnel is associated with the first port, a tail end of the third VPN tunnel is associated with a third port, a head end of the fourth VPN tunnel is associated with the third port, a tail end of the fourth VPN tunnel is associated with the first port, a head end of the fifth VPN tunnel is associated with the second port, a tail end of the fifth VPN tunnel is associated with the third port, a head end of the sixth VPN tunnel is associated with the third port, a tail end of the sixth VPN tunnel is associated with the second port, and the third port is the port on the third edge device connected to the third user site.
  14. The network device according to claim 12 or 13, further comprising a sending unit;
    wherein the processing unit is further configured to allocate a VPN tunnel identifier to the VPN service;
    when deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send a first configuration parameter to the first edge device through the sending unit and a second configuration parameter to the second edge device through the sending unit;
    the first configuration parameter comprising the VPN tunnel identifier, a port identifier of the first port, and a device identifier of the second edge device; and the second configuration parameter comprising the VPN tunnel identifier, a port identifier of the second port, and a device identifier of the first edge device.
  15. The network device according to claim 12 or 13, further comprising a sending unit;
    wherein, when deploying the first VPN tunnel from the first edge device to the second edge device and the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send, through the sending unit, a request to deploy the first VPN tunnel and the second VPN tunnel to a controller, the request comprising a port identifier of the first port, a port identifier of the second port, a device identifier of the first edge device, and a device identifier of the second edge device.
  16. 根据权利要求12至15任一项所述的网络设备,其特征在于,A network device according to any one of claims 12 to 15, wherein
    所述接收单元还用于,所述第一边缘设备发送的第一退出请求或者所述第二边缘设备发送的第二退出请求,所述第一退出请求用于请求将所述第一用户站点退出所述VPN业务,所述第二退出请求用于请求将所述第二用户站点退出所述VPN业务;The receiving unit is further configured to: the first exit request sent by the first edge device or the second exit request sent by the second edge device, where the first exit request is used to request the first user site Exiting the VPN service, the second exit request is used to request that the second user site exit the VPN service;
    所述处理单元还用于,所述接收单元接收到所述第一退出请求或者所述第二退出请求时,撤销部署的所述第一VPN隧道和所述第二VPN隧道。The processing unit is further configured to: when the receiving unit receives the first exit request or the second exit request, cancel the deployed first VPN tunnel and the second VPN tunnel.
  17. 根据权利要求16所述的网络设备,其特征在于,还包括:发送单元;The network device according to claim 16, further comprising: a sending unit;
    所述处理单元还用于,获取用于表示所述第一VPN隧道和所述第二VPN隧道的部署时间的相关信息;The processing unit is further configured to acquire related information used to indicate deployment time of the first VPN tunnel and the second VPN tunnel;
    所述发送单元,用于将所述相关信息发送至计费设备。The sending unit is configured to send the related information to a charging device.
  18. 根据权利要求12至17任一项所述的网络设备,其特征在于,所述第一接入请求还包括所述第一用户站点请求接入所述VPN业务的账号;The network device according to any one of claims 12 to 17, wherein the first access request further includes an account that the first user station requests to access the VPN service;
    所述处理单元还用于,获取所述账号对应的服务质量QoS;The processing unit is further configured to acquire a quality of service QoS corresponding to the account;
    当部署从所述第一边缘设备至所述第二边缘设备的第一VPN隧道时,所述处理单元具体用于基于所述账号对应的QoS,部署从所述第一边缘设备至所述第二边缘设备的所述第一VPN隧道。When the first VPN tunnel from the first edge device to the second edge device is deployed, the processing unit is specifically configured to deploy, according to the QoS corresponding to the account, from the first edge device to the first The first VPN tunnel of the two edge devices.
  19. 根据权利要求11至18任一项所述的网络设备,其特征在于,A network device according to any one of claims 11 to 18, characterized in that
    所述处理单元还用于,当所述接收单元接收所述第一接入请求时,存储所述第一用户站点请求接入所述VPN业务的信息; The processing unit is further configured to: when the receiving unit receives the first access request, store information that the first user station requests to access the VPN service;
    当确定出有第二用户站点请求接入所述VPN业务时,所述处理单元具体用于确定出存储有所述第二用户站点请求接入所述VPN业务的信息。When it is determined that the second user site requests to access the VPN service, the processing unit is specifically configured to determine that the information that the second user site requests to access the VPN service is stored.
  20. 根据权利要求11至19任一项所述的网络设备,其特征在于,所述第一边缘设备为接收所述第一用户站点的上线请求后,向所述网络设备发送所述第一接入请求的设备。 The network device according to any one of claims 11 to 19, wherein the first edge device sends the first access to the network device after receiving an online request of the first user site Requested device.
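The tunnel bookkeeping described in claims 12 to 16 and 19, as an added example that is not code from the patent: access requests are stored per VPN service, a pair of unidirectional tunnels (head end on the requesting port, tail end on the peer port) is deployed to every site already stored, each new tunnel yields the configuration parameters of claim 14, and an exit request withdraws every tunnel touching that site's port. The class and field names, and the dict layout of the configuration parameters, are assumptions for illustration.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Site:
    edge_device: str  # device identifier of the edge device (assumed format)
    port: str         # identifier of the port on that device facing the user site


@dataclass(frozen=True)
class Tunnel:
    vpn_tunnel_id: int
    head: Site  # head end is associated with the source port
    tail: Site  # tail end is associated with the destination port


class VpnController:
    """Model of the processing unit (assumed name): stores requests, deploys tunnels."""

    def __init__(self):
        self._ids = count(1)
        self.sites = {}       # vpn service -> set of Site that requested access (claim 19)
        self.tunnels = {}     # vpn service -> list of deployed Tunnel
        self.tunnel_ids = {}  # vpn service -> allocated VPN tunnel identifier (claim 14)

    def access_request(self, vpn, site):
        """Returns one configuration parameter dict per edge device per new tunnel."""
        joined = self.sites.setdefault(vpn, set())
        tunnels = self.tunnels.setdefault(vpn, [])
        tid = self.tunnel_ids.setdefault(vpn, next(self._ids))
        configs = []
        for peer in sorted(joined, key=lambda s: (s.edge_device, s.port)):
            # one tunnel in each direction between the new port and every stored port
            tunnels.append(Tunnel(tid, site, peer))
            tunnels.append(Tunnel(tid, peer, site))
            # claim 14: tunnel identifier, own port identifier, peer device identifier
            configs.append({"vpn_tunnel_id": tid, "port_id": site.port, "peer_device": peer.edge_device})
            configs.append({"vpn_tunnel_id": tid, "port_id": peer.port, "peer_device": site.edge_device})
        joined.add(site)
        return configs

    def exit_request(self, vpn, site):
        """Claim 16: withdraw every tunnel whose head or tail is the leaving site's port."""
        current = self.tunnels.get(vpn, [])
        withdrawn = [t for t in current if site in (t.head, t.tail)]
        self.tunnels[vpn] = [t for t in current if site not in (t.head, t.tail)]
        self.sites.get(vpn, set()).discard(site)
        return withdrawn
```

With three sites the controller ends up with the six tunnels of claim 13; a third-party controller (claim 15) would receive the same port and device identifiers in a single deploy request instead.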
PCT/CN2015/093091 2014-12-31 2015-10-28 Method for accessing vpn service, and network device WO2016107261A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410850003.4A CN104601431B (en) 2014-12-31 2014-12-31 The cut-in method and the network equipment of a kind of vpn service
CN201410850003.4 2014-12-31

Publications (1)

Publication Number Publication Date
WO2016107261A1 true WO2016107261A1 (en) 2016-07-07

Family

ID=53126952

Country Status (2)

Country Link
CN (1) CN104601431B (en)
WO (1) WO2016107261A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104601431B (en) * 2014-12-31 2018-04-20 华为技术有限公司 The cut-in method and the network equipment of a kind of vpn service
US10938599B2 (en) 2017-05-22 2021-03-02 Futurewei Technologies, Inc. Elastic VPN that bridges remote islands
CN113778463B (en) * 2020-06-09 2023-01-06 华为技术有限公司 Business service deployment method and device
CN111884903B (en) * 2020-07-15 2022-02-01 迈普通信技术股份有限公司 Service isolation method and device, SDN network system and routing equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6912232B1 (en) * 1998-10-19 2005-06-28 At&T Corp. Virtual private network
EP1580939A1 (en) * 2004-03-26 2005-09-28 Nortel Networks Limited Method and apparatus for determining and allocating network resources to layer 1 virtual private networks
CN1708172A (en) * 2004-06-10 2005-12-14 华为技术有限公司 Method for establishing privacy call
CN102457421A (en) * 2010-10-15 2012-05-16 凤凰接触股份有限及两合公司 Process for establishing a VPN connection between two networks
CN103780467A (en) * 2012-10-19 2014-05-07 华为技术有限公司 Communication connection method, communication device and communication system
CN104601431A (en) * 2014-12-31 2015-05-06 华为技术有限公司 Access method of VPN business and network device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100414907C (en) * 2005-03-01 2008-08-27 信息产业部电信研究院 Resource managing method based on signal mechanism in IP telecommunication network system
ATE357805T1 (en) * 2004-09-30 2007-04-15 Cit Alcatel MOBILE AUTHENTICATION FOR NETWORK ACCESS
CN101114972B (en) * 2006-07-26 2011-01-26 成都迈普产业集团有限公司 Method for establishing virtual private network in IP telecommunication network system
JP5223376B2 (en) * 2008-02-29 2013-06-26 日本電気株式会社 Remote access system, method and program
CN101330459B (en) * 2008-07-31 2011-09-21 电子科技大学 Method for controlling VPN consumer wideband based on Hose flexible pipe
CN102055639A (en) * 2009-11-10 2011-05-11 杭州华三通信技术有限公司 Method for establishing remote access virtual private network connection and local access concentrator
CN103001872B (en) * 2011-09-13 2016-03-30 华为技术有限公司 A kind of label distribution method and polymerization unit

Also Published As

Publication number Publication date
CN104601431B (en) 2018-04-20
CN104601431A (en) 2015-05-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15874946; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15874946; Country of ref document: EP; Kind code of ref document: A1)