CN104601431A - Access method of VPN business and network device - Google Patents
- Publication number
- CN104601431A CN201410850003.4A
- Authority
- CN
- China
- Prior art keywords
- edge device
- vpn
- port
- user site
- vpn tunneling
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
The present invention provides a method for accessing a VPN service and a network device. The method includes: a network device receives a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device access the VPN service; the network device determines that a second user site has requested access to the VPN service; and the network device configures the first edge device and a second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service. Thus, in the present invention, the first user site and the second user site are connected to the VPN service only once it is determined that the first user site, after accessing the VPN service, will be able to transmit data with the second user site. This avoids, as far as possible, the situation in which resources of the first edge device are occupied while the first user site cannot transmit data, and therefore reduces resource waste.
Description
Technical field
The present invention relates to communication technology, and in particular to a method for accessing a VPN service and a network device.
Background
A virtual private network (VPN) is a technology for building private networks on top of a public data network. These private networks are isolated from one another, and data of one private network is not transmitted into another. For user sites to transmit data to each other over a VPN, the user sites must first be connected to the VPN service.
At present, the usual way of connecting user sites to a VPN service is for the operator and the user to manually agree on all the user sites that need to access the VPN service, and then to manually configure the edge device connected to each of those user sites, so that every one of the user sites is connected to the VPN service.
However, connecting a user site to the VPN service requires configuring the edge device that the user site is connected to, which necessarily occupies resources of that edge device. The access approach described above cannot connect user sites to the VPN service on demand; that is, even if a user site cannot transmit data after accessing the VPN service, the operator still connects that user site to the VPN service, which wastes resources.
Summary of the invention
The technical problem solved by the present invention is to provide a method for accessing a VPN service and a network device, so that user sites access the VPN service on demand, thereby reducing resource waste.
To this end, the technical solution by which the present invention solves the technical problem is as follows:
In a first aspect, the present invention provides a method for accessing a virtual private network (VPN) service, including:
a network device receives a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device access the VPN service;
the network device determines that a second user site has requested access to the VPN service;
the network device configures the first edge device and a second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
In a first possible implementation of the first aspect, the network device configuring the first edge device and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service, includes:
the network device deploys a first VPN tunnel from the first edge device to the second edge device, and deploys a second VPN tunnel from the second edge device to the first edge device, where the head end of the first VPN tunnel is associated with a first port, the tail end of the first VPN tunnel is associated with a second port, the head end of the second VPN tunnel is associated with the second port, the tail end of the second VPN tunnel is associated with the first port, the first port is the port on the first edge device that is connected to the first user site, and the second port is the port on the second edge device that is connected to the second user site.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the method further includes:
the network device receives a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service;
the network device determines that the first user site and the second user site have accessed the VPN service;
the network device deploys a third VPN tunnel from the first edge device to the third edge device, and deploys a fourth VPN tunnel from the third edge device to the first edge device, where the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with a third port, the head end of the fourth VPN tunnel is associated with the third port, the tail end of the fourth VPN tunnel is associated with the first port, and the third port is the port on the third edge device that is connected to the third user site;
the network device deploys a fifth VPN tunnel from the second edge device to the third edge device, and deploys a sixth VPN tunnel from the third edge device to the second edge device, where the head end of the fifth VPN tunnel is associated with the second port, the tail end of the fifth VPN tunnel is associated with the third port, the head end of the sixth VPN tunnel is associated with the third port, and the tail end of the sixth VPN tunnel is associated with the second port.
With reference to the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further includes:
the network device allocates a VPN tunnel identifier to the VPN service;
the network device deploying the first VPN tunnel from the first edge device to the second edge device, and deploying the second VPN tunnel from the second edge device to the first edge device, includes:
the network device sends a first configuration parameter to the first edge device, where the first configuration parameter includes: the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device;
the network device sends a second configuration parameter to the second edge device, where the second configuration parameter includes: the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
With reference to the first or second possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the network device deploying the first VPN tunnel from the first edge device to the second edge device, and deploying the second VPN tunnel from the second edge device to the first edge device, includes:
the network device sends to a controller a request to deploy the first VPN tunnel and the second VPN tunnel, where the request to deploy the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
With reference to any one of the first to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the method further includes:
the network device receives a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site exit the VPN service, and the second exit request is used to request that the second user site exit the VPN service;
the network device revokes the first VPN tunnel and the second VPN tunnel.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the method further includes:
the network device obtains information indicating the deployment time of the first VPN tunnel and the second VPN tunnel;
the network device sends that information to a charging device.
With reference to any one of the first to sixth possible implementations of the first aspect, in a seventh possible implementation of the first aspect, the first access request further includes the account with which the first user site requests access to the VPN service;
the method further includes:
the network device obtains the quality of service (QoS) corresponding to the account;
the network device deploying the first VPN tunnel from the first edge device to the second edge device includes:
the network device deploys the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
With reference to the first aspect or any one of the first to seventh possible implementations of the first aspect, in an eighth possible implementation of the first aspect, the method further includes:
after receiving the first access request, the network device stores information indicating that the first user site has requested access to the VPN service;
the network device determining that a second user site has requested access to the VPN service includes:
the network device determines that information indicating that the second user site has requested access to the VPN service is stored.
With reference to the first aspect or any one of the first to eighth possible implementations of the first aspect, in a ninth possible implementation of the first aspect, the method further includes:
the first edge device sends the first access request to the network device after receiving an online request from the first user site.
In a second aspect, the present invention provides a network device, including:
a receiving unit, configured to receive a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device access a virtual private network (VPN) service;
a processing unit, configured to, when the receiving unit receives the first access request, determine that a second user site has requested access to the VPN service, and configure the first edge device and a second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
In a first possible implementation of the second aspect, when configuring the first edge device and the second edge device connected to the second user site so as to connect the first user site and the second user site to the VPN service, the processing unit is specifically configured to deploy a first VPN tunnel from the first edge device to the second edge device, and deploy a second VPN tunnel from the second edge device to the first edge device, where the head end of the first VPN tunnel is associated with a first port, the tail end of the first VPN tunnel is associated with a second port, the head end of the second VPN tunnel is associated with the second port, the tail end of the second VPN tunnel is associated with the first port, the first port is the port on the first edge device that is connected to the first user site, and the second port is the port on the second edge device that is connected to the second user site.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the receiving unit is further configured to receive a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service;
the processing unit is further configured to, when the receiving unit receives the second access request, determine that the first user site and the second user site have accessed the VPN service, deploy a third VPN tunnel from the first edge device to the third edge device, deploy a fourth VPN tunnel from the third edge device to the first edge device, deploy a fifth VPN tunnel from the second edge device to the third edge device, and deploy a sixth VPN tunnel from the third edge device to the second edge device;
the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with a third port, the head end of the fourth VPN tunnel is associated with the third port, the tail end of the fourth VPN tunnel is associated with the first port, the head end of the fifth VPN tunnel is associated with the second port, the tail end of the fifth VPN tunnel is associated with the third port, the head end of the sixth VPN tunnel is associated with the third port, the tail end of the sixth VPN tunnel is associated with the second port, and the third port is the port on the third edge device that is connected to the third user site.
With reference to the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the network device further includes a sending unit;
the processing unit is further configured to allocate a VPN tunnel identifier to the VPN service;
when deploying the first VPN tunnel from the first edge device to the second edge device and deploying the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send a first configuration parameter to the first edge device through the sending unit, and send a second configuration parameter to the second edge device through the sending unit;
the first configuration parameter includes: the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device; the second configuration parameter includes: the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
With reference to the first or second possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the network device further includes a sending unit;
when deploying the first VPN tunnel from the first edge device to the second edge device and deploying the second VPN tunnel from the second edge device to the first edge device, the processing unit is specifically configured to send, through the sending unit, a request to a controller to deploy the first VPN tunnel and the second VPN tunnel, where the request to deploy the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device.
With reference to any one of the first to fourth possible implementations of the second aspect, in a fifth possible implementation of the second aspect, the receiving unit is further configured to receive a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site exit the VPN service, and the second exit request is used to request that the second user site exit the VPN service;
the processing unit is further configured to, when the receiving unit receives the first exit request or the second exit request, revoke the deployed first VPN tunnel and second VPN tunnel.
With reference to the fifth possible implementation of the second aspect, in a sixth possible implementation of the second aspect, the network device further includes a sending unit;
the processing unit is further configured to obtain information indicating the deployment time of the first VPN tunnel and the second VPN tunnel;
the sending unit is configured to send that information to a charging device.
With reference to any one of the first to sixth possible implementations of the second aspect, in a seventh possible implementation of the second aspect, the first access request further includes the account with which the first user site requests access to the VPN service;
the processing unit is further configured to obtain the quality of service (QoS) corresponding to the account;
when deploying the first VPN tunnel from the first edge device to the second edge device, the processing unit is specifically configured to deploy the first VPN tunnel from the first edge device to the second edge device based on the QoS corresponding to the account.
With reference to the second aspect or any one of the first to seventh possible implementations of the second aspect, in an eighth possible implementation of the second aspect, the processing unit is further configured to, when the receiving unit receives the first access request, store information indicating that the first user site has requested access to the VPN service;
when determining that a second user site has requested access to the VPN service, the processing unit is specifically configured to determine that information indicating that the second user site has requested access to the VPN service is stored.
With reference to the second aspect or any one of the first to eighth possible implementations of the second aspect, in a ninth possible implementation of the second aspect, the first edge device is a device that sends the first access request to the network device after receiving an online request from the first user site.
It can be seen from the above technical solution that, in the present invention, when the network device receives the first access request, which requests that the first user site access the VPN service, it does not connect the first user site to the VPN service directly. Instead, only when it determines that a second user site, different from the first user site, has requested access to the VPN service, which means that the first user site will be able to transmit data with the second user site after accessing the VPN service, does it configure the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service. Thus, in the present invention, the first user site and the second user site are connected to the VPN service only once it is determined that the first user site, after accessing the VPN service, will be able to transmit data with the second user site. The first user site therefore accesses the VPN service on demand, which avoids, as far as possible, the situation in which resources of the first edge device are occupied while the first user site cannot transmit data, and thus reduces resource waste.
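The on-demand admission described in the first aspect, modelled in Python as an added example that is not part of the patent text. The class and field names, the in-memory stores, and the handling of an exit when more than two sites are connected (only the tunnels touching the leaving site are revoked) are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Site:
    name: str   # user site
    edge: str   # device identifier of the edge device the site attaches to
    port: str   # port identifier of the site's access port on that edge device


class VpnCoordinator:
    """Plays the role of the 'network device'; all names here are hypothetical."""

    def __init__(self):
        self._next_id = count(1)
        self.tunnel_id = {}   # VPN service -> VPN tunnel identifier
        self.requests = {}    # VPN service -> {site name: Site} (stored access requests)
        self.tunnels = {}     # VPN service -> {(head site, tail site): deployment time}
        self.pushed = []      # (edge device, configuration parameter) sent so far
        self.billing = []     # records handed to the charging device

    def access_request(self, vpn, site, now):
        """Store the request; deploy tunnels only if another site already asked."""
        stored = self.requests.setdefault(vpn, {})
        peers = [s for s in stored.values() if s.name != site.name]
        stored[site.name] = site
        if not peers:
            return []  # nobody to talk to yet: no edge device is configured
        if vpn not in self.tunnel_id:
            self.tunnel_id[vpn] = next(self._next_id)
        live = self.tunnels.setdefault(vpn, {})
        deployed = []
        for peer in peers:
            # One tunnel per direction; the head-end edge device receives the
            # configuration parameter (tunnel id, its own port, peer device id).
            for head, tail in ((site, peer), (peer, site)):
                if (head.name, tail.name) in live:
                    continue  # repeated request: tunnel already deployed
                live[(head.name, tail.name)] = now
                self.pushed.append((head.edge, {
                    "tunnel_id": self.tunnel_id[vpn],
                    "port": head.port,
                    "peer_device": tail.edge,
                }))
                deployed.append((head.name, tail.name))
        return deployed

    def exit_request(self, vpn, site_name, now):
        """Revoke tunnels touching the leaving site and report their lifetime."""
        self.requests.get(vpn, {}).pop(site_name, None)
        live = self.tunnels.get(vpn, {})
        revoked = [key for key in live if site_name in key]
        for head, tail in revoked:
            self.billing.append({
                "vpn": vpn, "head": head, "tail": tail,
                "deployed_at": live.pop((head, tail)), "revoked_at": now,
            })
        return revoked


if __name__ == "__main__":
    # Constructed sample sites and timestamps.
    nd = VpnCoordinator()
    s1, s2, s3 = (Site(f"site{i}", f"PE{i}", f"port{i}") for i in (1, 2, 3))
    print(nd.access_request("vpn-A", s1, 0.0))   # first site alone: nothing deployed
    print(nd.access_request("vpn-A", s2, 10.0))  # second site: one tunnel pair
    print(nd.access_request("vpn-A", s3, 20.0))  # third site: full mesh, four more
    print(nd.exit_request("vpn-A", "site1", 50.0))
    print(nd.billing)
```
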
Brief description of the drawings
FIG. 1 is a schematic flowchart of a method embodiment provided by the present invention;
FIG. 2 shows a network topology to which an embodiment of the present invention is applied;
FIG. 3 is a schematic flowchart of another method embodiment provided by the present invention;
FIG. 4 shows another network topology to which an embodiment of the present invention is applied;
FIG. 5 shows a specific path of the first VPN tunnel obtained by the controller;
FIG. 6 is a schematic structural diagram of an apparatus embodiment of the network device provided by the present invention;
FIG. 7 is a schematic structural diagram of another apparatus embodiment of the network device provided by the present invention;
FIG. 8 is a schematic structural diagram of another apparatus embodiment of the network device provided by the present invention.
Detailed description
For user sites to transmit data to each other over a VPN, the user sites must first be connected to the VPN service. A user site is a user-side device. Each user site is generally connected to an edge device of the operator by a physical connection, and the operator's edge devices can transmit data to one another over the backbone network.
At present, the usual way of connecting user sites to a VPN service is for the operator and the user to manually agree on all the user sites that need to access the VPN service and, once all the user sites have been determined, to manually configure the edge device connected to each of those user sites, so that every one of the user sites is connected to the VPN service.
However, the inventors found through research that connecting a user site to the VPN service requires configuring the edge device that the user site is connected to, which necessarily occupies resources of that edge device. The access approach described above cannot connect user sites to the VPN service on demand; that is, even if a user site would be unable to transmit data once connected to the VPN service, the operator still connects that user site to the VPN service. As a result, resources of the edge device connected to the user site are occupied although the user site cannot transmit data, which wastes resources. An example illustrates this. Suppose there are three user sites: user site 01, user site 02 and user site 03. If user site 02 and user site 03 are offline or have not accessed the VPN service, then even if user site 01 accesses the VPN service, it cannot transmit data with user site 02 or user site 03. Under the access approach described above, however, the edge device connected to user site 01 is still configured to connect it to the VPN service, which wastes resources.
The embodiments of the present invention provide a method for accessing a VPN service and a network device, so that user sites access the VPN service on demand, thereby reducing resource waste.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms "first", "second", "third", "fourth" and the like in the description, the claims and the above drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data used in this way are interchangeable where appropriate, so that the embodiments described herein can be implemented in an order other than that illustrated or described herein. Furthermore, the terms "include" and "have", and any variations of them, are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
请参阅图1,本发明实施例提供了VPN业务的接入方法的一种方法实施例。Referring to FIG. 1 , an embodiment of the present invention provides a method embodiment of a VPN service access method.
为了更好的理解本发明实施例的技术方案,下面通过图2说明本实施例所用于的一种可选的网络拓扑。需要说明的是,图2仅为一种示例性的说明,其具体结构并不会对本发明实施例起到限制作用。In order to better understand the technical solution of the embodiment of the present invention, an optional network topology used in this embodiment is described below through FIG. 2 . It should be noted that FIG. 2 is only an exemplary illustration, and its specific structure does not limit the embodiment of the present invention.
如图2所示,第一边缘设备和第二边缘设备属于运营商的边缘设备,通过骨干网络相连。所述第一边缘设备通过物理连接的方式与第一用户站点连接,在本领域中,也可以称所述第一用户站点附着在所述第一边缘设备上。其中,所述第一边缘设备上与所述第一用户站点连接的第一端口可以称为所述第一用户站点的接入端口。与之类似,所述第二边缘设备与第二用户站点连接,所述第二边缘设备上与所述第二用户站点连接的第二端口可以称为所述第二用户站点的接入端口。所述第一用户站点和所述第二用户站点的VPN数据,需要利用所述第一边缘设备、所述骨干网络以及所述第二边缘设备进行传输。需要说明的是,在本发明的图2和图4中,实线表示物理连接,虚线表示逻辑关系,即表示设备之间交互的是控制信息。As shown in FIG. 2 , the first edge device and the second edge device belong to the operator's edge devices and are connected through a backbone network. The first edge device is connected to the first user site through a physical connection. In this field, it may also be called that the first user site is attached to the first edge device. Wherein, the first port connected to the first user site on the first edge device may be referred to as an access port of the first user site. Similarly, the second edge device is connected to the second user site, and the second port on the second edge device connected to the second user site may be called an access port of the second user site. The VPN data of the first user site and the second user site need to be transmitted by using the first edge device, the backbone network, and the second edge device. It should be noted that, in FIG. 2 and FIG. 4 of the present invention, the solid line represents the physical connection, and the dotted line represents the logical relationship, that is, it indicates that control information is exchanged between devices.
The method of this embodiment includes:
101: The network device receives a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
In this embodiment of the present invention, the first edge device may send the first access request to the network device when it determines that the first user site needs to access the VPN service, for example after receiving a go-online request from the first user site. This embodiment may therefore further include: the first edge device sends the first access request to the network device after receiving the go-online request of the first user site.
In a specific implementation, the user may apply in advance to have the VPN service provisioned, for example on the operator's website. The VPN service may correspond to one registered account or to several registered accounts. The network device stores the correspondence between the provisioned VPN service and the registered accounts. Once the VPN service is provisioned, the user can send a go-online request that includes a registered account to the first edge device. From the registered account in the go-online request, the first edge device determines that the first user site needs to access the VPN service, and so sends the first access request to the network device. The first edge device may also send the registered account to an authentication device for authentication and send the first access request only after authentication succeeds.
In this embodiment of the present invention, the first access request may include an identifier of the first user site and an identifier of the VPN service. The identifier of the first user site may specifically be the port identifier of the first port. The identifier of the VPN service may specifically be assigned by the network device. The first access request may be carried in accounting copy information sent to the network device.
102: The network device determines that the second user site requests access to the VPN service. The second user site is a user site different from the first user site.
In this embodiment of the present invention, after receiving the first access request, the network device does not directly connect the first user site to the VPN service. Instead, it further determines whether a second user site, different from the first user site, accesses the VPN service. If so, the network device has determined that the second user site requests access to the VPN service.
If the network device determines that the second user site requests access to the VPN service, both the first user site and the second user site request access to the VPN service. This means that once the first user site and the second user site are connected to the VPN service, the first user site can transmit data with the second user site.
Note that in this embodiment of the present invention the second user site refers to any user site different from the first user site. That is, when the network device determines that any user site different from the first user site accesses the VPN service, it treats that user site as the second user site.
103: The network device configures the first edge device and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
In this embodiment of the present invention, when the network device determines that a second user site different from the first user site requests access to the VPN service, it can further determine that the first user site will be able to transmit data with the second user site after accessing the VPN service. It therefore configures the first edge device and the second edge device, thereby connecting the first user site and the second user site to the VPN service.
Optionally, this embodiment further includes: if the network device determines that no user site other than the first user site accesses the VPN service, which means the first user site could not transmit data even after accessing the VPN service, 103 is not performed. Instead, the procedure of this embodiment may end directly, or the network device may determine again, after a preset period, whether a second user site different from the first user site accesses the VPN service.
As the above technical solution shows, when the network device in this embodiment receives the first access request, which requests that the first user site access the VPN service, it does not directly connect the first user site to the VPN service. Only when it determines that a second user site different from the first user site requests access to the VPN service, which means the first user site will be able to transmit data with the second user site after accessing the VPN service, does it configure the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service. In other words, the first user site and the second user site are connected to the VPN service only once it is determined that the first user site can transmit data with the second user site after accessing the VPN service. The first user site thus accesses the VPN service on demand, which avoids as far as possible the situation in which resources of the first edge device are occupied while the first user site cannot transmit data, and so reduces wasted resources.
In this embodiment of the present invention, the network device may be a coordination device, an orchestration device (orchestrator), a network management device, or another device with coordinated management functions. The first edge device and the second edge device may be broadband network gateways (BNG). The first user site and the second user site may be customer premises equipment (CPE).
In this embodiment of the present invention, after receiving the first access request sent by the first edge device, the network device may also store information indicating that the first user site requests access to the VPN service, for example the correspondence between the VPN service and the port identifier of the first port. When it later receives an access request from another edge device, it can determine from the stored information that the first user site accesses the VPN service. Accordingly, the network device determining in 102 that a second user site requests access to the VPN service may include: the network device determining that it has stored information indicating that the second user site requests access to the VPN service.
In this embodiment of the present invention, when the network device receives the first access request and determines that the second user site requests access to the VPN service, it configures the first edge device and the second edge device so as to connect the first user site and the second user site to the VPN service. The network device can configure the first edge device and the second edge device in two ways. In the first configuration mode, the first user site and the second user site access the VPN service independently, that is, each user site, after accessing the VPN service, does not learn of the other user equipment accessing the VPN service. In the second configuration mode, the first user site and the second user site are connected to the VPN service by deploying VPN tunnels between the first user site and the second user site. The two configuration modes are described in turn below.
First configuration mode: the network device may configure the first edge device and the second edge device separately, so that the first user site and the second user site access the VPN service independently.
For example, the network device sends configuration parameters to the first edge device. These include only the configuration parameters needed to connect the first user site to the VPN service, such as the port identifier of the first port, and no configuration parameters related to the second user site. The port identifier of the first port may be obtained from the first access request. In some scenarios, the network device may also send to the first edge device a first Route Target (RT) and a first Route Distinguisher (RD) that the network device has allocated to the first user site. Similarly, the configuration parameters that the network device sends to the second edge device include only the configuration parameters needed to connect the second user site to the VPN service, such as the port identifier of the second port, and no configuration parameters related to the first user site. The port identifier of the second port may be obtained from the access request that requests that the second user site access the VPN service. In some scenarios, the network device may also send to the second edge device a second RT and a second RD that the network device has allocated to the second user site. According to the configuration parameters sent by the network device, the first edge device and the second edge device each independently connect the first edge device and the second edge device to the VPN service.
Second configuration mode: in some scenarios, for example when the user sets the VPN service to a point-to-point service type when applying for it, the second configuration mode can be used, that is, the VPN service is accessed by deploying VPN tunnels between the first edge device and the second edge device. This is described in detail below through an embodiment.
Referring to FIG. 3, an embodiment of the present invention provides another method embodiment of the VPN service access method. Unlike the other embodiments, this embodiment focuses on accessing the VPN service by deploying VPN tunnels between the first edge device and the second edge device.
The method of this embodiment includes 301 to 303. 301 and 302 are similar to 101 and 102 of the embodiment shown in FIG. 1, so they are described only briefly; for details, see the embodiment shown in FIG. 1. This embodiment focuses on 303.
301: The network device receives a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
302: The network device determines that the second user site requests access to the VPN service, where the second user site is a user site different from the first user site.
303: The network device deploys a first VPN tunnel from the first edge device to the second edge device, and deploys a second VPN tunnel from the second edge device to the first edge device.
The head end of the first VPN tunnel is associated with the first port, and the tail end of the first VPN tunnel is associated with the second port. The head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port. The first port is the port on the first edge device that connects to the first user site, that is, the access port of the first user site. The second port is the port on the second edge device that connects to the second user site, that is, the access port of the second user site.
One way of associating the head end or tail end of a VPN tunnel with a port in this embodiment is as follows. The association of the head end of the first VPN tunnel with the first port may take the form of a mapping between the first port and the first VPN tunnel stored on the first edge device, so that the first edge device, according to this mapping, transmits data received on the first port through the first VPN tunnel. The association of the tail end of the first VPN tunnel with the second port may take the form of a mapping between the second port and the first VPN tunnel stored on the second edge device, so that the second edge device, according to this mapping, outputs data carried by the first VPN tunnel on the second port.
Similarly, the association of the head end of the second VPN tunnel with the second port and of the tail end of the second VPN tunnel with the first port may take the same form, which is not repeated here.
In this embodiment of the present invention, after receiving the first access request, the network device does not directly connect the first user site to the VPN service but determines whether a second user site requests access to the VPN service. If so, the network device in effect has two user sites that access the VPN service, and it can connect these two user sites to the VPN service by deploying the first VPN tunnel and the second VPN tunnel.
This embodiment thus describes an implementation of the second configuration mode: the first user site and the second user site are connected to the VPN service by deploying the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device. In effect, the first VPN tunnel and the second VPN tunnel are point-to-point VPN tunnels between the first user site and the second user site whose peer is known. Therefore, compared with the first configuration mode, in which the first user site and the second user site access the VPN service independently, the second configuration mode needs no automatic site discovery, so no complex discovery protocol has to run, the requirements on the edge devices are lower, and the error rate is lower.
In this embodiment, after the first VPN tunnel and the second VPN tunnel have been deployed between the first edge device and the second edge device, if another user site requests access to the VPN service, VPN tunnels can be deployed between the edge device to which that user site is connected and each of the first edge device and the second edge device. Specifically: the network device receives a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service; the network device determines that the first user site and the second user site access the VPN service; the network device deploys a third VPN tunnel from the first edge device to the third edge device and a fourth VPN tunnel from the third edge device to the first edge device, where the head end of the third VPN tunnel is associated with the first port, the tail end of the third VPN tunnel is associated with a third port, the head end of the fourth VPN tunnel is associated with the third port, the tail end of the fourth VPN tunnel is associated with the first port, and the third port is the port on the third edge device that connects to the third user site; the network device deploys a fifth VPN tunnel from the second edge device to the third edge device and a sixth VPN tunnel from the third edge device to the second edge device, where the head end of the fifth VPN tunnel is associated with the second port, the tail end of the fifth VPN tunnel is associated with the third port, the head end of the sixth VPN tunnel is associated with the third port, and the tail end of the sixth VPN tunnel is associated with the second port. For the specific form that the association of a port with the head end or tail end of a tunnel takes, see the association of the head end of the first VPN tunnel with the first port and the association of the tail end of the second VPN tunnel with the second port. It is not repeated here.
Note that the network device may deploy the first VPN tunnel and the second VPN tunnel by configuring the first edge device and the second edge device directly, for example by sending configuration parameters to the first edge device and the second edge device. The network device may also configure the first edge device and the second edge device indirectly, for example by sending a request to another device, which then deploys the first VPN tunnel and the second VPN tunnel. The two approaches are described in turn below.
Direct configuration is described first. This embodiment may further include: the network device assigns a VPN tunnel identifier to the VPN service. 303 of this embodiment includes 3031 and 3032. The VPN tunnel identifier uniquely identifies a VPN tunnel. A VPN tunnel here means a tunnel used to carry the VPN service; it may be, for example, an MPLS LSP tunnel, an MPLS TE tunnel, an L2TP tunnel, a GRE tunnel or an IPsec tunnel, and this embodiment of the present invention places no limitation on it.
3031: The network device sends a first configuration parameter to the first edge device, where the first configuration parameter includes: the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device. The device identifier of the second edge device may specifically be the IP address of the second edge device.
3032: The network device sends a second configuration parameter to the second edge device, where the second configuration parameter includes: the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device. The device identifier of the first edge device may specifically be the IP address of the first edge device.
The first configuration parameter sent to the first edge device therefore includes a configuration parameter related to the second user site, namely the device identifier of the second edge device, and the second configuration parameter sent to the second edge device includes a configuration parameter related to the first user site, namely the device identifier of the first edge device. The first edge device and the second edge device may deploy the first VPN tunnel and the second VPN tunnel from the first configuration parameter and the second configuration parameter using any existing VPN tunnel deployment method; this embodiment of the present invention places no limitation on it. In some scenarios, the network device may also send to the first edge device the first RT and the first RD allocated to the first user site, and send to the second edge device the second RT and the second RD allocated to the second user site.
Indirect configuration is described next, in which the first VPN tunnel and the second VPN tunnel are deployed by sending a request to another device. Referring to FIG. 4, 303 of this embodiment may specifically include: the network device sends to a controller 401 a request to deploy the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device. The request to deploy the first VPN tunnel and the second VPN tunnel includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device and the device identifier of the second edge device. The request may also include the identifier of the VPN service.
After receiving the request, the controller 401 deploys the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device according to the request. When deploying the first VPN tunnel and the second VPN tunnel, the controller 401 may use the device identifier of the first edge device and the device identifier of the second edge device to obtain the specific paths of the first VPN tunnel and the second VPN tunnel, that is, to determine the on-path devices of the first VPN tunnel and the second VPN tunnel. Then, from the path, the port identifier of the first port and the port identifier of the second port, it generates a forwarding entry for each on-path device and delivers it, so that each on-path device transmits data according to its forwarding entry. The controller 401 may be an SDN controller.
A forwarding entry may include a label assigned by the controller 401 and an output port. A specific example of deploying the first VPN tunnel follows. As shown in FIG. 5, the on-path devices of the first VPN tunnel obtained by the controller 401 are, in order: BNG1, router Router1, router Router2 and BNG2. BNG1 and BNG2 are the first edge device and the second edge device respectively.
The request sent by the network device to the controller 401 is:
port1/BNG1 --> port2/BNG2
The forwarding entry sent by the controller 401 to BNG1 is:
port1 --> port3, with label 100
The forwarding entry sent by the controller 401 to Router1 is:
port4 with label 100 --> port5 with label 200
The forwarding entry sent by the controller 401 to Router2 is:
port6 with label 200 --> port7 with label 100
The forwarding entry sent by the controller 401 to BNG2 is:
port8 with label 100 --> port2
Here port1 is the first port and port2 is the second port; port3 and port4 are the ports that connect BNG1 and Router1; port5 and port6 are the ports that connect Router1 and Router2; port7 and port8 are the ports that connect Router2 and BNG2.
By delivering a forwarding entry to each on-path device, the controller 401 deploys the first VPN tunnel between the first edge device and the second edge device. The on-path devices include the first edge device and the second edge device. The second VPN tunnel is deployed in a similar way to the first VPN tunnel, which is not repeated here.
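The FIG. 5 walk-through can be reproduced and checked in code. The following is an added example, not code from the patent: it derives the per-device forwarding entries from the path and then follows a frame hop by hop, which also exposes a label mismatch between neighbouring devices. The function names, the tuple layout of `LINKS` and the hop limit are assumptions made for the illustration.

```python
# Constructed from the page's FIG. 5 example: one tuple per link on the path,
# (device, output port, label used on the link, next device, input port).
LINKS = [
    ("BNG1", "port3", 100, "Router1", "port4"),
    ("Router1", "port5", 200, "Router2", "port6"),
    ("Router2", "port7", 100, "BNG2", "port8"),
]


def build_entries(head_port, tail_port, links):
    """Per-device forwarding entries: (in_port, in_label) -> (out_port, out_label)."""
    entries = {}
    in_port, in_label = head_port, None  # unlabelled traffic from the access port
    for device, out_port, label, _next_device, next_in in links:
        entries.setdefault(device, {})[(in_port, in_label)] = (out_port, label)
        in_port, in_label = next_in, label
    tail_device = links[-1][3]
    # The tail end removes the label and outputs on the peer site's access port.
    entries.setdefault(tail_device, {})[(in_port, in_label)] = (tail_port, None)
    return entries


def walk(entries, links, device, port, max_hops=16):
    """Follow the entries hop by hop; return the (device, out_port, label) trace."""
    wiring = {(d, o): (n, i) for d, o, _, n, i in links}
    label, trace = None, []
    for _ in range(max_hops):  # hop limit (assumption) guards against loops
        action = entries.get(device, {}).get((port, label))
        if action is None:
            raise LookupError(f"{device}: no entry for {port} with label {label}")
        out_port, label = action
        trace.append((device, out_port, label))
        if (device, out_port) not in wiring:
            return trace  # not a backbone link: the traffic has left the tunnel
        device, port = wiring[(device, out_port)]
    raise RuntimeError("hop limit reached: forwarding loop")


ENTRIES = build_entries("port1", "port2", LINKS)
TRACE = walk(ENTRIES, LINKS, "BNG1", "port1")


def broken_trace():
    """Router2 sends label 300 instead of 100, so BNG2 has no matching entry."""
    bad = {dev: dict(table) for dev, table in ENTRIES.items()}
    bad["Router2"][("port6", 200)] = ("port7", 300)
    try:
        walk(bad, LINKS, "BNG1", "port1")
    except LookupError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for hop in TRACE:
        print(hop)
    print(broken_trace())
```

The generated entries equal the four entries listed above, and the trace ends on port2 of BNG2 with the label removed.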
Optionally, in this embodiment, because the VPN service may correspond to one or more accounts and each account may correspond to a different QoS, the first VPN tunnel may also be deployed on the basis of the QoS that corresponds to the account the user is using. Specifically, the first access request further includes the account with which the first user site requests access to the VPN service; this embodiment may further include: the network device obtains the QoS corresponding to the account; and the network device deploying the first VPN tunnel from the first edge device to the second edge device includes: the network device deploys the first VPN tunnel from the first edge device to the second edge device on the basis of the QoS corresponding to the account. The account with which the second user site requests access to the VPN service may also be obtained, and the second VPN tunnel deployed according to the QoS corresponding to that account. The first VPN tunnel and the second VPN tunnel that are finally deployed may have different QoS.
Further optionally, in this embodiment, bandwidth may be reserved for the first VPN tunnel and the second VPN tunnel when they are deployed. When the first user site or the second user site needs to leave the VPN service, for example when the first user site or the second user site requests to go offline, the first VPN tunnel and the second VPN tunnel may be withdrawn to release the bandwidth reserved for them. In a specific implementation, the network device receives a first exit request sent by the first edge device or a second exit request sent by the second edge device, where the first exit request is used to request that the first user site leave the VPN service and the second exit request is used to request that the second user site leave the VPN service; the network device then withdraws the first VPN tunnel and the second VPN tunnel deployed between the first edge device and the second edge device.
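The on-demand logic of 301 to 303, the configuration parameters of 3031 and 3032, the extension to a third site and the withdrawal on exit fit into one small state machine. The following is an added example, not code from the patent. The class and field names, the sample identifiers, allocating one tunnel identifier per pair of edge devices, and keeping the remaining sites registered after an exit are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class Site:
    edge_id: str  # device identifier of the edge device, e.g. its IP address
    port_id: str  # access port of the user site on that edge device


@dataclass(frozen=True)
class Tunnel:
    tunnel_id: int
    head: Site  # data received on head.port_id enters the tunnel
    tail: Site  # data leaving the tunnel is output on tail.port_id


@dataclass
class NetworkDevice:
    requested: dict = field(default_factory=dict)  # vpn_id -> [Site, ...]
    tunnels: dict = field(default_factory=dict)    # vpn_id -> [Tunnel, ...]
    ids: count = field(default_factory=lambda: count(1))

    def access_request(self, vpn_id, site):
        """Return the configuration parameters to send, keyed by edge device."""
        sites = self.requested.setdefault(vpn_id, [])
        if site in sites:
            return {}                # repeated request: nothing new to deploy
        peers = list(sites)          # 302: sites that already requested this VPN
        sites.append(site)           # store the request for later arrivals
        pushes = {}                  # stays empty while the site is alone
        for peer in peers:           # 303: one tunnel pair per existing site
            tid = next(self.ids)     # assumption: one identifier per edge pair
            self.tunnels.setdefault(vpn_id, []).extend(
                [Tunnel(tid, site, peer), Tunnel(tid, peer, site)])
            # 3031 / 3032: tunnel id, own access port, peer edge identifier
            for local, remote in ((site, peer), (peer, site)):
                pushes.setdefault(local.edge_id, []).append(
                    {"tunnel_id": tid, "port_id": local.port_id,
                     "peer_edge": remote.edge_id})
        return pushes

    def exit_request(self, vpn_id, site):
        """Withdraw every tunnel whose head or tail is the exiting site."""
        sites = self.requested.get(vpn_id, [])
        if site not in sites:
            return []
        sites.remove(site)
        kept, withdrawn = [], []
        for tunnel in self.tunnels.get(vpn_id, []):
            target = withdrawn if site in (tunnel.head, tunnel.tail) else kept
            target.append(tunnel)
        self.tunnels[vpn_id] = kept
        return withdrawn


def demo():
    """Three constructed sites join one VPN service, then the first one exits."""
    nd = NetworkDevice()
    a = Site("192.0.2.1", "port1")
    b = Site("192.0.2.2", "port2")
    c = Site("192.0.2.3", "port9")
    first = nd.access_request("vpn-A", a)   # alone: no configuration is sent
    second = nd.access_request("vpn-A", b)  # first and second tunnel
    third = nd.access_request("vpn-A", c)   # third to sixth tunnel
    gone = nd.exit_request("vpn-A", a)
    return first, second, third, gone, nd.tunnels["vpn-A"]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The first request returns no configuration at all, which is the resource saving the method aims for: an edge device is configured only once a peer site exists.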
At present, because on-demand access to a VPN service is not possible, charging for a VPN service is generally based on the QoS of the VPN service that has been opened. Further optionally, in this embodiment, because the first VPN tunnel and the second VPN tunnel are deployed and revoked on demand, charging can be based on the deployment time of the first VPN tunnel and the second VPN tunnel, that is, the actual time during which the first user site accesses the VPN service. In a specific implementation, this embodiment further includes: the network device obtains related information indicating the deployment time of the first VPN tunnel and the second VPN tunnel; the network device sends the related information to a charging device, and the charging device can obtain the deployment time of the first VPN tunnel and the second VPN tunnel from the related information and charge according to the deployment time. The related information may be the deployment time of the first VPN tunnel and the second VPN tunnel itself, or it may be the moment at which the first VPN tunnel and the second VPN tunnel were deployed and the moment at which they were revoked, in which case the charging device calculates the deployment time of the first VPN tunnel and the second VPN tunnel from the two moments.
The method embodiments for accessing a VPN service have been described above. The apparatus embodiments of the network device are described below from the perspective of modular functional entities.
Referring to FIG. 6, an embodiment of the present invention provides an apparatus embodiment of a network device 600.
For a better understanding of the technical solution of this embodiment, an optional network topology in which the network device of this embodiment is used is described below with reference to FIG. 2. It should be noted that FIG. 2 is only an exemplary illustration, and its specific structure does not limit the embodiments of the present invention. As shown in FIG. 2, the network device is connected to a first edge device and to a second edge device. The first edge device and the second edge device are edge devices of the operator and are connected through a backbone network. The first edge device is connected to the first user site through a physical connection. The second edge device is connected to the second user site through a physical connection.
The network device 600 of this embodiment includes a receiving unit 601 and a processing unit 602.
The receiving unit 601 is configured to receive a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
In this embodiment of the present invention, the first edge device may send the first access request to the network device 600 when it determines that the first user site needs to access the VPN service, for example after receiving an online request from the first user site. The first edge device may be the device that sends the first access request to the network device 600 after receiving the online request of the first user site.
In a specific implementation, the user may apply in advance to open the VPN service, for example on the operator's website. The VPN service may correspond to one registered account or to multiple registered accounts. The network device 600 stores the correspondence between the opened VPN service and the registered accounts. After the VPN service has been opened, the user can send an online request that includes a registered account to the first edge device. The first edge device determines from the registered account in the online request that the first user site needs to access the VPN service, and therefore sends the first access request to the network device 600. The first edge device may also send the registered account to an authentication device for authentication and send the first access request only after authentication succeeds.
In this embodiment of the present invention, the first access request may include an identifier of the first user site and an identifier of the VPN service. The identifier of the first user site may specifically be the port identifier of the first port. The identifier of the VPN service may specifically be allocated by the network device 600.
The processing unit 602 is configured to determine, when the receiving unit 601 receives the first access request, that a second user site requests access to the VPN service. The second user site is a user site different from the first user site.
In this embodiment of the present invention, after the receiving unit 601 receives the first access request, the processing unit 602 does not directly connect the first user site to the VPN service. Instead, it further determines whether a second user site different from the first user site accesses the VPN service; if so, the processing unit 602 has determined that the second user site requests access to the VPN service.
If the processing unit 602 determines that the second user site requests access to the VPN service, both the first user site and the second user site are requesting access to the VPN service. This means that once the first user site and the second user site are connected to the VPN service, the first user site can transmit data with the second user site.
It should be noted that, in this embodiment of the present invention, the second user site refers to any user site different from the first user site. That is, the processing unit 602 is specifically configured to, when it determines that any user site different from the first user site accesses the VPN service, take that user site as the second user site.
The processing unit 602 is further configured to, when it determines that the second user site requests access to the VPN service, configure the first edge device and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service.
In this embodiment of the present invention, when the processing unit 602 determines that a second user site different from the first user site requests access to the VPN service, it can further determine that the first user site will be able to transmit data with the second user site after accessing the VPN service. It therefore configures the first edge device and the second edge device, thereby connecting the first user site and the second user site to the VPN service.
The processing unit 602 may further be configured to: if it determines that no user site other than the first user site accesses the VPN service, which means that the first user site could not transmit data even after accessing the VPN service, not connect the first user site to the VPN service. It may instead stop, or it may determine again after a preset period whether a second user site different from the first user site accesses the VPN service.
It can be seen from the above technical solution that, when the receiving unit 601 receives the first access request requesting that the first user site access the VPN service, the processing unit 602 does not directly connect the first user site to the VPN service. Only when it determines that a second user site different from the first user site requests access to the VPN service, which means that the first user site will be able to transmit data with the second user site after accessing the VPN service, does it configure the first edge device connected to the first user site and the second edge device connected to the second user site, so as to connect the first user site and the second user site to the VPN service. The first user site and the second user site are thus connected to the VPN service only once it has been determined that the first user site can transmit data with the second user site after accessing the VPN service. In other words, the first user site accesses the VPN service on demand, which avoids as far as possible the situation in which resources of the first edge device are occupied but the first user site cannot transmit data, and so reduces wasted resources.
In this embodiment of the present invention, the network device 600 may be a device with a collaborative management function, such as a collaboration device, an orchestration device, or a network management device. The first edge device and the second edge device may be BNGs, and the first user site and the second user site may be CPEs.
In this embodiment of the present invention, when the receiving unit 601 receives the first access request sent by the first edge device, the processing unit 602 may further be configured to store information indicating that the first user site requests access to the VPN service, for example the correspondence between the VPN service and the port identifier of the first port. When the receiving unit 601 later receives an access request sent by another edge device, the processing unit 602 can determine from the stored information that the first user site accesses the VPN service. Accordingly, when determining that a second user site requests access to the VPN service, the processing unit 602 may specifically be configured to determine that information indicating that the second user site requests access to the VPN service is stored.
In this embodiment of the present invention, when the receiving unit 601 receives the first access request and the processing unit 602 determines that the second user site requests access to the VPN service, the processing unit 602 configures the first edge device and the second edge device so as to connect the first user site and the second user site to the VPN service. The processing unit 602 can configure the first edge device and the second edge device in two ways. In the first configuration mode, the first user site and the second user site access the VPN service independently, that is, each user site, after accessing the VPN service, is not informed of the other user equipment accessing the VPN service. In the second configuration mode, the first user site and the second user site are connected to the VPN service by deploying VPN tunnels between the first user site and the second user site. The two configuration modes are described in turn below.
First configuration mode: the processing unit 602 may configure the first edge device and the second edge device separately, so that the first user site and the second user site access the VPN service independently.
For example, the network device 600 may further include a sending unit, and the processing unit 602 sends configuration parameters to the first edge device through the sending unit. These configuration parameters include only the parameters used to connect the first user site to the VPN service, for example the port identifier of the first port, and do not include configuration parameters related to the second user site. The port identifier of the first port may be obtained from the first access request. In some scenarios, the processing unit 602 may also send to the first edge device, through the sending unit, the first RT and the first RD that the network device 600 allocates to the first user site. Similarly, the configuration parameters that the processing unit 602 sends to the second edge device through the sending unit include only the parameters used to connect the second user site to the VPN service, for example the port identifier of the second port, and do not include configuration parameters related to the first user site. The port identifier of the second port may be obtained from the access request that requests that the second user site access the VPN service. In some scenarios, the processing unit 602 may also send to the second edge device, through the sending unit, the second RT and the second RD that the network device 600 allocates to the second user site. According to the configuration parameters sent by the network device 600, the first edge device and the second edge device each access the VPN service independently.
Second configuration mode: in some scenarios, for example when the user sets the VPN service to a point-to-point service type when applying for it, the VPN service can be accessed by deploying VPN tunnels between the first edge device and the second edge device. This is described in detail below through an embodiment.
Referring to FIG. 7, an embodiment of the present invention provides another apparatus embodiment, a network device 700. Unlike the other embodiments, this embodiment focuses on accessing the VPN service by deploying VPN tunnels between the first edge device and the second edge device.
The network device 700 of this embodiment includes a receiving unit 701 and a processing unit 702.
The receiving unit 701 is configured to receive a first access request sent by the first edge device, where the first access request is used to request that the first user site connected to the first edge device access the VPN service.
The processing unit 702 is configured to determine, when the receiving unit 701 receives the first access request, that the second user site requests access to the VPN service, where the second user site is a user site different from the first user site.
The above functions of the receiving unit 701 and the processing unit 702 are similar to the corresponding functions of the receiving unit 601 and the processing unit 602 in the embodiment shown in FIG. 6, so they are described only briefly here; for the related details, see the embodiment shown in FIG. 6.
The processing unit 702 is further configured to, when it determines that the second user site requests access to the VPN service, deploy a first VPN tunnel from the first edge device to the second edge device and deploy a second VPN tunnel from the second edge device to the first edge device.
The head end of the first VPN tunnel is associated with the first port, and the tail end of the first VPN tunnel is associated with the second port; the head end of the second VPN tunnel is associated with the second port, and the tail end of the second VPN tunnel is associated with the first port. The first port is the port on the first edge device that is connected to the first user site, that is, the access port of the first user site. The second port is the port on the second edge device that is connected to the second user site, that is, the access port of the second user site.
One way of associating the head end or tail end of a VPN tunnel with a port in this embodiment of the present invention is described below. Associating the head end of the first VPN tunnel with the first port may take the form of storing, on the first edge device, a mapping between the first port and the first VPN tunnel, so that the first edge device, according to this mapping, transmits data received on the first port through the first VPN tunnel. Associating the tail end of the first VPN tunnel with the second port may take the form of storing, on the second edge device, a mapping between the second port and the first VPN tunnel, so that the second edge device, according to this mapping, outputs data carried by the first VPN tunnel to the second port.
Similarly, the association of the head end of the second VPN tunnel with the second port and of the tail end of the second VPN tunnel with the first port may also take the form described above, and is not repeated here.
In this embodiment of the present invention, after the receiving unit 701 receives the first access request, the processing unit 702 does not directly connect the first user site to the VPN service but determines whether the second user site requests access to the VPN service. If so, the processing unit 702 has in effect obtained two user sites that access the VPN service, and it can connect these two user sites to the VPN service by deploying the first VPN tunnel and the second VPN tunnel.
This embodiment thus describes an implementation of the second configuration mode: the first user site and the second user site are connected to the VPN service by deploying the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device. The first VPN tunnel and the second VPN tunnel are in fact point-to-point VPN tunnels between the first user site and the second user site whose peer is known. Compared with the first configuration mode, in which the first user site and the second user site access the VPN service independently, the second configuration mode therefore needs no automatic site discovery and so no complex discovery protocol. It places lower requirements on the edge devices and has a lower error rate.
In this embodiment, after the first VPN tunnel and the second VPN tunnel have been deployed between the first edge device and the second edge device, if another user site requests access to the VPN service, VPN tunnels can be deployed between the edge device connected to that user site and each of the first edge device and the second edge device. Specifically, the receiving unit 701 is further configured to receive a second access request sent by a third edge device, where the second access request is used to request that a third user site connected to the third edge device access the VPN service. The processing unit 702 is further configured to, when the receiving unit 701 receives the second access request, determine that the first user site and the second user site access the VPN service, deploy a third VPN tunnel from the first edge device to the third edge device, deploy a fourth VPN tunnel from the third edge device to the first edge device, deploy a fifth VPN tunnel from the second edge device to the third edge device, and deploy a sixth VPN tunnel from the third edge device to the second edge device. The head end of the third VPN tunnel is associated with the first port, and the tail end of the third VPN tunnel is associated with a third port; the head end of the fourth VPN tunnel is associated with the third port, and the tail end of the fourth VPN tunnel is associated with the first port; the head end of the fifth VPN tunnel is associated with the second port, and the tail end of the fifth VPN tunnel is associated with the third port; the head end of the sixth VPN tunnel is associated with the third port, and the tail end of the sixth VPN tunnel is associated with the second port. For the specific form in which a port is associated with the head end or tail end of a tunnel, see the description of the association of the head end of the first VPN tunnel with the first port and of the tail end of the second VPN tunnel with the second port. It is not repeated here.
It should be noted that the processing unit 702 may deploy the first VPN tunnel and the second VPN tunnel by directly configuring the first edge device and the second edge device, for example by sending configuration parameters to the first edge device and the second edge device. The processing unit 702 may also configure the first edge device and the second edge device indirectly, for example by sending a request to another device so that the other device deploys the first VPN tunnel and the second VPN tunnel. The two approaches are described in turn below.
Direct configuration is described first. The network device 700 of this embodiment further includes a sending unit. The processing unit 702 is further configured to allocate a VPN tunnel identifier for the VPN service. A VPN tunnel identifier uniquely identifies one VPN tunnel, and a VPN tunnel here means a VPN tunnel used to carry the VPN service.
When deploying the first VPN tunnel and the second VPN tunnel of the VPN service between the first edge device and the second edge device, the processing unit 702 is specifically configured to send a first configuration parameter to the first edge device through the sending unit and to send a second configuration parameter to the second edge device through the sending unit. The first configuration parameter includes the VPN tunnel identifier, the port identifier of the first port, and the device identifier of the second edge device. The second configuration parameter includes the VPN tunnel identifier, the port identifier of the second port, and the device identifier of the first edge device.
The first configuration parameter sent to the first edge device therefore includes a configuration parameter related to the second user site, namely the device identifier of the second edge device, and the second configuration parameter sent to the second edge device includes a configuration parameter related to the first user site, namely the device identifier of the first edge device. The first edge device and the second edge device may deploy the first VPN tunnel and the second VPN tunnel from the first configuration parameter and the second configuration parameter using any existing VPN tunnel deployment method; the embodiments of the present invention place no limitation on this. In some scenarios, the processing unit 702 may also be configured to send, through the sending unit, the first RT and the first RD allocated for the first user site to the first edge device, and the second RT and the second RD allocated for the second user site to the second edge device.
Indirect configuration is described next, in which the first VPN tunnel and the second VPN tunnel are deployed by sending a request to another device. The network device 700 of this embodiment further includes a sending unit. When deploying the first VPN tunnel and the second VPN tunnel of the VPN service between the first edge device and the second edge device, the processing unit 702 is specifically configured to send to a controller, through the sending unit, a request to deploy the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device. The request includes the port identifier of the first port, the port identifier of the second port, the device identifier of the first edge device, and the device identifier of the second edge device. The request may also include the identifier of the VPN service.
After receiving the request, the controller deploys the first VPN tunnel and the second VPN tunnel between the first edge device and the second edge device according to the request. When deploying the first VPN tunnel and the second VPN tunnel, the controller may obtain their specific paths from the device identifier of the first edge device and the device identifier of the second edge device, that is, determine the transit devices of the first VPN tunnel and the second VPN tunnel. Then, according to the paths, the port identifier of the first port, and the port identifier of the second port, it generates a forwarding entry for each transit device and delivers it to that device, so that each transit device forwards data according to its forwarding entry. The forwarding entry may include a label allocated by the controller 401 and an output port. The connection between the controller and the network device 700 may be as shown in FIG. 4. The controller may specifically be an SDN controller.
可选的,在本实施例中,由于所述VPN业务可以对应一个或多个账号,而每个账号可以对应不同的QoS,因此在部署所述第一VPN隧道时,还可以基于用户所使用的账号所对应的Qos。具体地,所述第一接入请求还包括所述第一用户站点请求接入所述VPN业务的账号;所述处理单元702还用于,获取所述账号对应的QoS;当在部署从所述第一边缘设备至所述第二边缘设备的第一VPN隧道时,所述处理单元702具体用于基于所述账号对应的QoS,部署从所述第一边缘设备至所述第二边缘设备的第一VPN隧道。其中,所述处理单元702还可以用于获取所述第二用户站点请求接入所述VPN业务的账号,并且根据该账号对应的QoS部署所述第二VPN隧道。最终部署的所述第一VPN隧道和所述第二VPN隧道可以具有不同的QoS。Optionally, in this embodiment, since the VPN service may correspond to one or more accounts, and each account may correspond to a different QoS, when deploying the first VPN tunnel, it may also be based on the QoS used by the user. Qos corresponding to the account number. Specifically, the first access request further includes the account for which the first user site requests to access the VPN service; the processing unit 702 is further configured to acquire the QoS corresponding to the account; When connecting the first VPN tunnel from the first edge device to the second edge device, the processing unit 702 is specifically configured to deploy the tunnel from the first edge device to the second edge device based on the QoS corresponding to the account. The first VPN tunnel. Wherein, the processing unit 702 may also be configured to obtain an account of the second user site requesting to access the VPN service, and deploy the second VPN tunnel according to the QoS corresponding to the account. The first VPN tunnel and the second VPN tunnel that are finally deployed may have different QoS.
进一步可选的,在本实施例中,部署所述第一VPN隧道和所述第二VPN隧道时,还可以为所述第一VPN隧道和所述第二VPN隧道预留带宽,而当所述第一用户站点或者所述第二用户站点需要退出所述VPN业务时,比如所述第一用户站点或者所述第二用户站点请求离线时,还可以进一步撤销所述第一VPN隧道和所述第二VPN隧道,以释放为所述第一VPN隧道和所述第二VPN隧道预留的带宽。具体实现时,所述接收单元701还用于,接收所述第一边缘设备发送的第一退出请求或者所述第二边缘设备发送的第二退出请求,所述第一退出请求用于请求将所述第一用户站点退出所述VPN业务,所述第二退出请求用于请求将所述第二用户站点退出所述VPN业务;所述处理单元702还用于,所述接收单元701接收到所述第一退出请求或者所述第二退出请求时,撤销所述第一边缘设备和所述第二边缘设备之间部署的所述第一VPN隧道和所述第二VPN隧道。Further optionally, in this embodiment, when deploying the first VPN tunnel and the second VPN tunnel, bandwidth may also be reserved for the first VPN tunnel and the second VPN tunnel, and when the When the first user site or the second user site needs to exit the VPN service, for example, when the first user site or the second user site requests to go offline, the first VPN tunnel and the the second VPN tunnel to release bandwidth reserved for the first VPN tunnel and the second VPN tunnel. During specific implementation, the receiving unit 701 is further configured to receive the first exit request sent by the first edge device or the second exit request sent by the second edge device, and the first exit request is used to request the The first user site withdraws from the VPN service, and the second withdrawal request is used to request that the second user site withdraw from the VPN service; the processing unit 702 is further configured to, the receiving unit 701 receives When the first logout request or the second logout request is made, revoke the first VPN tunnel and the second VPN tunnel deployed between the first edge device and the second edge device.
目前在对VPN业务进行计费时,由于不能实现按需接入VPN业务,因此一般是根据开通的VPN业务的QoS进行计费。进一步可选的,在本实施例中,由于实现了按需部署和撤销所述第一VPN隧道和所述第二VPN隧道,因此可以根据所述第一VPN隧道和所述第二VPN隧道的部署时间,即所述第一用户站点的接入VPN业务的实际时间进行计费。具体实现时,本实施例的所述网络设备700,还包括:发送单元;所述处理单元702还用于,获取用于表示所述第一VPN隧道和所述第二VPN隧道的部署时间的相关信息;所述发送单元,用于将所述相关信息发送至计费设备。其中,所述相关信息,具体可以为所述第一VPN隧道和所述第二VPN隧道的部署时间,或者也可以为部署所述第一VPN隧道和所述第二VPN隧道的时刻和撤销所述第一VPN隧道和所述第二VPN隧道的时刻,由所述计费设备根据该两个时刻计算出所述第一VPN隧道和所述第二VPN隧道的部署时间。At present, when charging for VPN services, since on-demand access to VPN services cannot be realized, charging is generally performed according to the QoS of the enabled VPN services. Further optionally, in this embodiment, since the first VPN tunnel and the second VPN tunnel are deployed and withdrawn on demand, the The deployment time, that is, the actual time when the first user site accesses the VPN service is charged. During specific implementation, the network device 700 of this embodiment further includes: a sending unit; and the processing unit 702 is further configured to acquire the time used to indicate the deployment time of the first VPN tunnel and the second VPN tunnel Related information; the sending unit is configured to send the related information to a charging device. Wherein, the relevant information may specifically be the deployment time of the first VPN tunnel and the second VPN tunnel, or may also be the time of deploying the first VPN tunnel and the second VPN tunnel and the time for revocation. The timing of the first VPN tunnel and the second VPN tunnel, and the billing device calculates the deployment time of the first VPN tunnel and the second VPN tunnel according to the two timings.
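The indirect deployment, per-account QoS, withdrawal and time-based charging described above can be modelled as follows. This is an added example, not code from the patent; the class names, sample topology, QoS table, capacity figure, port names and integer timestamps are all constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed sample data (assumptions, not taken from the patent text).
PATHS = {("PE1", "PE2"): ["PE1", "P1", "PE2"]}   # path devices between two edge devices
ACCOUNT_QOS = {"acct-a": 100, "acct-b": 20}       # account -> bandwidth to reserve, Mbit/s
CAPACITY = 150                                    # Mbit/s the controller may reserve in total


@dataclass
class Controller:
    reserved: int = 0
    tables: dict = field(default_factory=dict)    # path device -> forwarding entries
    labels: count = field(default_factory=lambda: count(100))

    def _path(self, src, dst):
        if (src, dst) in PATHS:
            return PATHS[(src, dst)]
        if (dst, src) in PATHS:
            return PATHS[(dst, src)][::-1]
        raise LookupError(f"no path between {src} and {dst}")

    def deploy(self, req):
        """Deploy both tunnels or neither; returns the bandwidth reserved."""
        need = req["first_qos"] + req["second_qos"]
        if self.reserved + need > CAPACITY:
            raise RuntimeError("insufficient bandwidth, nothing deployed")
        # Tunnel 1 exits at the second port, tunnel 2 at the first port.
        legs = [(req["first_dev"], req["second_dev"], req["second_port"]),
                (req["second_dev"], req["first_dev"], req["first_port"])]
        plans = [(self._path(s, d), egress) for s, d, egress in legs]
        for path, egress in plans:                # state changes only after all checks pass
            label = next(self.labels)
            for hop, dev in enumerate(path):
                out = egress if hop == len(path) - 1 else f"to-{path[hop + 1]}"
                self.tables.setdefault(dev, []).append(
                    {"vpn": req["vpn_id"], "label": label, "out_port": out})
        self.reserved += need
        return need

    def withdraw(self, vpn_id, bandwidth):
        for dev, entries in self.tables.items():
            self.tables[dev] = [e for e in entries if e["vpn"] != vpn_id]
        self.reserved -= bandwidth


@dataclass
class NetworkDevice:
    controller: Controller
    pending: dict = field(default_factory=dict)   # vpn_id -> (device, port, account)
    active: dict = field(default_factory=dict)    # vpn_id -> (bandwidth, deploy timestamp)
    billing: list = field(default_factory=list)   # records for the charging device

    def access_request(self, vpn_id, dev, port, account, now):
        first = self.pending.get(vpn_id)
        if first is None or first[:2] == (dev, port):
            self.pending[vpn_id] = (dev, port, account)   # no second site yet: reserve nothing
            return "waiting"
        req = {"vpn_id": vpn_id,
               "first_dev": first[0], "first_port": first[1],
               "second_dev": dev, "second_port": port,
               "first_qos": ACCOUNT_QOS[first[2]], "second_qos": ACCOUNT_QOS[account]}
        self.active[vpn_id] = (self.controller.deploy(req), now)
        del self.pending[vpn_id]
        return "deployed"

    def exit_request(self, vpn_id, now):
        """Withdraw both tunnels and emit the deploy/withdraw timestamps for charging."""
        bandwidth, deployed_at = self.active.pop(vpn_id)
        self.controller.withdraw(vpn_id, bandwidth)
        self.billing.append({"vpn": vpn_id, "deployed": deployed_at, "withdrawn": now})
        return now - deployed_at
```

A repeated request from the same site does not count as a second site, and a deployment that cannot be satisfied leaves the controller's reservations and forwarding tables unchanged.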
The apparatus embodiments of the network device in the embodiments of the present invention are described above from the perspective of modular functional entities. They are described below from the perspective of hardware processing.
Referring to FIG. 8, an embodiment of the present invention provides another apparatus embodiment of the network device. The network device 800 in this embodiment may be a microprocessor-based computer. For example, the network device 800 may be one of a general-purpose computer, a custom-built machine, or a portable device such as a mobile phone terminal or a tablet. The network device 800 includes a processor 804, a memory 806, a communication interface 802, and a bus 808. The processor 804, the memory 806, and the communication interface 802 are connected through the bus 808 and communicate with one another over it.
The bus 808 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 808 may be divided into one or more of an address bus, a data bus, and a control bus. For ease of representation, only one thick line is drawn in FIG. 8, but this does not mean that there is only one bus or only one type of bus.
The memory 806 is configured to store executable program code, and the program code includes computer operation instructions. When the network device 800 executes the program code, the network device 800 can perform the embodiment shown in FIG. 1 or FIG. 3, and can also implement all functions of the network device in the embodiment shown in FIG. 6 or FIG. 7. The memory 806 may include a high-speed RAM (Random Access Memory). Optionally, the memory 806 may further include a non-volatile memory. For example, the memory 806 may include disk storage.
The processor 804 may be a central processing unit (CPU), or the processor 804 may be an application-specific integrated circuit (ASIC), or the processor 804 may be one or more integrated circuits configured to implement the embodiments of the present invention.
The communication interface 802 is configured to perform the step, in the embodiments shown in FIG. 1 and FIG. 3, of receiving a first access request sent by a first edge device, where the first access request is used to request that a first user site connected to the first edge device be given access to the VPN service.
The processor 804 is configured to read the instructions stored in the memory 806 so as to perform the steps, in the embodiments shown in FIG. 1 and FIG. 3, of determining that a second user site requests access to the VPN service, the second user site being a user site different from the first user site, and configuring the first edge device and a second edge device connected to the second user site so as to connect the first user site and the second user site to the VPN service.
It should be noted that each functional unit of the network device provided by the present invention may be a specific implementation of the functions of the method in the embodiment shown in FIG. 1 or FIG. 3 and of the apparatus in the embodiment shown in FIG. 6 or FIG. 7. The definitions and descriptions of terms are consistent with the embodiments shown in FIG. 1, FIG. 3, FIG. 6 and FIG. 7, and are not repeated here.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation. Multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the methods described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
As stated above, the foregoing embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments or make equivalent replacements of some of the technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410850003.4A CN104601431B (en) | 2014-12-31 | 2014-12-31 | The cut-in method and the network equipment of a kind of vpn service |
PCT/CN2015/093091 WO2016107261A1 (en) | 2014-12-31 | 2015-10-28 | Method for accessing vpn service, and network device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104601431A (en) | 2015-05-06 |
CN104601431B (en) | 2018-04-20 |
Family
ID=53126952
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||