Disclosure of Invention
The application provides a method, a device and a system for managing intranet network equipment, which can solve the problems.
In a first aspect, a method for managing an intranet network device is provided, including: user equipment sends first indication information carrying an identifier of the network device to a cloud coordinator, wherein the first indication information instructs the cloud coordinator to establish a data channel for the network device and the user equipment, the user equipment is located in an extranet, and the network device is located in an intranet; the user equipment receives first feedback information from the cloud coordinator, wherein the first feedback information indicates that the data channel has been established; the user equipment exchanges information with the network device through the data channel.
The user equipment instructs the cloud coordinator to create a data channel for the intranet network equipment and the user equipment, so that the intranet network equipment and the user equipment located in an extranet communicate through the data channel, a corresponding network transmission protocol interface does not need to be developed for each service of the intranet network equipment, and the workload of managing the intranet network equipment is reduced.
Optionally, the first feedback information includes an external network address of the data channel, and before the user equipment interacts information with the network equipment through the data channel, the method further includes: the user equipment sends request information to the external network address, and the request information is used for requesting to open a management page of the network equipment; the user equipment receives response information from the external network address, wherein the response information is used for indicating that the content of the request information request is accepted; and the user equipment opens a management page of the network equipment according to the response information, and the management page is used for exchanging information with the network equipment.
The user equipment can open the existing management page of the intranet network device through the data channel and control the intranet network device by using the existing intranet network device management system, without developing a network device management system again, so that the workload of managing the intranet network device can be reduced.
Optionally, the method further comprises: the user equipment sends second indication information to the cloud coordinator, wherein the second indication information is used for indicating that the data channel is closed; the user equipment receives second feedback information from the cloud coordinator, wherein the second feedback information is used for indicating that the data channel is closed.
After the maintenance work of the intranet network device is finished, the user equipment can instruct the cloud coordinator to destroy the data channel and release the network resources occupied by the data channel, so that the utilization rate of the network resources is improved.
In a second aspect, the present application further provides a method for managing an intranet network device, including: a cloud coordinator receives first indication information carrying an identifier of the network device from user equipment, wherein the first indication information instructs the cloud coordinator to establish a data channel for the network device and the user equipment, the user equipment is located in an extranet, and the network device is located in an intranet; the cloud coordinator establishes the data channel according to the first indication information; the cloud coordinator sends first feedback information to the user equipment, wherein the first feedback information indicates that the data channel has been established.
The cloud coordinator establishes a data channel for the intranet network equipment and the user equipment according to the indication of the user equipment, so that the intranet network equipment and the user equipment in the extranet communicate through the data channel, a corresponding network transmission protocol interface does not need to be developed for each service of the intranet network equipment, and the workload of managing the intranet network equipment is reduced.
Optionally, the creating, by the cloud coordinator, a data channel for the network device according to the first indication information includes: the cloud coordinator allocates network resources for the network equipment according to the first indication information, wherein the network resources comprise an internal network address and an external network address which are required by the creation of the data channel; and the cloud coordinator sends third indication information to the network equipment, wherein the third indication information is used for indicating the network equipment to create a data channel.
The cloud coordinator may indicate to the network device the network resources that the network device may use in order for the network device to be able to successfully create the data channel.
Optionally, the allocating, by the cloud coordinator, network resources for the network device according to the first indication information includes: the cloud coordinator selects an internal network address and an external network address from the network address resource pool; and the cloud coordinator records the corresponding relation between the intranet network address and the extranet network address.
According to the scheme, the network security can be improved, for example, when the cloud coordinator receives a verification request which is sent by the server and carries the intranet network address and the extranet network address, the network addresses in the verification request are determined to be safe network addresses according to the corresponding relation recorded by the cloud coordinator, and verification passing information is returned to the server.
Optionally, the method further comprises: the cloud coordinator records the used information of the intranet network address and the extranet network address.
The scheme can avoid the use of the same internal network address and the external network address by a plurality of data channels.
Optionally, the method further comprises: the cloud coordinator receives verification information from the server, and the verification information is used for verifying the security of the network equipment; and the cloud coordinator sends verification passing information to the server.
Optionally, the method further comprises: the cloud coordinator scans a server, wherein the server is equipment for bearing a data channel; when the state of the server is an abnormal state, the cloud coordinator releases the network resource; or when the state of the server is a normal state, the cloud coordinator does not release the network resources.
When a server bearing a data channel is abnormal, the data channel may not be used, the cloud coordinator scans the server regularly or irregularly, the data channel can be closed when the state of the server is abnormal, network resources occupied by the data channel are released, and the utilization rate of the network resources is improved.
Optionally, the method further comprises: and the cloud coordinator updates the corresponding relation between the intranet network address and the extranet network address.
Updating the correspondence between the intranet network address and the extranet network address helps reduce the time during which the intranet network address is exposed in the extranet and enhances the security of the intranet.
Optionally, the sending, by the cloud coordinator, third indication information carrying a network address to the network device includes: the cloud coordinator sends the third indication information to the network device based on any one of the following three communication modes: Netconf, Simple Network Management Protocol (SNMP), or Secure Telnet (STelnet) protocol.
Optionally, the method further comprises: the cloud coordinator receives second indication information from the user equipment, wherein the second indication information is used for indicating that the data channel is closed; the cloud coordinator releases the network resources of the data channel according to the second indication information; and the cloud coordinator sends second feedback information to the user equipment, wherein the second feedback information is used for indicating that the data channel is closed.
After the maintenance work of the intranet network equipment is finished, the cloud coordinator can destroy the data channel according to the indication of the user equipment, and release network resources occupied by the data channel, so that the utilization rate of the network resources is improved.
In a third aspect, the present application further provides a method for managing an intranet network device, including: the network equipment receives third indication information from the cloud coordinator, wherein the third indication information is used for indicating the network equipment to create a data channel, and the network equipment is located in an intranet; the network equipment sends a connection request to the server according to the third indication information, wherein the connection request is used for requesting to create a data channel; the network equipment receives response information from the server, wherein the response information is used for indicating that the data channel is completely established; the network device interacts information with the user device through a data channel, wherein the user device is located in an extranet.
The intranet network equipment requests the server to create a data channel according to the indication of the cloud coordinator, so that the intranet network equipment and the user equipment located in the extranet communicate through the data channel, a corresponding network transmission protocol interface does not need to be developed for each service of the intranet network equipment, and the workload of managing the intranet network equipment is reduced.
In a fourth aspect, the present application further provides a method for managing an intranet network device, including: a server receives a connection request from a network device, wherein the connection request is used for requesting to create a data channel, and the data channel is used for information interaction between user equipment and the network device, wherein the user equipment is located in an extranet, and the network device is located in an intranet; the server creates the data channel according to the connection request; and the server sends response information to the network device, wherein the response information indicates that the data channel has been established.
The server establishes a data channel according to the indication of the intranet network equipment, so that the intranet network equipment and the user equipment positioned in the extranet communicate through the data channel, a corresponding network transmission protocol interface does not need to be developed for each service of the intranet network equipment, and the workload of managing the intranet network equipment is reduced.
Optionally, before the server creates the data channel according to the connection request, the method further includes: the server sends verification information to the cloud coordinator, and the verification information is used for verifying the security of the network equipment; the server creates a data channel according to the connection request, and the method comprises the following steps: and when the security check of the network equipment passes, the server creates a data channel according to the connection request.
According to the scheme, the network security can be improved, for example, when the cloud coordinator receives a verification request which is sent by the server and carries the intranet network address and the extranet network address, the network addresses in the verification request are determined to be safe network addresses according to the corresponding relation recorded by the cloud coordinator, verification passing information is returned to the server, and then the server creates a data channel according to the verification passing information.
In a fifth aspect, the present application further provides a device for managing an intranet network device, where the device may implement functions corresponding to the steps in the method according to the first aspect, and the functions may be implemented by hardware or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible design, the apparatus includes a processor configured to support the apparatus to perform the corresponding functions in the method according to the first aspect. The apparatus may also include a memory, coupled to the processor, that retains program instructions and data necessary for the apparatus. Optionally, the apparatus further comprises a transceiver and/or a communication interface for supporting communication between the apparatus and other network elements.
In a sixth aspect, the present application further provides a device for managing an intranet network device, where the device may implement functions corresponding to the steps in the method according to the second aspect, where the functions may be implemented by hardware or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible design, the apparatus includes a processor configured to support the apparatus to perform the corresponding functions in the method according to the second aspect. The apparatus may also include a memory, coupled to the processor, that retains program instructions and data necessary for the apparatus. Optionally, the apparatus further comprises a transceiver and/or a communication interface for supporting communication between the apparatus and other network elements.
In a seventh aspect, the present application further provides a device for managing an intranet network device, where the device may implement functions corresponding to the steps in the method according to the third aspect, where the functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible design, the apparatus includes a processor configured to support the apparatus to perform the corresponding functions in the method according to the third aspect. The apparatus may also include a memory, coupled to the processor, that retains program instructions and data necessary for the apparatus. Optionally, the apparatus further comprises a transceiver and/or a communication interface for supporting communication between the apparatus and other network elements.
In an eighth aspect, the present application further provides a device for managing an intranet network device, where the device may implement functions corresponding to each step in the method according to the fourth aspect, where the functions may be implemented by hardware or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible design, the apparatus includes a processor configured to support the apparatus to perform the corresponding functions in the method according to the fourth aspect. The apparatus may also include a memory, coupled to the processor, that retains program instructions and data necessary for the apparatus. Optionally, the apparatus further comprises a transceiver and/or a communication interface for supporting communication between the apparatus and other network elements.
In a ninth aspect, the present application provides a computer program product comprising: computer program code for causing a user equipment to perform the method according to the first aspect when the computer program code is run by a communication unit, processing unit or transceiver, processor of the user equipment.
In a tenth aspect, the present application provides a computer program product comprising: computer program code which, when executed by a communication unit, a processing unit or a transceiver, a processor of a cloud coordinator, causes the cloud coordinator to perform the method of the second aspect.
In an eleventh aspect, the present application provides a computer program product comprising: computer program code which, when run by a communication unit, a processing unit or a transceiver, a processor of the intranet network device, causes the intranet network device to perform the method according to the third aspect.
In a twelfth aspect, the present application provides a computer program product comprising: computer program code for causing a server to perform the method of the fourth aspect when said computer program code is run by a communication unit, a processing unit or a transceiver, a processor of the server.
In a thirteenth aspect, the present application provides a system for managing an intranet network device, including the apparatus in the fifth aspect to the eighth aspect.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a network system suitable for use in the technical solution of the present application.
The network system includes a user equipment, a centralized management system, a switch, and a wireless controller. The centralized management system is, for example, a controller deployed in the cloud, such as the Network Cloud Engine (NCE) CloudCampus controller produced by Huawei. The centralized management system is located in the extranet, can communicate with the user equipment in the extranet, receives instructions from the user equipment and sends information to the user equipment. The centralized management system can communicate with the user equipment through a base station or Ethernet, and the user equipment is, for example, a personal computer, a handheld device or a wearable device used by operation and maintenance personnel.
The switch and the wireless controller are two intranet network devices located in a park, and the park can be an industrial park, an office building or a laboratory. The present application is not limited to the specific form of the campus, the network devices on the campus may be other types of network devices, the number of network devices on the campus is not limited to the number shown in fig. 1, and the switches and the wireless controllers are only examples.
The centralized management system can communicate with the switch and the wireless controller located in the intranet through Netconf, or through other communication protocols, such as SNMP or the STelnet protocol.
The network device is deployed in an intranet and cannot directly access an extranet. After the network device is registered on line in the centralized management system, the centralized management system allocates a unique identifier to the network device. The identifier may be an Internet Protocol (IP) address of the network device, a hardware serial number of the network device, or other information that can uniquely identify the network device.
In the present application, the intranet and the extranet are two related concepts. Optionally, they may be interpreted as follows: the intranet is a local area network within the extranet.
For example, when the external network is the Internet, the internal network may be a network formed by network devices in an industrial park, or may be a network formed by network devices in an office building in the industrial park.
For another example, when the external network is a network composed of network devices in an industrial park, the internal network may be a network composed of network devices in an office building in the industrial park, or may be a network composed of network devices in a laboratory in the office building.
It should be understood that the above explanations of the intranet and the extranet are only examples, and should not be construed as limiting the application scenarios of the present application.
Based on the network system shown in fig. 1, the present application provides a method for managing intranet network devices, as shown in fig. 2.
In the method, when an operation and maintenance person needs to manage a network device in a campus, the operation and maintenance person may send, to a centralized management system through a user device, first indication information carrying an identifier of the network device, where the first indication information is used to indicate a cloud coordinator (a module in the centralized management system) to create a data channel for the network device, that is, the user device executes S210 shown in fig. 2.
The "first indication information" may have other names as well, for example, request information. The present application is not limited to the specific form thereof.
After receiving the first indication information, the centralized management system may select the cloud coordinator B to process the first indication information according to a load sharing mechanism, for example, the centralized management system includes a plurality of cloud coordinators, and if the load of the cloud coordinator B at the current time is small, the centralized management system may select the cloud coordinator B from the plurality of cloud coordinators to process the first indication information after receiving the first indication information. The load sharing mechanism may be implemented by an Elastic Load Balancing (ELB) server or a Linux Virtual Server (LVS).
After the cloud coordinator B obtains the first indication information, a data channel is created for the network device according to the content indicated by the first indication information, where the data channel is, for example, a Secure Shell (SSH) tunnel. The specific form of the data channel is not limited in the present application.
It should be noted that, in the present application, the adjectives "first", "second", etc., are used only to distinguish different individuals among objects of the same kind, and should not be interpreted as having any other meaning. For example, the "first indication information" and the "second indication information" are two pieces of indication information with different contents, and the adjectives imply no other difference between them.
The cloud coordinator B may perform the steps shown in fig. 3 to allocate network resources required for creating the data channel for the network device, for example, allocate a network address required for creating the data channel for the network device.
S301, inquiring the configuration file, and establishing a resource pool containing the external network address.
S302, inquiring the configuration file, and establishing a resource pool containing the intranet network address.
In the present application, the network address may be an IP address and a port number, but the network address may also include information other than the IP address and the port number, for example, a version number of a transport protocol.
The cloud coordinator B creates an intranet network address resource pool and an extranet network address resource pool according to the configuration file, and may select a network address from the two resource pools when a network address needs to be allocated. For example, "112.80.248.76:64004" may be selected from the extranet network address resource pool as the extranet network address of the SSH tunnel, where "112.80.248.76" represents an IP address and "64004" represents a port number of the IP address. For another example, "192.168.1.9:64450" may be selected from the intranet network address resource pool as the intranet network address of the SSH tunnel, where "192.168.1.9" represents an IP address and "64450" represents a port number of the IP address.
S303, inquiring the state of the SSH server. For example, an SSH server with a smaller load, such as SSH server a shown in fig. 2, may be determined from a plurality of SSH servers according to the load conditions of the SSH servers.
S304, reading the database, and inquiring the used network address to avoid using the used network address when allocating the network address for the SSH tunnel.
S305, writing the database, and writing the network address allocated to the SSH tunnel into the database so as to avoid the network address being allocated to other data channels.
For example, cloud coordinator B may tag the network address used by the SSH tunnel in the database, where the tag indicates that the network address has been used.
S306, binding the association between the intranet network address and the extranet network address.
After the cloud coordinator B allocates the intranet network address and the extranet network address to the data channel, it records the correspondence between the two network addresses. Optionally, as shown in the refreshing step of fig. 2, the cloud coordinator B may also periodically refresh Network Address Translation (NAT) configuration information, so as to reduce the time during which the intranet network address is exposed to the extranet and enhance the security of the intranet.
S307, sending a Netconf message to the network device, where the Netconf message can carry the intranet network address of the SSH tunnel, so that the network device can create the SSH tunnel.
The Netconf message is an optional implementation of the third indication information, which instructs the network device to create an SSH tunnel. S307 is S202 shown in fig. 2.
After determining that the SSH tunnel is to be created by the SSH server A, the cloud coordinator B may send, to the network device, a Netconf message including a network address of a southbound NAT node, where the southbound NAT node is a node associated with the SSH server A. After receiving the Netconf message, the network device sends a connection request to the southbound NAT node according to the network address of the southbound NAT node carried in the Netconf message, where the connection request is used to request creation of an SSH tunnel, that is, the network device executes S203 shown in fig. 2. The Netconf message may also carry a network address of the network device, for example, "172.16.1.2:8443", where "172.16.1.2" is an IP address of the network device and "8443" is a port number of the IP address.
The southbound NAT node may be a module located in the same device as the SSH server A, or a module located in a different device from the SSH server A, and may be implemented by an ELB, an LVS, or iptables.
After receiving the connection request, the southbound NAT node forwards the connection request to the SSH server A, so that the SSH server A creates an SSH tunnel. The southbound NAT node also records the correspondence between the network address of the network device and the network address of the southbound NAT node (e.g., "112.80.248.77:40024") to facilitate subsequent forwarding of information from the SSH tunnel to the network device and forwarding of information sent by the network device to the SSH tunnel.
After receiving the connection request, the SSH server a may directly establish an SSH tunnel based on the connection request, or may establish an SSH tunnel after verifying the security of the network device.
For example, SSH server a may send check information including the port number of the southbound NAT node (40024) to cloud coordinator B, requesting cloud coordinator B to determine whether 40024 is the port number specified by cloud coordinator B; the cloud coordinator B determines that the port number 40024 is designated by the cloud coordinator B, and then the cloud coordinator B sends verification passing information to the SSH server A; and after obtaining the verification passing information, the SSH server A creates an SSH tunnel for the network equipment.
After the SSH tunnel is created by the SSH server a, information indicating that the SSH tunnel creation is completed may be sent to the cloud coordinator B and the network device (i.e., S204 is performed), and then the cloud coordinator B may send first feedback information to the user device, where the first feedback information is used to indicate that the SSH tunnel creation is completed, i.e., the cloud coordinator B performs S205 illustrated in fig. 2.
Optionally, the first feedback information includes an external network address "112.80.248.76:64004" of the SSH tunnel, and after receiving the first feedback information, the user equipment generates request information, sends the request information to the external network address, and requests to open a management page of the network device. When the user equipment receives the response information from the external network address, the management page of the network equipment can be opened.
Subsequently, the user equipment may perform S206, transmitting configuration information to the network device or receiving information from the network device.
When the user equipment needs to close the SSH tunnel, the user equipment may send second indication information to the cloud coordinator B, instructing the cloud coordinator B to close the SSH tunnel. The cloud coordinator B releases the network resources of the SSH tunnel according to the second indication information, for example, by instructing the SSH server A to no longer listen on the port 64450, and/or instructing the northbound NAT node and the southbound NAT node to delete the network addresses related to the SSH tunnel. After the network resources of the SSH tunnel are released, the cloud coordinator B sends second feedback information to the user equipment to indicate that the SSH tunnel is closed.
As an optional example, after the cloud coordinator B allocates the network resource to the SSH tunnel, the state of the SSH server a may be scanned, that is, the monitoring step shown in fig. 2 is executed, so that the network resource is released in time when the state of the SSH server a is in an abnormal state, and the utilization rate of the network resource is improved.
The cloud coordinator B may perform the monitoring step according to the method shown in fig. 4.
S401, when the monitoring timer is triggered, the cloud coordinator B inquires the configuration file and acquires an IP list of the SSH server in the centralized management system.
S402, inquiring the state of the SSH server A through the IP list.
S403, determining whether the state of the SSH server A is abnormal or normal.
If the state of the SSH server A is a normal state, the network resources of the SSH tunnel are not released, and the procedure ends.
If the status of SSH server a is abnormal, S404 is executed.
S404, sending an instruction for closing the SSH tunnel to the network equipment.
S405, sends an instruction to close the SSH tunnel to the SSH server a. This step is an optional step and may be performed simultaneously with S404.
S406, the NAT configuration information is refreshed, and the corresponding relation between the intranet network address and the extranet network address is released.
S407, releasing the network resource. For example, the used states of the intranet network address and the extranet network address in the database are set to be unused states.
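The monitoring sweep S401-S407 can be modelled as below. This is an added example, not code from the application: the class and field names, the device identifiers, the `probe` callback and the second tunnel's addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Tunnel:
    device_id: str        # hypothetical identifier of the network device
    ssh_server_ip: str    # intranet IP of the SSH server carrying the tunnel
    external_addr: str    # extranet address on the northbound NAT node
    internal_addr: str    # intranet address (SSH server IP and listening port)


@dataclass
class Coordinator:
    ssh_server_ips: List[str]                                  # IP list from the configuration file
    tunnels: Dict[str, Tunnel] = field(default_factory=dict)
    nat_map: Dict[str, str] = field(default_factory=dict)      # extranet -> intranet
    addr_state: Dict[str, str] = field(default_factory=dict)   # "used" / "unused"
    sent: List[Tuple[str, str, str]] = field(default_factory=list)

    def allocate(self, t: Tunnel) -> None:
        """Reserve both addresses and publish the NAT correspondence."""
        for addr in (t.external_addr, t.internal_addr):
            if self.addr_state.get(addr) == "used":
                raise ValueError(f"{addr} is already allocated")
        self.tunnels[t.device_id] = t
        self.nat_map[t.external_addr] = t.internal_addr
        self.addr_state[t.external_addr] = "used"
        self.addr_state[t.internal_addr] = "used"

    def release(self, device_id: str) -> bool:
        """Run S404-S407 for one tunnel; a second call is a no-op."""
        t = self.tunnels.pop(device_id, None)
        if t is None:
            return False
        self.sent.append(("close_tunnel", "device", device_id))            # S404
        self.sent.append(("close_tunnel", "ssh_server", t.ssh_server_ip))  # S405
        self.nat_map.pop(t.external_addr, None)                            # S406
        self.addr_state[t.external_addr] = "unused"                        # S407
        self.addr_state[t.internal_addr] = "unused"
        return True

    def monitor_tick(self, probe: Callable[[str], bool]) -> List[str]:
        """One timer firing: S401 read the IP list, S402 query, S403 decide."""
        released = []
        for ip in self.ssh_server_ips:
            if probe(ip):            # normal state: keep the tunnel resources
                continue
            affected = [d for d, t in self.tunnels.items() if t.ssh_server_ip == ip]
            for device_id in affected:
                if self.release(device_id):
                    released.append(device_id)
        return released


def demo():
    # Constructed data: the first tunnel uses the addresses of the running
    # example; the second tunnel and both device ids are made up.
    c = Coordinator(ssh_server_ips=["192.168.1.9", "192.168.1.10"])
    c.allocate(Tunnel("dev-1", "192.168.1.9",
                      "112.80.248.76:64004", "192.168.1.9:64450"))
    c.allocate(Tunnel("dev-2", "192.168.1.10",
                      "112.80.248.76:64005", "192.168.1.10:64451"))
    # The probe reports SSH server 192.168.1.9 as abnormal.
    released = c.monitor_tick(lambda ip: ip != "192.168.1.9")
    return c, released


if __name__ == "__main__":
    coordinator, released = demo()
    print("released:", released)
    print("remaining NAT map:", coordinator.nat_map)
```

Only the tunnel carried by the abnormal SSH server loses its NAT correspondence; the other external port stays mapped until its own server fails or the user closes it.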
Based on the method for managing intranet network devices described above, the timing relationship of each step of the technical solution provided by the present application is described below by taking fig. 5 as an example.
As shown in fig. 5, after opening a User Interface (UI) of the centralized management system in a browser of a personal computer, an operation and maintenance worker selects a network device to be configured, clicks a button for opening a network management UI of the network device, and the user device obtains operation information of the clicked button and executes S501.
S501, sending first indication information to the cloud coordinator, wherein the first indication information carries an identifier of the network device selected by the operation and maintenance personnel and is used for indicating that a data channel is created for the network device and the user device.
S502, the cloud coordinator allocates a network resource to the network device according to the first indication information, for example, allocates a port with a port number 8443 to the network device.
S503, the cloud coordinator sends update configuration information to the northbound NAT node according to the network resources allocated to the network device, for example, the update configuration information is used for adding a corresponding relation between an external network address "112.80.248.76:64004" and an internal network address "192.168.1.9:64450" in the northbound NAT node.
S504, the cloud coordinator sends a Netconf message to the network device. The message instructs the network device to create an SSH tunnel and carries the port number 8443, the network address "112.80.248.77:40024" of the southbound NAT node, and the listening port number 64450, where the port number 8443 is the port number that the network device uses when it sends the connection request and communicates through the SSH tunnel, the network address of the southbound NAT node is the destination address of the connection request sent by the network device, and the listening port number 64450 is the port number used by the designated SSH server.
S505, the network equipment sends a connection request to the southbound NAT node to request to establish an SSH tunnel. The connection request carries the network address "172.16.1.2:8443" of the network device and the listening port number 64450.
S506, after receiving the connection request, the southbound NAT node records the corresponding relation between "172.16.1.2:8443" and "40024", so that after the SSH tunnel is established, the data received by the 40024 port is forwarded to "172.16.1.2:8443", and the data received from "172.16.1.2:8443" is forwarded to the SSH server through the 40024 port.
S507, the southbound NAT node sends a connection request to the SSH server, wherein the connection request comprises the network address "112.80.248.77:40024" of the southbound NAT node and the listening port number 64450.
S508, after receiving the connection request sent by the southbound NAT node, the SSH server records the corresponding relation between "112.80.248.77:40024" and "64450", so that after the SSH tunnel is established, the data received by the 64450 port is sent to "112.80.248.77:40024", and the data received from "112.80.248.77:40024" is forwarded to the northbound NAT node through the 64450 port.
After the SSH tunnel is established, the SSH server may send an SSH tunnel establishment completion message to each relevant device (e.g., the cloud coordinator).
S509, after determining that the SSH tunnel is established, the cloud coordinator sends first feedback information to the centralized management system UI (i.e., the user equipment), where the first feedback information indicates that the SSH tunnel is established, and the first feedback information further includes an external network address "112.80.248.76:64004" of the SSH tunnel, where the external network address may be considered as a network address of the northbound NAT node.
S510, the centralized management system UI creates a new window, namely the network management UI of the network equipment, according to the first feedback information.
S511, the network management UI (i.e. the user equipment) of the network device sends data to the NAT node, where the destination address of the data is "112.80.248.76:64004".
S512, after receiving the data through the 64004 port, the northbound NAT node forwards the data to 192.168.1.9:64450 according to the corresponding relation configured in S503.
S513, after the SSH server receives the data through the 64450 port, the SSH server forwards the data to 112.80.248.77:40024 according to the corresponding relation recorded in S508.
S514, after receiving the data through the 40024 port, the southbound NAT node forwards the data to 172.16.1.2:8443 according to the corresponding relation recorded in S506.
The way of forwarding the data sent by the network device to the user equipment by the southbound NAT node, the SSH server and the northbound NAT node is similar to the flow shown in S512-S514.
S515, after completing the maintenance work of the network device, the operation and maintenance personnel click a button for closing the network management UI of the network device. After obtaining the operation information of the clicked button, the UI of the centralized management system sends second indication information for closing the SSH tunnel to the cloud coordinator, wherein the second indication information carries the identifier of the network device.
S516, after receiving the second indication information, the cloud coordinator sends a Netconf message to the network equipment, wherein the message instructs the network equipment to close the SSH tunnel.
S517, the cloud coordinator releases the network resource of the SSH tunnel, for example, the used states of the external network address and the internal network address of the SSH tunnel in the database are set to be unused states.
S518, sending the information of deleting the configuration to the northbound NAT node, instructing the northbound NAT node to delete the corresponding relation configured in S503.
S519, sending information for destroying the SSH tunnel to the SSH server, instructing the SSH server to destroy the SSH tunnel.
S520, sending second feedback information to the UI, wherein the second feedback information indicates that the SSH tunnel of the network equipment is closed.
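The three corresponding relations recorded in S503, S506 and S508 together decide which intranet endpoint an external port reaches. The following added example (not part of the application; the function names and the table layout are assumptions) resolves an external address hop by hop as in S512-S514 and reports any external mapping whose chain is broken, for instance when one of the teardown steps S518 or S519 was not applied.

```python
# Corresponding relations from the running example.
NORTHBOUND_NAT = {"112.80.248.76:64004": "192.168.1.9:64450"}  # S503: extranet -> SSH server
SSH_SERVER = {64450: "112.80.248.77:40024"}                    # S508: listening port -> southbound NAT
SOUTHBOUND_NAT = {40024: "172.16.1.2:8443"}                    # S506: NAT port -> network device


def port_of(addr):
    """Return the port part of an 'ip:port' string as an integer."""
    return int(addr.rsplit(":", 1)[1])


def resolve(external_addr, north, ssh, south):
    """Follow S512-S514 and return (hops, broken_at).

    hops lists every address the data passes through; broken_at names the
    node whose table lacks the entry, or is None when the chain is complete.
    """
    hops = [external_addr]
    ssh_listen = north.get(external_addr)           # S512
    if ssh_listen is None:
        return hops, "northbound NAT"
    hops.append(ssh_listen)
    south_addr = ssh.get(port_of(ssh_listen))       # S513
    if south_addr is None:
        return hops, "SSH server"
    hops.append(south_addr)
    device_addr = south.get(port_of(south_addr))    # S514
    if device_addr is None:
        return hops, "southbound NAT"
    hops.append(device_addr)
    return hops, None


def audit(north, ssh, south):
    """Map every published external address to the device it reaches,
    or to a note naming the node where the chain stops."""
    report = {}
    for external_addr in north:
        hops, broken_at = resolve(external_addr, north, ssh, south)
        report[external_addr] = hops[-1] if broken_at is None else f"dangling at {broken_at}"
    return report


if __name__ == "__main__":
    hops, _ = resolve("112.80.248.76:64004", NORTHBOUND_NAT, SSH_SERVER, SOUTHBOUND_NAT)
    print(" -> ".join(hops))
    # Constructed failure case: the SSH server entry is gone but the
    # northbound NAT entry from S503 was never deleted.
    print(audit(NORTHBOUND_NAT, {}, SOUTHBOUND_NAT))
```

A "dangling" result marks an external port that is still published on the northbound NAT node although the tunnel behind it no longer exists.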
The above provides an example of a method for managing an intranet network device. It is understood that, in order to implement the above functions, the apparatus for managing the intranet network device includes a hardware structure and/or a software module corresponding to each function. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The present application may divide the functional units of the apparatus for managing the intranet network device according to the above method example, for example, each function may be divided into each functional unit, or two or more functions may be integrated into one processing unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. It should be noted that the division of the units in the present application is schematic, and is only one division of logic functions, and there may be another division manner in actual implementation.
Fig. 6 shows a schematic structure of a possible apparatus for managing an intranet network device provided by the present application, in the case of using an integrated unit. The apparatus 600 comprises: a processing unit 601, a receiving unit 602 and a transmitting unit 603. The processing unit 601 is configured to control the apparatus 600 to perform the steps of the method for managing intranet network devices shown in fig. 5. The processing unit 601 may also be used to perform other processes for the techniques described herein. The apparatus 600 may also include a storage unit for storing program codes and data of the apparatus 600.
For example, the processing unit 601 is configured to control the sending unit 603 to perform:
sending first indication information carrying the identifier of the network equipment to the cloud coordinator, wherein the first indication information is used for indicating the cloud coordinator to create a data channel for the network equipment and the user equipment, the user equipment is located in an outer network, and the network equipment is located in an inner network.
The processing unit 601 is configured to control the receiving unit 602 to perform:
receiving first feedback information from the cloud coordinator, wherein the first feedback information is used for indicating that the data channel is completely established.
The processing unit 601 is further configured to control the transmitting unit 603 and the receiving unit 602 to perform:
exchanging information with the network equipment through the data channel.
The processing unit 601 may be a processor or a controller, such as a Central Processing Unit (CPU), a general purpose processor, a Digital Signal Processor (DSP), an application-specific integrated circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors, among others. The transmitting unit 602 and the receiving unit 603 are transceivers, for example, and the storage unit may be a memory.
When the processing unit 601 is a processor, the transmitting unit 602 and the receiving unit 603 are transceivers, and the storage unit is a memory, the apparatus for managing an intranet network device according to the present application may be the apparatus shown in fig. 7.
Referring to fig. 7, the apparatus 700 includes: a processor 701, a transceiver 702, and a memory 703 (optional). The processor 701, the transceiver 702, and the memory 703 may communicate with each other via internal connection paths, passing control and/or data signals.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The device 600 and the device 700 for managing intranet network equipment provided by the application instruct the cloud coordinator to establish a data channel for the intranet network equipment, so that the intranet network equipment and user equipment located in an extranet communicate through the data channel, a corresponding network transmission protocol interface does not need to be developed for each service of the intranet network equipment, and the workload of managing the intranet network equipment is reduced.
In the case of an integrated unit, fig. 8 shows a schematic structure of a possible apparatus for managing an intranet network device provided by the present application. The apparatus 800 comprises: a processing unit 801, a receiving unit 802 and a transmitting unit 803. The processing unit 801 is configured to control the apparatus 800 to perform the steps of the method for managing an intranet network device shown in fig. 5. The processing unit 801 may also be used to perform other processes for the techniques described herein. The apparatus 800 may also include a storage unit for storing program codes and data of the apparatus 800.
For example, the processing unit 801 is configured to control the receiving unit 802 to perform:
receiving first indication information carrying the identifier of the network equipment from the user equipment, wherein the first indication information is used for indicating the cloud coordinator to create a data channel for the network equipment and the user equipment, the user equipment is located in an outer network, and the network equipment is located in an inner network.
The processing unit 801 is configured to perform:
creating a data channel for the network equipment according to the first indication information.
The processing unit 801 is configured to control the sending unit 803 to perform:
sending first feedback information to the user equipment, wherein the first feedback information is used for indicating that the data channel is completely established.
The processing unit 801 may be a processor or controller, for example, a CPU, general purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors, among others. The transmitting unit 802 and the receiving unit 803 are transceivers, for example, and the storage unit may be a memory.
When the processing unit 801 is a processor, the transmitting unit 802 and the receiving unit 803 are communication interfaces, and the storage unit is a memory, the apparatus for managing an intranet network device according to the present application may be the apparatus shown in fig. 9.
Referring to fig. 9, the apparatus 900 includes: a processor 901, a communication interface 902, and a memory 903 (optional). The processor 901, the transceiver 902 and the memory 903 may communicate with each other via internal connection paths to transfer control and/or data signals.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The device 800 and the device 900 for managing intranet network equipment provided by the application create a data channel for the intranet network equipment according to the indication of the user equipment, so that the intranet network equipment and the user equipment located in an extranet communicate through the data channel, a corresponding network transmission protocol interface does not need to be developed for each service of the intranet network equipment, and the workload of managing the intranet network equipment is reduced.
Fig. 10 shows a schematic structure of a possible apparatus for managing an intranet network device provided by the present application, in the case of using an integrated unit. The apparatus 1000 comprises: a processing unit 1001, a receiving unit 1002, and a transmitting unit 1003. The processing unit 1001 is configured to control the apparatus 1000 to execute the steps of the method for managing an intranet network device shown in fig. 5. The processing unit 1001 may also be used to perform other processes for the techniques described herein. The apparatus 1000 may also include a storage unit for storing program codes and data of the apparatus 1000.
For example, the processing unit 1001 is configured to control the receiving unit 1002 to perform:
receiving third indication information from the cloud coordinator, wherein the third indication information is used for indicating network equipment to create a data channel, and the network equipment is located in an intranet.
The processing unit 1001 is configured to control the transmitting unit 1003 to perform:
sending a connection request to the server according to the third indication information, wherein the connection request is used for requesting to create a data channel.
The processing unit 1001 is further configured to control the receiving unit 1002 to perform:
receiving response information from the server, wherein the response information is used for indicating that the data channel is completely created.
The processing unit 1001 is further configured to control the receiving unit 1002 and the transmitting unit 1003 to perform:
exchanging information with the user equipment through the data channel, wherein the user equipment is positioned in the external network.
The processing unit 1001 may be a processor or controller, for example, a CPU, general purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors, among others. The transmitting unit 1002 and the receiving unit 1003 are transceivers, for example, and the storage unit may be a memory.
When the processing unit 1001 is a processor, the transmitting unit 1002 and the receiving unit 1003 are communication interfaces, and the storage unit is a memory, the apparatus for managing an intranet network device according to the present application may be the apparatus shown in fig. 11.
Referring to fig. 11, the apparatus 1100 includes: a processor 1101, a communication interface 1102, and a memory 1103 (optional). The processor 1101, the transceiver 1102 and the memory 1103 may communicate with each other via internal connection paths, passing control and/or data signals.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The device 1000 and the device 1100 for managing intranet network equipment provided by the application request the server to create the data channel according to the indication of the cloud coordinator, so that the intranet network equipment and the user equipment located in an extranet communicate through the data channel, a corresponding network transmission protocol interface does not need to be developed for each service of the intranet network equipment, and the workload of managing the intranet network equipment is reduced.
Fig. 12 shows a schematic structure of a possible apparatus for managing an intranet network device provided by the present application, in the case of using an integrated unit. The apparatus 1200 includes: a processing unit 1201, a receiving unit 1202, and a transmitting unit 1203. The processing unit 1201 is configured to control the apparatus 1200 to perform the steps of the method for managing an intranet network device shown in fig. 5. The processing unit 1201 may also be used to perform other processes for the techniques described herein. The apparatus 1200 may also include a storage unit for storing program codes and data of the apparatus 1200.
For example, the processing unit 1201 is configured to control the receiving unit 1202 to perform:
receiving a connection request from the network equipment, wherein the connection request is used for requesting to create a data channel, and the data channel is used for information interaction between the user equipment and the network equipment, wherein the user equipment is positioned in an extranet, and the network equipment is positioned in an intranet.
The processing unit 1201 is configured to perform:
creating the data channel according to the connection request.
The processing unit 1201 is configured to control the transmitting unit 1203 to perform:
sending response information to the network equipment, wherein the response information is used for indicating that the data channel is completely created.
The processing unit 1201 may be a processor or controller, for example, a CPU, general purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors, among others. The transmitting unit 1202 and the receiving unit 1203 are, for example, transceivers, and the storage unit may be a memory.
When the processing unit 1201 is a processor, the transmitting unit 1202 and the receiving unit 1203 are communication interfaces, and the storage unit is a memory, the apparatus for managing the intranet network equipment according to the present application may be the apparatus shown in fig. 13.
Referring to fig. 13, the apparatus 1300 includes: a processor 1301, a communication interface 1302, and a memory 1303 (optional). The processor 1301, the transceiver 1302 and the memory 1303 may communicate with each other via internal connection paths to transfer control and/or data signals.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The device 1200 and the device 1300 for managing intranet network equipment provided by the application create a data channel according to the indication of the intranet network equipment, so that the intranet network equipment and the user equipment located in an extranet communicate through the data channel, a corresponding network transmission protocol interface does not need to be developed for each service of the intranet network equipment, and the workload of managing the intranet network equipment is reduced.
The apparatus embodiments and the method embodiments fully correspond. For example, the transmitting unit performs the transmitting step in the method embodiments, the receiving unit performs the receiving step in the method embodiments, and steps other than the transmitting step and the receiving step may be performed by the processing unit or the processor. For the functions of the specific units, reference may be made to the corresponding method embodiments, and they are not described in detail again.
In the embodiments of the present application, the sequence numbers of the processes do not mean the execution sequence, and the execution sequence of the processes should be determined by the functions and the inherent logic of the processes, and should not limit the implementation processes of the present application.
In addition, the term "and/or" herein describes only an association relationship between associated objects and means that three relationships may exist. For example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may be comprised of corresponding software modules that may be stored in Random Access Memory (RAM), flash memory, Read Only Memory (ROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), registers, a hard disk, a removable disk, a compact disc read only memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in accordance with the present application are generated, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in or transmitted over a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)), or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., a Digital Versatile Disk (DVD)), or a semiconductor medium (e.g., a Solid State Disk (SSD)), etc.
The above-mentioned embodiments further describe in detail the objects, technical solutions and advantages of the present application. It should be understood that the above-mentioned embodiments are only examples of the present application and are not intended to limit the scope of the present application, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present application should be included in the scope of the present application.