CN119316378B - Method and system for mobile terminal accessing SD-WAN network - Google Patents


Publication number
CN119316378B
Authority
CN
China
Prior art keywords
mobile terminal
tunnel
access
wan
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411832928.6A
Other languages
Chinese (zh)
Other versions
CN119316378A (en
Inventor
华贵斌
马玉明
冯校云
陈云鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Light Network Technology Co ltd
Original Assignee
Beijing Light Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Light Network Technology Co ltd
Priority to CN202411832928.6A
Publication of CN119316378A
Application granted
Publication of CN119316378B
Active
Anticipated expiration

Abstract

Translated from Chinese

This specification relates to the field of communication technology, and in particular to a method and system for a mobile terminal to access an SD-WAN network. The method includes: an SD-WAN controller receives a connection request from a mobile terminal; the SD-WAN controller generates connection information according to the connection request, and sends the connection information to an access PoP node to perform tunnel routing configuration; the SD-WAN controller sends tunnel access information to the mobile terminal, so that the mobile terminal accesses the access PoP node according to the tunnel access information; after the access PoP node performs tunnel routing configuration, an SD-WAN tunnel connection is established between the mobile terminal and the target CPE. End-to-end control from the mobile terminal to the target CPE in the SD-WAN tunnel link can be achieved, making communication more stable and secure.

Description

Method and system for mobile terminal to access SD-WAN (software-defined wide area network)
Technical Field
The present disclosure relates to the field of communications technologies, and in particular to a method and a system for a mobile terminal to access an SD-WAN network.
Background
Conventional wide area networks (WANs) typically rely on dedicated hardware devices and fixed circuits (e.g., MPLS), which suffer from complex configuration, poor scalability, and high cost. In particular, as enterprises move to cloud computing and mobile offices, the limitations of traditional WANs become more apparent, including difficulty in coping with dynamic traffic patterns, lack of support for real-time applications, and long deployment periods. Furthermore, conventional WANs often require different devices to be configured site by site, which increases management complexity and operational costs.
SD-WAN (software-defined wide area network) was developed to address these issues. It uses software-defined networking (SDN) technology to achieve more flexible and efficient network management by abstracting the underlying network hardware. SD-WAN provides a centralized control platform, so that an administrator can remotely manage network policies and traffic paths in software, which simplifies network configuration and operation and maintenance. Compared with a traditional WAN, SD-WAN can dynamically select the optimal network path, which improves the reliability and resource utilization of the network. In addition, SD-WAN supports various transport modes (such as Internet, private line and LTE), so that enterprises can improve application performance and agility while reducing cost. These advantages have prompted more and more enterprises to move from traditional network architectures to SD-WAN to support their digital transformation and cloud application requirements.
How to connect a mobile terminal to an SD-WAN network more stably and securely is a problem to be solved.
Disclosure of Invention
In order to solve the problems in the prior art, the embodiments of this specification provide a method and a system for a mobile terminal to access an SD-WAN network, which address the problem of connecting the mobile terminal to the SD-WAN network more stably and securely.
The embodiments of this specification provide a method for a mobile terminal to access an SD-WAN network, comprising the following steps:
the SD-WAN controller receives a connection request of the mobile terminal;
the SD-WAN controller generates connection information according to the connection request and sends the connection information to an access PoP node to perform tunnel route configuration;
the SD-WAN controller sends tunnel access information to the mobile terminal so that the mobile terminal accesses the access PoP node according to the tunnel access information;
after the access PoP node performs tunnel route configuration, an SD-WAN tunnel connection is established between the mobile terminal and the target CPE.
As a further aspect of the present specification, the connection request includes at least information of the mobile terminal and user information.
As a further aspect of the present specification, the connection information includes at least information of the mobile terminal and target CPE information.
As still further aspects of the present specification, the connection information further includes policy information and tunnel configuration information.
As another further aspect of the present specification, the step in which the SD-WAN controller generates connection information according to the connection request and sends the connection information to an access PoP node to perform tunnel routing configuration further includes:
the SD-WAN controller determines the access PoP node and sends the connection information to the access PoP node.
As another further aspect of the present specification, the tunnel access information includes at least information of the mobile terminal, information of an access PoP node, and tunnel information.
As another further aspect of the present disclosure, the tunnel access information further includes link monitoring configuration information, and the mobile terminal configures itself according to the link monitoring configuration information, so that the mobile terminal generates link monitoring messages for the SD-WAN tunnel between the mobile terminal and the target CPE.
As another further aspect of the present specification, after the access PoP node performs tunnel routing configuration and the SD-WAN tunnel connection is established between the mobile terminal and the target CPE, the method further includes:
the SD-WAN controller receives link quality data that is generated from the link monitoring messages and sent by the mobile terminal;
the SD-WAN controller switches the SD-WAN tunnel connection path according to the link quality data.
As another further aspect of the present specification, the SD-WAN controller receiving, from the mobile terminal, link monitoring messages for the SD-WAN tunnel between the mobile terminal and the target CPE further comprises:
the mobile terminal sends a keep-alive message to the target CPE;
the target CPE feeds back a response message to the mobile terminal;
the mobile terminal generates link quality data of the SD-WAN tunnel between the mobile terminal and the target CPE according to the response message;
and the link quality data is sent to the SD-WAN controller.
As another further aspect of the present specification, the SD-WAN controller switching the SD-WAN tunnel connection path according to the link quality data further includes:
when the SD-WAN controller determines, by analyzing the link quality data, that the quality of the SD-WAN tunnel link between the mobile terminal and the access PoP node does not meet the link quality requirement, switching the mobile terminal to a new access PoP node.
As another further aspect of the present specification,
the SD-WAN controller switching the SD-WAN tunnel connection path according to the link quality data further includes:
when the SD-WAN controller determines, by analyzing the link quality data, that the SD-WAN tunnel between the mobile terminal and the target CPE as a whole does not meet the link quality requirement, generating connection information comprising new tunnel configuration information, and switching the SD-WAN tunnel connection path between the mobile terminal and the target CPE.
As another further aspect of the present specification, the step in which the SD-WAN controller generates connection information according to the connection request and sends the connection information to an access PoP node to perform tunnel routing configuration further includes:
the access PoP node creates, according to the connection information, virtual machines in one-to-one correspondence with the connection requests;
and the virtual machine performs the corresponding policy control on the messages of the mobile terminal.
As another further aspect of the present disclosure, performing the corresponding policy control on the messages of the mobile terminal with the virtual machine further includes:
the message enters the virtual machine through an uplink channel, wherein the uplink channel comprises a first virtual network port and a second virtual network port, and the message enters the first virtual network port of the corresponding virtual machine through a physical network port of the access PoP node;
the message, after being processed by a user-space process of the virtual machine according to the corresponding policy information, is output through a downlink channel, wherein the downlink channel comprises a third virtual network port and a fourth virtual network port; the TUN device converts the processed user-space message into a kernel-space message, the third virtual network port obtains the kernel-space message, and the fourth virtual network port sends the kernel-space message to the physical network port of the access PoP node.
As another further aspect of the present specification, the uplink channel further includes:
the message passing through the physical network port of the access PoP node enters the first virtual network port after layer-2 forwarding through a first network bridge;
the downlink channel further includes:
the message passing through the fourth virtual network port enters the physical network port of the access PoP node after layer-2 forwarding through a second network bridge.
As another further aspect of the present specification, the uplink channel and the downlink channel belong to different network segments.
As another further aspect of the present specification, the step in which the SD-WAN controller sends tunnel access information to the mobile terminal, so that the mobile terminal accesses the access PoP node according to the tunnel access information, further comprises:
the SD-WAN controller sends a primary access control list to the mobile terminal, so that the mobile terminal sends only the messages related to the target CPE to the access PoP node according to the primary access control list.
The embodiments of the present specification also provide an SD-WAN network system, comprising:
an SD-WAN controller, a mobile terminal, an access PoP node and a target CPE.
The SD-WAN controller receives a connection request of the mobile terminal, generates connection information according to the connection request, and sends the connection information to an access PoP node; the access PoP node performs tunnel route configuration according to the connection information; the SD-WAN controller sends tunnel access information to the mobile terminal, and the mobile terminal accesses the access PoP node according to the tunnel access information; after the access PoP node performs tunnel route configuration, an SD-WAN tunnel connection is established between the mobile terminal and the target CPE.
The embodiments of the present specification also provide a computer device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the above method when executing the computer program.
The present description also provides a computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the above-described method.
The present description embodiment also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described method.
With the embodiments of this specification, the mobile terminal is brought under the management of the SD-WAN controller, the mobile terminal performs the access function of the original access PoP node, and the access PoP node only performs policy control on the messages, so that end-to-end control from the mobile terminal to the target CPE in the SD-WAN tunnel link can be realized, and communication is more stable and more secure.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present description, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for a mobile terminal to access an SD-WAN according to an embodiment of the present disclosure;
Fig. 2 is a system configuration diagram of a mobile terminal accessing an SD-WAN network according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of a mobile terminal sending a message according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of a virtual machine constructed by the access PoP node according to an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of the virtual machine of the access PoP node receiving and sending a message according to an embodiment of the present disclosure;
Fig. 6 is a flowchart of link switching according to an embodiment of the present disclosure;
Fig. 7 shows a computer device according to an embodiment of the present disclosure.
[Reference numerals description]
702. computer device;
704. processor;
706. memory;
708. driving mechanism;
710. input/output module;
712. input device;
714. output device;
716. presentation device;
718. graphical user interface;
720. network interface;
722. communication link;
724. communication bus.
Detailed Description
The technical solutions of the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is apparent that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
The following presents a simplified summary of some concepts related to the embodiments of the disclosure and is not intended to limit such concepts:
SD-WAN: software-defined wide area network, in which a central controller controls networking across the wide area network;
CPE: hardware equipment and software applications deployed at the user site to connect the user's local network to the SD-WAN network;
PoP: a network node of the SD-WAN service provider, typically operated and maintained by the service provider at a dedicated data center or network aggregation point;
Docker: a container, a virtualization approach provided by the operating system, in which the operating system provides an independent running environment for the container so that application programs running in that environment are isolated from each other.
With the rise of mobile office work, enterprise network requirements have changed significantly: a mobile terminal can no longer be guaranteed to sit behind a CPE, which has had a series of effects on the evolution of SD-WAN networks. If an ordinary VPN client is used on the mobile terminal to establish a tunnel to an access PoP node, messages are forwarded to other CPEs/PoPs through the access PoP node, and link quality monitoring, networking policies, security policies and the like are carried out on the access PoP node; the mobile terminal is connected to the access PoP node but is not managed by the SD-WAN controller, so network security, transmission quality and the like cannot be guaranteed during the user's communication. If instead software that replaces the CPE/PoP is installed and run on the mobile terminal, and the SD-WAN networking, flow control and security policies are issued to the mobile terminal, then, owing to the limitations of the mobile terminal's operating system, the software cannot obtain the corresponding permissions and resources on the operating system, so the mobile terminal cannot perform the functions of the CPE/PoP; moreover, because the data processing capability of the mobile terminal is limited, or is affected by energy consumption and the like, the user experience of the mobile terminal is degraded.
The embodiments of the present disclosure provide a method for a mobile terminal to access an SD-WAN network; Fig. 1 is a flowchart of this method. The method splits the functions of the access PoP node: one part of the functions is placed in the mobile terminal and the other part in the access PoP node, and the two parts combined allow the mobile terminal to access the SD-WAN. This solves the problem that the mobile terminal is not under management control after it accesses the SD-WAN, and improves the stability and security of the mobile terminal's communication through the SD-WAN. The method specifically includes:
Step 101: the SD-WAN controller receives a connection request of the mobile terminal;
Step 102: the SD-WAN controller generates connection information according to the connection request, and sends the connection information to an access PoP node to perform tunnel route configuration;
Step 103: the SD-WAN controller sends tunnel access information to the mobile terminal, so that the mobile terminal accesses the access PoP node according to the tunnel access information;
Step 104: after the access PoP node performs tunnel route configuration, an SD-WAN tunnel connection is established between the mobile terminal and the target CPE.
With the method of this embodiment, the SD-WAN controller can control both the mobile terminal's connection to the access PoP node and the subsequent SD-WAN tunnel, and can more comprehensively manage and control the reliability and flexibility of the end-to-end link in the SD-WAN network.
In this embodiment of the present disclosure, the connection request includes at least information of the mobile terminal and user information.
In this embodiment, the information of the mobile terminal includes at least an IP address, and the user information includes at least information for authentication such as a user name and a password.
In this embodiment of the present disclosure, the connection information includes at least information of the mobile terminal and target CPE information.
In this embodiment, the target CPE information includes at least an ID (unique identifier) or an IP address of the target CPE. The connection information may further include policy information, where the policy information includes, for example, a security policy, a service policy, a link quality policy, a networking policy, a flow control policy, etc., and is used to control network services after the access PoP node and other corresponding PoP nodes establish an SD-WAN tunnel connection between the current mobile terminal and the target CPE. The SD-WAN controller may further send the policy information to PoP nodes included in the connection information, so that all relevant PoP nodes in the SD-WAN tunnel link formed according to the connection information may process and control a packet transmitted between the mobile terminal and the target CPE according to the policy information.
The connection information may further include tunnel configuration information generated by the SD-WAN controller, according to which the access PoP node performs tunnel routing configuration, that is, configures the traffic path in the SD-WAN tunnel. If multiple PoP nodes are required to forward or relay packets between the mobile terminal and the target CPE, the access PoP node may configure each of those PoP nodes in the SD-WAN network according to the tunnel configuration information. Traffic in the embodiments of this specification refers to the flow formed by a large number of messages.
In another embodiment, the tunnel configuration information may instead be generated by the access PoP node according to the connection information, for example by selecting, based on the information of the mobile terminal and the target CPE information, PoP nodes in the SD-WAN network that are relatively stable, idle, or closest to the mobile terminal, thereby forming an SD-WAN tunnel from the mobile terminal to the target CPE.
In the embodiments of the present specification, the step in which the SD-WAN controller generates connection information according to the connection request and sends the connection information to an access PoP node to perform tunnel routing configuration further includes:
the SD-WAN controller determines the access PoP node and sends the connection information to the access PoP node.
In this embodiment, there may be multiple access PoP nodes, from which the SD-WAN controller selects one. For example, it may select the PoP node closest to the mobile terminal according to the distance between the mobile terminal and each PoP node, or it may select a PoP node by jointly considering the workload of the PoP nodes, the distance, and other conditions. The selected access PoP node may establish an SD-WAN tunnel between the mobile terminal and the target CPE according to the information of the mobile terminal, so that the mobile terminal and the target CPE can communicate end to end stably and securely.
In this embodiment of the present disclosure, the tunnel access information includes at least information of the mobile terminal, information of an access PoP node, and tunnel information.
In this embodiment, the tunnel access information may be generated by the SD-WAN controller or may be generated by an access PoP node, where the tunnel access information includes information for enabling the mobile terminal to establish a tunnel connection with the access PoP node, for example, an IP address of the mobile terminal, an IP address of the access PoP node, a tunnel protocol used, and the like.
The tunnel access information may further include link monitoring configuration information, and the mobile terminal configures itself according to the link monitoring configuration information, so that the mobile terminal may generate link monitoring messages for the SD-WAN tunnel between the mobile terminal and the target CPE, where the link monitoring messages also include the response messages fed back by the target CPE.
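The controller side of steps 101 to 103, sketched as an added example (this is not code from the patent): it authenticates the user, picks an access PoP by workload and distance, and builds the connection information and tunnel access information with the fields listed above, plus the primary access control list. The `target_cpe` and `location` request fields, the PoP/CPE/user inventory, the policy contents and the `EXAMPLE-TUNNEL` protocol name are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PoP:
    pop_id: str
    ip: str
    lat: float
    lon: float
    load: float  # 0.0 = idle, 1.0 = saturated


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed inventory: every name, address and credential here is an assumption.
POPS = [
    PoP("pop-a", "198.51.100.10", 39.90, 116.40, 0.95),
    PoP("pop-b", "198.51.100.20", 31.23, 121.47, 0.30),
    PoP("pop-c", "198.51.100.30", 23.13, 113.26, 0.20),
]
CPES = {"cpe-42": {"ip": "203.0.113.7", "lan": "10.20.0.0/16"}}
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}


def authenticate(name: str, password: str) -> bool:
    # Unknown users are hashed too, so response time does not reveal valid names.
    salt, stored = USERS.get(name, (_SALT, bytes(32)))
    return hmac.compare_digest(hash_password(password, salt), stored)


def distance_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def select_access_pop(location, max_load: float = 0.9) -> PoP:
    """Skip overloaded PoPs, then take the one nearest to the terminal."""
    candidates = [p for p in POPS if p.load <= max_load]
    if not candidates:
        raise RuntimeError("no access PoP has spare capacity")
    return min(candidates, key=lambda p: distance_km(*location, p.lat, p.lon))


def handle_connection_request(request: dict):
    """Steps 101-103: return (connection_info, tunnel_access_info)."""
    user, terminal = request["user"], request["terminal"]
    if not authenticate(user["name"], user["password"]):
        raise PermissionError("authentication failed")
    cpe_id = request["target_cpe"]
    cpe = CPES.get(cpe_id)
    if cpe is None:
        raise LookupError(f"unknown target CPE {cpe_id!r}")
    pop = select_access_pop(terminal["location"])

    connection_info = {  # sent to the access PoP node (step 102)
        "terminal": {"ip": terminal["ip"]},
        "target_cpe": {"id": cpe_id, "ip": cpe["ip"]},
        "policy": {"security": "default-deny", "allow": [cpe["lan"]]},
        "tunnel_config": {"path": [pop.pop_id, cpe_id]},
    }
    tunnel_access_info = {  # sent to the mobile terminal (step 103)
        "terminal": {"ip": terminal["ip"]},
        "access_pop": {"id": pop.pop_id, "ip": pop.ip},
        "tunnel": {"protocol": "EXAMPLE-TUNNEL", "session_id": secrets.token_hex(16)},
        "link_monitoring": {"keepalive_interval_s": 5, "probe_target": cpe["ip"]},
        "primary_acl": [cpe["lan"]],  # only traffic for the target CPE enters the tunnel
    }
    return connection_info, tunnel_access_info
```

With the constructed inventory, a terminal located next to the overloaded `pop-a` is steered to `pop-b`, and both messages carry only what their recipient needs: the PoP gets policy and routing, the terminal gets the tunnel endpoint, monitoring settings and ACL.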
In the embodiments of the present specification, after the access PoP node performs tunnel routing configuration and the SD-WAN tunnel connection is established between the mobile terminal and the target CPE, the method further includes:
the SD-WAN controller receives link quality data that is generated from the link monitoring messages and sent by the mobile terminal;
the SD-WAN controller switches the SD-WAN tunnel connection path according to the link quality data.
In this embodiment, the link quality data may be used to reflect the link quality between the mobile terminal and the target CPE through the SD-WAN tunnel, where the link quality data includes the number of transmission packets, and packet delay time, jitter, and the like.
The link quality data may also be used to reflect the link quality between any two PoP nodes, including, for example, the number of messages transmitted between any two PoP nodes, and the delay time, jitter, etc. of the messages.
When the SD-WAN controller determines from the link quality data that the link quality does not meet the link quality requirement, it controls the SD-WAN tunnel to perform link switching.
For example, the SD-WAN controller determines whether the number of transmitted messages and/or the message delay time exceeds a preset threshold: when the number of transmitted messages and/or the message delay time between the access PoP node and other PoP nodes exceeds the preset threshold, new tunnel configuration information is generated to control the related PoP nodes to switch SD-WAN tunnel links; when the number of transmitted messages and/or the message delay time between the mobile terminal and the access PoP node exceeds the preset threshold, a new access PoP node is selected and the terminal is switched to it.
In the embodiments of the present specification, the SD-WAN controller receiving the link quality data that is generated from the link monitoring messages and sent by the mobile terminal further includes:
the mobile terminal sends a keep-alive message to the target CPE;
the target CPE feeds back a response message to the mobile terminal;
the mobile terminal generates link quality data of the SD-WAN tunnel between the mobile terminal and the target CPE according to the response message;
and the link quality data is sent to the SD-WAN controller.
In this step, the keep-alive messages are sent at a predetermined time interval, and the response message includes response information for the keep-alive message, the sending time of the response message, and the like. The link quality data includes information indicating the link quality of the SD-WAN tunnel, for example the number of keep-alive messages sent by the mobile terminal, the times at which the keep-alive messages were sent, the number of response messages fed back by the target CPE, and the sending times of the response messages. From the link quality data the SD-WAN controller may compute the number of messages sent by the mobile terminal, the packet loss rate, the message delay time, the jitter, and so on, and thereby determine the quality of the SD-WAN tunnel link between the mobile terminal and the target CPE. When the SD-WAN tunnel link quality does not meet the link quality requirement (for example, the quality committed to by the carrier, the SLA), the controller may switch the SD-WAN tunnel link between the mobile terminal and the target CPE.
In this embodiment of the present specification, the SD-WAN controller switching the SD-WAN tunnel connection path according to the link quality data further includes:
when the SD-WAN controller determines, by analyzing the link quality data, that the quality of the SD-WAN tunnel link between the mobile terminal and the access PoP node does not meet the link quality requirement, switching the mobile terminal to a new access PoP node.
In this embodiment, when the SD-WAN controller determines from the link quality data that the link quality of the mobile terminal does not meet the link quality requirement, while the link quality between the access PoP node and the other PoP nodes or the target CPE does meet it, the controller may send an instruction to the mobile terminal to disconnect its tunnel from the access PoP node, assign a new access PoP node, and control the mobile terminal to establish a tunnel connection with the new access PoP node. The tunnel route configuration between the new access PoP node and the other PoP nodes or the target CPE does not need to change, although it may also be adjusted adaptively, for example by performing new tunnel route configuration according to the workload of the PoP nodes or the network quality.
In this embodiment of the present specification, the SD-WAN controller switching the SD-WAN tunnel connection path according to the link quality data further includes:
when the SD-WAN controller determines, by analyzing the link quality data, that the SD-WAN tunnel between the mobile terminal and the target CPE as a whole does not meet the link quality requirement, generating connection information comprising new tunnel configuration information, and switching the SD-WAN tunnel connection path between the mobile terminal and the target CPE.
In this embodiment, when the SD-WAN controller analyzes the link quality data to obtain that the SD-WAN tunnel between the mobile terminal and the target CPE does not meet the link quality requirement as a whole, the SD-WAN controller regenerates connection information including tunnel configuration information according to the states of all PoP nodes (or other related network devices) in the SD-WAN network from the mobile terminal to the target CPE, such as network states, load states, distance states, and the like, and sends the connection information to the reselected access PoP node, so that the access PoP node may perform tunnel routing configuration according to the new tunnel configuration information to form a new SD-WAN tunnel connection path.
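The keep-alive accounting and the two switching cases described above, as an added example (not code from the patent): raw keep-alive/response records are reduced to loss, delay and jitter, checked against a link quality requirement, and mapped to "keep", "switch the access PoP" or "regenerate the tunnel configuration". The record layout, the threshold values, the per-leg split of the reports and the assumption that terminal and CPE clocks are synchronized are all illustrative assumptions.

```python
import math
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Probe:
    seq: int
    sent_at: float                     # when the keep-alive was sent (s)
    response_sent_at: Optional[float]  # send time carried in the response; None = lost


@dataclass(frozen=True)
class Requirement:
    """Link quality requirement; the threshold values are assumptions."""
    max_loss: float = 0.05
    max_delay_ms: float = 150.0
    max_jitter_ms: float = 30.0


def probes_from(delays_ms) -> List[Probe]:
    """Constructed sample data: one keep-alive per second, None marks a lost response."""
    return [Probe(i, float(i), None if d is None else i + d / 1000.0)
            for i, d in enumerate(delays_ms)]


def summarize(probes: List[Probe]) -> dict:
    """Reduce raw keep-alive/response records to loss, delay and jitter."""
    if not probes:
        raise ValueError("empty link quality report")
    # The report is produced by the terminal, so treat it as untrusted input.
    if len({p.seq for p in probes}) != len(probes):
        raise ValueError("duplicate sequence number in report")
    answered = sorted((p for p in probes if p.response_sent_at is not None),
                      key=lambda p: p.seq)
    if any(p.response_sent_at < p.sent_at for p in answered):
        raise ValueError("response timestamped before its keep-alive")
    delays = [(p.response_sent_at - p.sent_at) * 1000.0 for p in answered]
    # Jitter here is the mean absolute change between consecutive delays.
    changes = [abs(b - a) for a, b in zip(delays, delays[1:])]
    return {
        "sent": len(probes),
        "loss": 1.0 - len(answered) / len(probes),
        "delay_ms": mean(delays) if delays else math.inf,
        "jitter_ms": mean(changes) if changes else 0.0,
    }


def meets(summary: dict, req: Requirement) -> bool:
    return (summary["loss"] <= req.max_loss
            and summary["delay_ms"] <= req.max_delay_ms
            and summary["jitter_ms"] <= req.max_jitter_ms)


def decide(access_leg: List[Probe], onward_leg: List[Probe],
           req: Requirement = Requirement()) -> str:
    """access_leg: terminal <-> access PoP; onward_leg: access PoP <-> target CPE."""
    access_ok = meets(summarize(access_leg), req)
    onward_ok = meets(summarize(onward_leg), req)
    if access_ok and onward_ok:
        return "keep"
    if onward_ok:
        # Only the access leg is bad: move the terminal to a new access PoP
        # and leave the onward tunnel routing unchanged.
        return "switch_access_pop"
    # The fault is not confined to the access leg: regenerate connection
    # information with new tunnel configuration.
    return "reroute_tunnel"
```

Rejecting malformed reports before scoring them matters because a report that understates loss or delay would otherwise keep a degraded path in service.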
In the embodiment of the present specification, the SD-WAN controller generates connection information according to the connection request, and sends the connection information to an access PoP node, so as to perform tunnel routing configuration further including,
The access PoP node creates virtual machines corresponding to the connection requests one by one according to the connection information;
and carrying out corresponding strategy control on the message of the mobile terminal by utilizing the virtual machine.
In this embodiment, a virtual machine corresponding to each connection request may be created at the access PoP node from the connection information generated for that connection request. That is, each virtual machine is configured to process the large number of messages (i.e., the traffic) in the SD-WAN tunnel between one mobile terminal and a target CPE (or multiple target CPEs), and it processes that traffic using the policy information for the SD-WAN tunnel. Because the messages in the SD-WAN tunnel established later are subject to policy control by virtual machines in one-to-one correspondence with the connection requests, the services of different mobile terminals or users are isolated more safely, and communication based on the SD-WAN network is more secure.
In the embodiment of the present disclosure, performing corresponding policy control on the messages of the mobile terminal by using the virtual machine further includes:
the message entering the virtual machine through an uplink channel, wherein the uplink channel comprises a first virtual network port and a second virtual network port, and the message enters the first virtual network port of the corresponding virtual machine through a physical network port of the access PoP node;
the message processed by a user-mode process of the virtual machine according to the corresponding policy information being output through a downlink channel, wherein the downlink channel comprises a third virtual network port and a fourth virtual network port, the TUN device converts the processed user-mode message into a kernel-mode message, the third virtual network port obtains the kernel-mode message, and the fourth virtual network port sends the kernel-mode message to the physical network port of the access PoP node.
In this embodiment, the first virtual network port and the second virtual network port, and the third virtual network port and the fourth virtual network port are matched through corresponding routing policies. The routing policy may include, for example, a correspondence between a virtual network port and a virtual network port, and a correspondence between a virtual network port and a physical network port.
The user-mode process of the virtual machine can also analyze the messages to determine which should be forwarded to the target CPE and which to the Internet; messages that do not need to be forwarded to the target CPE are forwarded to the Internet and do not occupy the transmission resources of the SD-WAN tunnel.
In the embodiment of the present disclosure, the uplink channel further includes:
the message passing through the physical network port of the access PoP node enters the first virtual network port after layer 2 forwarding through a first network bridge;
the downlink channel further includes:
the message passing through the fourth virtual network port enters the physical network port of the access PoP node after layer 2 forwarding through a second network bridge.
In the embodiment of the present disclosure, the uplink channel and the downlink channel respectively belong to different network segments.
The security of the SD-WAN network can be further improved by isolating connection requests initiated by different mobile terminals in different virtual machines.
In this embodiment of the present disclosure, the SD-WAN controller sending tunnel access information to the mobile terminal, so that the mobile terminal accesses the access PoP node according to the tunnel access information, further includes:
the SD-WAN controller sending a primary access control list to the mobile terminal, so that the mobile terminal sends only the messages related to the target CPE to the access PoP node according to the primary access control list.
In this embodiment, the primary access control list (ACL) may include only five-tuple information, that is, a source IP address, a source port number, a destination IP address, a destination port number, and protocol information. The mobile terminal may determine, according to the primary access control list, whether the destination of a message is on the target CPE side; if the destination of the message to be sent is not on the target CPE side, the message is not sent to the access PoP node and does not enter the SD-WAN tunnel, which reduces the occupation of tunnel resources. Because the processing capability of the mobile terminal is limited, and the operating systems of some mobile terminals limit the resources an application may occupy, the mobile terminal cannot perform comprehensive access control and performs only limited access control: it does not analyze the message and only determines whether to send the message to the access PoP node according to the destination (or message type, etc.) of the message. The mobile terminal may also handle other simple access processing work, such as generating and reporting link quality data, initiating a connection request, and establishing the tunnel connection with the access PoP node assigned by the SD-WAN controller. Complex policy control is not performed on the mobile terminal; it is handled on the access PoP node and the other related PoP nodes.
Fig. 2 is a system configuration diagram of a mobile terminal accessing an SD-WAN network in an embodiment of the present disclosure. It describes the mobile terminal performing SD-WAN network access processing under the control of the SD-WAN controller, with the access PoP node performing policy control, so that together they establish an SD-WAN tunnel. In this embodiment, the mobile terminal may be, for example, a mobile phone, a tablet computer, a notebook computer, or another electronic device; a specific software program is installed on it to perform the SD-WAN network access processing, and a device with this software program is referred to as a mobile terminal. The access PoP node may be any PoP node in the SD-WAN network, for example a computer device or server with relatively strong data processing capability. The application server may be a computer device or server that provides a service. The SD-WAN network may have a plurality of CPEs; this embodiment shows only one CPE as the target CPE, without limitation. In this embodiment, the target side is connected to an internal network, and at least one CPE has a computer device or a network access device that communicates with the mobile terminal. Based on this system, the mobile terminal accesses the network as follows:
Step 201, the mobile terminal initiates a connection request to the SD-WAN controller.
In this step, the mobile terminal may send user authentication information to the SD-WAN controller through the internet, for example a user name, a password, a verification code, and the like.
The connection request may include information of the mobile terminal, information of a user, etc. The information of the mobile terminal may be, for example, the IP address and/or MAC address used for communication with the mobile terminal, and may also include the mobile terminal type (mobile phone, tablet computer, etc.), performance parameters (memory, storage space, etc.), system type, etc. The user information may include, for example, a user name and a password. The connection request may further include positioning information of the mobile terminal, such as coordinate information, for determining the location of the mobile terminal. The connection request may also include other information, without limitation.
Step 202, after the verification passes, the SD-WAN controller generates connection information.
In this step, the SD-WAN controller verifies the connection request initiated by the mobile terminal, including the user authentication information. After the verification passes, the SD-WAN controller may generate connection information according to the connection request. In this embodiment, the connection information may include mobile terminal information and target CPE information for determining which CPE the mobile terminal is to be connected to. The target CPE may be determined from the user information; that is, the user name determines which CPE node or nodes the user is related to, and that CPE node is the target CPE node to which the connection request should be connected. The tunnel configuration information generated by the SD-WAN controller (in other embodiments it may also be generated by the access PoP node) includes information for all PoP nodes between the mobile terminal and the target CPE, and may further include virtual machine configuration information inside the access PoP node. The connection information may further include policy information for each PoP node in the SD-WAN tunnel between the mobile terminal and the target CPE; that is, the SD-WAN controller determines, for the traffic between the mobile terminal and the target CPE, the PoP node's networking policy (packet destination path), complete security policy (DPI, virus protection, attack protection, etc.), flow control policy (traffic shaping, speed limit, priority protection, etc.), optimization policy (conventional SD-WAN functions such as protocol acceleration, compression, and buffering), and the like, and traffic is processed and forwarded according to the matching result. The connection information may further include tunnel configuration information between the mobile terminal and the access PoP node, for example IPSec tunnel configuration information.
The SD-WAN controller may select an access PoP node suited to the connection request. For example, it may select the PoP node closest to the mobile terminal according to the positioning information of the mobile terminal, a PoP node matched with the mobile terminal according to the system type of the mobile terminal, a PoP node adapted to the network speed of the mobile terminal (for example, a mobile terminal with a slower network speed may be matched to a PoP node corresponding to that network speed), or the PoP node specified by the user in the connection request.
Step 203, the SD-WAN controller sends the connection information to the access PoP node for tunnel routing configuration.
In this step, after receiving the connection information sent by the SD-WAN controller, the access PoP node establishes an SD-WAN tunnel with respect to the mobile terminal and the target CPE.
The access PoP node establishes a virtual machine corresponding to the connection request initiated by the mobile terminal, and communicates with the mobile terminal by utilizing the virtual machine, so that the service of the access PoP node can be provided for the virtual machines corresponding to different connection requests, the isolation of communication between the mobile terminals is realized, and the communication is safer.
The access PoP node may also configure the related PoP node or other resources using tunnel configuration information in the connection information to form an SD-WAN tunnel between the mobile terminal and the target CPE. The access PoP node configures policy control to a virtual machine corresponding to the mobile terminal and the target CPE according to the tunnel configuration information, so that the virtual machine is specially responsible for policy control of the mobile terminal and the target CPE, that is, one virtual machine processes message forwarding from one mobile terminal to one or more target CPEs. The access PoP node may connect directly to the target CPE through an SD-WAN tunnel.
After the tunnel route configuration is completed, the access PoP node feeds back to the SD-WAN controller.
Step 204, the SD-WAN controller sends tunnel access information to the mobile terminal.
In this step, the tunnel access information sent by the SD-WAN controller to the mobile terminal includes information of the access PoP node, for example its IP address and port number, and information of the mobile terminal, for example its IP address and port number. The tunnel access information may also include the tunnel protocol used between the mobile terminal and the access PoP node, for example a general tunnel protocol such as IPSec, L2TP, GRE, or VXLAN, or another private tunnel protocol, which is not limited herein.
In this embodiment, the tunnel access information may further include a primary access control list (ACL). The mobile terminal may be unable to handle complex policy control because of its limited hardware processing capability or restrictions of its operating system, for example limits on the memory an application may use or on the application's permissions in some operating systems, so only relatively simple access processing work is performed on the mobile terminal; for example, no deep packet inspection (DPI) is performed on the mobile terminal for a packet to be sent. The primary access control list may be used for a preliminary screening of whether the resource to be accessed needs to be sent to the target CPE through the SD-WAN network, for example by judging the IP address of the target to be accessed, the message type, or the five-tuple information of the message, to decide whether the message needs to be sent to the access PoP node and thereby enter the SD-WAN network. The primary access control list holds the features of messages that need to be transmitted to the target CPE through the SD-WAN network, for example the IP address of the target CPE, the IP address of a target terminal on the target CPE side, or the message type. If a message that the mobile terminal needs to send matches a feature in the primary access control list, it is sent to the access PoP node through the tunnel between the mobile terminal and the access PoP node; if it does not match, it is sent to the target object through the internet, so as to save the data processing resources and bandwidth resources of the access PoP node.
The tunnel access information may further include link monitoring configuration information, according to which the mobile terminal configures itself. After the SD-WAN tunnel between the mobile terminal and the target CPE is established, the mobile terminal periodically sends a keep-alive message to the target CPE, the target CPE feeds back a response message to the mobile terminal, and the mobile terminal generates link quality data for the SD-WAN tunnel between the mobile terminal and the target CPE according to the response message and sends the link quality data to the SD-WAN controller.
Step 205, the mobile terminal creates a tunnel with the access PoP node according to the tunnel access information.
Fig. 3 is a flowchart of a mobile terminal sending a message in an embodiment of the present disclosure. It describes the process by which the mobile terminal intercepts a message that should be sent to the access PoP node and sends it to the access PoP node. In this embodiment, the primary access control list has few records and records only some important forwarding features. Messages with these forwarding features are filtered out and sent to the access PoP node, and the messages not filtered out are sent to their destination through the ordinary internet; or, conversely, the filtered messages are sent to their destination through the ordinary internet and the messages not filtered out are sent to the access PoP node through the tunnel. This further reduces the message processing on the mobile terminal, saves its hardware and software resources, and avoids problems such as high power consumption and slow response. The method specifically includes:
Step 301, a message to be sent is intercepted by a hook node provided by the operating system.
Step 302, the intercepted message is filtered through the primary access control list.
In this step, the hook node provided by the mobile terminal operating system is used to intercept the message to be sent, and the five-tuple information of the message is compared with the record in the primary access control list, so as to determine whether the message to be sent should be sent to the access PoP node.
Step 303, the screened message that is to be sent to the access PoP node is encapsulated by using a tunneling protocol.
In this step, the mobile terminal encapsulates the screened message by using the tunnel protocol in the received tunnel access information, or encapsulates the screened message by using a preset tunnel protocol.
Step 304, the encapsulated message is sent into the tunnel connected with the access PoP node.
Step 305, a message that should not be sent to the access PoP node is sent over the internet.
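The screening in steps 301 to 305, sketched as an added Python example (not code from the patent): a five-tuple primary ACL decides whether a message enters the tunnel or goes out over the internet, including the inverted mode described above. The class names, the sample addresses, the drop decision for unparsable packets and the guard for the tunnel's own outer packets are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

TUNNEL, INTERNET, DROP = "tunnel", "internet", "drop"


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp", "udp", "icmp", ...


@dataclass(frozen=True)
class AclEntry:
    """One primary-ACL record. A field left as None matches anything."""
    dst_net: str
    proto: Optional[str] = None                  # lower case, e.g. "tcp"
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range
    src_net: Optional[str] = None

    def matches(self, pkt: FiveTuple) -> bool:
        dst = ipaddress.ip_address(pkt.dst_ip)
        if dst not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_net is not None:
            src = ipaddress.ip_address(pkt.src_ip)
            if src not in ipaddress.ip_network(self.src_net):
                return False
        if self.proto is not None and pkt.proto.lower() != self.proto:
            return False
        if self.dst_ports is not None:
            low, high = self.dst_ports
            if not low <= pkt.dst_port <= high:
                return False
        return True


class PrimaryAcl:
    """Header-only screening on the terminal; no payload is inspected."""

    def __init__(self, entries: Sequence[AclEntry],
                 pop_endpoint: Tuple[str, int], on_match: str = TUNNEL):
        self.entries = tuple(entries)
        self.pop_ip = ipaddress.ip_address(pop_endpoint[0])
        self.pop_port = pop_endpoint[1]
        # on_match=INTERNET gives the inverted list: listed traffic bypasses
        # the tunnel and everything else is sent to the access PoP node.
        self.on_match = on_match
        self.on_miss = INTERNET if on_match == TUNNEL else TUNNEL

    def route(self, pkt: FiveTuple) -> str:
        try:
            dst = ipaddress.ip_address(pkt.dst_ip)
            ipaddress.ip_address(pkt.src_ip)
        except ValueError:
            return DROP  # assumption: an unparsable header is sent nowhere
        if not (0 <= pkt.src_port <= 65535 and 0 <= pkt.dst_port <= 65535):
            return DROP
        # Assumption: the encapsulated outer packets addressed to the access
        # PoP must never be matched back into the tunnel (forwarding loop).
        if dst == self.pop_ip and pkt.dst_port == self.pop_port:
            return INTERNET
        if any(entry.matches(pkt) for entry in self.entries):
            return self.on_match
        return self.on_miss


# Constructed sample policy: 10.20.0.0/16 stands for the target CPE side,
# 192.0.2.50 for one published service, 203.0.113.10:4500 for the access PoP.
ACL = PrimaryAcl(
    [AclEntry("10.20.0.0/16"),
     AclEntry("192.0.2.50/32", proto="tcp", dst_ports=(443, 443))],
    pop_endpoint=("203.0.113.10", 4500),
)


def demo():
    """Route four constructed packets and return the decisions in order."""
    packets = [
        FiveTuple("100.64.1.7", 51000, "10.20.5.8", 443, "tcp"),     # CPE side
        FiveTuple("100.64.1.7", 51001, "198.51.100.7", 443, "tcp"),  # public
        FiveTuple("100.64.1.7", 4500, "203.0.113.10", 4500, "udp"),  # outer
        FiveTuple("100.64.1.7", 51002, "192.0.2.50", 22, "tcp"),     # port miss
    ]
    return [ACL.route(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```
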
Fig. 4 is a schematic structural diagram of a virtual machine constructed by an access PoP node in the embodiment of the present disclosure, and fig. 5 is a schematic diagram of the virtual machine of the access PoP node receiving and sending a message in the embodiment of the present disclosure. The two diagrams together describe a structure in which the access PoP node, through virtual machines configured according to the connection information, maps each mobile terminal to one tunnel and isolates the connections between the mobile terminals and the access PoP node, which improves the security of the access PoP node. The virtual machine can be implemented by technologies such as KVM, Docker, and ESXi. Traffic in this embodiment is a generic term for the messages sent or received by the mobile terminal or the target CPE. This embodiment only describes the processing procedure of the access PoP node sending a message to the mobile terminal; the processing flow for a message fed back to the target CPE corresponds to it and is not repeated. The method in this embodiment specifically includes:
Step 501, the access PoP node receives a message sent by the mobile terminal.
In this step, the access PoP node receives the message sent by the mobile terminal through the physical network port, where the IP address of the physical network port may be 192.168.1.69, for example.
Step 502, the message is forwarded to bridge 1.
In this step, the message is routed to virtual network port 1 of bridge 1 by the routing policy preset by the access PoP node itself or the routing policy generated by the SD-WAN controller, where the IP address of virtual network port 1 is 172.17.0.1, and the message is forwarded on bridge 1 at layer 2.
Step 503, bridge 1 forwards the message to the virtual machine.
In this step, bridge 1 forwards the message at layer 2 from virtual network port 1 to virtual network port 2, and the message can be forwarded directly through virtual network port 2 to virtual network port 3 of the virtual machine, where the IP address of virtual network port 3 is 172.17.0.2. It can be seen that virtual network ports 1, 2, 3, and 4 belong to the uplink channel of the message.
Step 504, the message is converted from kernel mode to user mode.
In this step, the routing policy preset by the access PoP node itself or the routing policy generated by the SD-WAN controller routes the kernel-mode message from the virtual network port 3 to the virtual network port 4 of the virtual machine, and converts the kernel-mode message into the user-mode message through the TUN device (transparent network device) in the virtual machine, so as to be read and processed by the user-mode process.
Step 505, the message processing module of the virtual machine processes the message according to the policy information.
In this step, the virtual machine user state message processing module reads the message from the TUN device, and processes the received message by using policy information preset by the access PoP node itself or policy information generated by the SD-WAN controller, where the message processing module processes the message, which may include processing a large amount of traffic formed by the message according to quintuple information of the message, and may further include processing after analyzing the data content carried in the message after deeply analyzing the message, which is not limited herein.
Step 506, converting the message from the user mode to the kernel mode.
In this step, the user-mode message processed by the message processing module of the virtual machine is converted into a kernel-mode message through the TUN device and is then sent to virtual network port 5 by the routing policy preset by the access PoP node itself or the routing policy generated by the SD-WAN controller; virtual network port 5 forwards the kernel-mode message to virtual network port 6, whose IP address is 172.18.0.2.
Step 507, the virtual machine forwards the message to bridge 2.
In this step, virtual network port 6 of the virtual machine forwards the processed message directly to virtual network port 7 of bridge 2, and virtual network port 7 forwards the message at layer 2 to virtual network port 8 of bridge 2, where the IP address of virtual network port 8 is 182.18.0.1. It can be seen that the downlink channel of the message includes virtual network ports 5, 6, 7, and 8, and that the uplink channel and the downlink channel belong to different network segments, so layer 3 message forwarding is performed.
Step 508, bridge 2 forwards the message to the physical network port of the access PoP node.
In this step, the message on bridge 2 is routed to the physical network port of the access PoP node by a routing policy preset by the access PoP node itself or generated by the SD-WAN controller.
Step 509, the access PoP node sends the message.
In this step, according to the analysis and processing result of the message by the message processing module, the message that should be sent to the target CPE is finally forwarded to the target CPE through the tunnel of the SD-WAN network via other PoP nodes, or directly sent to the target CPE, and the message that does not need to be carried by the tunnel of the SD-WAN network (for example, the message sent to other destination) is sent to the corresponding target via the general internet.
Fig. 6 is a flowchart of link switching in an embodiment of the present disclosure. In this figure, the mobile terminal generates keep-alive messages for link monitoring according to the link monitoring configuration information sent by the SD-WAN controller, sends them to the target CPE, receives the response messages of the target CPE (both the keep-alive message and the response message may be referred to as link monitoring messages), and sends the link quality data generated from the link monitoring messages to the SD-WAN controller, so that the SD-WAN controller controls switching of the SD-WAN tunnel between the mobile terminal and the target CPE according to the link quality data. The method specifically includes:
Step 601, the mobile terminal periodically sends a keep-alive message to the target CPE.
In this step, the timing interval may be set according to the link monitoring configuration information, and the keep-alive message may be a message having no practical meaning, or a message with a specific identification bit, which is used to indicate that the purpose of the message is to monitor the SD-WAN tunnel between the mobile terminal and the target CPE.
Step 602, after receiving the keep-alive message, the target CPE feeds back a response message.
In this step, the response message corresponds to the keep-alive message.
Step 603, the mobile terminal generates link quality data according to the response message.
In this step, the link quality data may include information such as the number of keep-alive messages sent by the mobile terminal, the time of sending the keep-alive messages, the number of response messages fed back by the target CPE and the sending time of the response messages.
Step 604, the mobile terminal sends the link quality data to an SD-WAN controller.
In this step, the mobile terminal may send the link quality data to the SD-WAN controller through a tunnel, or may send the link quality data to the SD-WAN controller through the internet.
In other embodiments, the mobile terminal may also calculate from the link quality data whether the current link meets the link quality requirement, and send the link quality data to the SD-WAN controller only when it does not.
Step 605, the SD-WAN controller switches links according to the link quality data.
In this step, the SD-WAN controller analyzes the link quality data, and when determining that the SD-WAN tunnel link quality between the mobile terminal and the access PoP node does not meet the link quality requirement, selects a new PoP node as the access PoP node to establish tunnel connection with the mobile terminal.
As an application scenario in this embodiment, consider a mobile terminal in a vehicle moving at high speed. After the mobile terminal establishes an SD-WAN tunnel connection with a target CPE through a first access PoP node, the vehicle may move to a position far from the first access PoP node, so that the link quality of the SD-WAN tunnel between the mobile terminal and the first access PoP node no longer meets the requirement. The SD-WAN controller may then select a suitable PoP node as a second access PoP node according to the position of the mobile terminal (it may also consider the movement direction, the speed, etc.); for example, it may select the PoP node closest to the mobile terminal, or a PoP node matching the movement direction, speed, and distance of the mobile terminal.
In this embodiment, when the access PoP node needs to be switched, the SD-WAN controller issues new connection information (including, for example, tunnel configuration information and policy information) to the second access PoP node, so that the second access PoP node performs operations such as tunnel routing configuration, policy processing, and virtual machine establishment. The SD-WAN controller controls the mobile terminal to disconnect from the first access PoP node and immediately establish a tunnel connection with the second access PoP node, and controls the first access PoP node to destroy its tunnel with the mobile terminal, delete the corresponding connection information, and reclaim the virtual machine resources.
In other embodiments, the SD-WAN tunnel between the mobile terminal and the target CPE may pass through a plurality of PoP nodes or other devices (such as an application server). Each node or device may feed back its own network status to the SD-WAN controller periodically or in a request-response manner, so the SD-WAN controller can acquire the network status of all nodes or devices in the SD-WAN tunnel between the mobile terminal and the target CPE and evaluate the link quality of that tunnel. When the link quality of a certain segment of the SD-WAN tunnel link does not meet the requirement, the controller switches the corresponding node or adjusts the link.
After the link is switched, the mobile terminal continues to feed back the link quality of the SD-WAN tunnel between the mobile terminal and the target CPE to the SD-WAN controller through the link quality data. If the link quality after the switch still cannot meet the link quality requirement, the SD-WAN controller switches the link again, until the overall link quality obtained by analyzing the link quality data reported by the mobile terminal meets the link quality requirement. The end-to-end link monitoring messages and the link quality data generated from them reflect the quality of the whole link, which avoids the inaccuracy that arises when the quality of the whole link is calculated by combining the monitoring results of segmented links. The link quality of the whole SD-WAN tunnel link between the mobile terminal and the target CPE is thus truly reflected, so that the quality of the whole link can be improved, its stability ensured, and the user experience improved.
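An added Python example (not code from the patent) of how a controller could turn the link quality data of steps 601 to 605 into the two switching decisions described earlier: replacing only the access PoP node, or regenerating the whole tunnel path. The sequence numbers, the millisecond timestamps taken on the terminal, the loss/RTT/jitter thresholds and the `backbone_ok` flag derived from PoP node reports are assumptions of this example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Optional

KEEP = "keep"
SWITCH_ACCESS_POP = "switch_access_pop"
REBUILD_PATH = "rebuild_path"


@dataclass(frozen=True)
class Requirement:
    """Link quality requirement; the three thresholds are assumed metrics."""
    max_loss: float       # fraction of keep-alives left unanswered, 0..1
    max_rtt_ms: float
    max_jitter_ms: float


@dataclass(frozen=True)
class Quality:
    sent: int
    answered: int
    loss: float
    rtt_ms: Optional[float]     # None when no keep-alive was answered
    jitter_ms: Optional[float]

    def meets(self, req: Requirement) -> bool:
        if self.sent == 0 or self.rtt_ms is None:
            return False  # no evidence is not evidence of a healthy link
        return (self.loss <= req.max_loss
                and self.rtt_ms <= req.max_rtt_ms
                and self.jitter_ms <= req.max_jitter_ms)


def summarize(sent_ms: Dict[int, int], answered_ms: Dict[int, int],
              timeout_ms: int = 1000) -> Quality:
    """Build end-to-end quality from keep-alive send and response times.

    Both maps are keyed by an assumed keep-alive sequence number and hold
    millisecond timestamps on the terminal's clock.
    """
    rtts = []
    for seq in sorted(sent_ms):
        received = answered_ms.get(seq)
        if received is None:
            continue                      # never answered: counts as lost
        rtt = received - sent_ms[seq]
        if 0 <= rtt <= timeout_ms:        # late or negative: counts as lost
            rtts.append(rtt)
    # Responses whose sequence number was never sent are ignored, so stray
    # or forged responses cannot improve the reported quality.
    sent = len(sent_ms)
    if sent == 0 or not rtts:
        return Quality(sent, 0, 1.0, None, None)
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    jitter = mean(deltas) if deltas else 0.0
    return Quality(sent, len(rtts), 1 - len(rtts) / sent, mean(rtts), jitter)


def decide(end_to_end: Quality, backbone_ok: bool, req: Requirement) -> str:
    """Map the analysis onto the two switching cases of the description.

    backbone_ok: the segment from the access PoP node to the other PoP nodes
    or the target CPE meets the requirement, as reported by those nodes.
    """
    if end_to_end.meets(req):
        return KEEP
    # End-to-end quality is bad. If the backbone is healthy the terminal's
    # access segment is at fault: a new access PoP suffices and the rest of
    # the tunnel route configuration can stay. Otherwise regenerate the path.
    return SWITCH_ACCESS_POP if backbone_ok else REBUILD_PATH


# Constructed sample report: keep-alive 3 is answered after the timeout and
# response 9 matches no keep-alive that was sent.
SENT_MS = {1: 0, 2: 1000, 3: 2000, 4: 3000}
ANSWERED_MS = {1: 40, 2: 1050, 3: 3600, 4: 3060, 9: 3500}
REQ = Requirement(max_loss=0.05, max_rtt_ms=150, max_jitter_ms=30)


def analyze(backbone_ok: bool) -> str:
    return decide(summarize(SENT_MS, ANSWERED_MS), backbone_ok, REQ)


if __name__ == "__main__":
    print(summarize(SENT_MS, ANSWERED_MS), analyze(True), analyze(False))
```
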
In other embodiments, when the mobile terminal actively disconnects the tunnel with the access PoP node (e.g., after the mobile terminal completes its communication with the target CPE), or the tunnel with the access PoP node is passively disconnected (e.g., network anomaly, failure, etc.), the SD-WAN controller detects this situation and notifies the access PoP node that the mobile terminal has dropped. The access PoP node then destroys the tunnel, deletes the connection information (routing configuration information, policy information, etc.), and stops the virtual machine, thereby reclaiming the system resources.
Fig. 7 shows a computer device provided in the embodiment of the present disclosure; the method for accessing an SD-WAN network by a mobile terminal described above may be executed by this computer device. The computer device 702 may include one or more processors 704, such as one or more Central Processing Units (CPUs), each of which may implement one or more hardware threads. The computer device 702 may also include any memory 706 for storing any kind of information, such as code, settings, data, etc. By way of non-limiting example, the memory 706 may comprise any one or more combinations of any type of RAM, any type of ROM, a flash memory device, a hard disk, an optical disk, and the like. More generally, any memory may store information using any technique. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent fixed or removable components of computer device 702. In one case, the computer device 702 can perform any of the operations of the associated instructions when the processor 704 executes the associated instructions stored in any memory or combination of memories. The computer device 702 also includes one or more drive mechanisms 708, such as a hard disk drive mechanism, an optical disk drive mechanism, and the like, for interacting with any memory.
The computer device 702 may also include an input/output module 710 (I/O) for receiving various inputs (via an input device 712) and for providing various outputs (via an output device 714). One particular output mechanism may include a presentation device 716 and an associated Graphical User Interface (GUI) 718. In other embodiments, the input/output module 710 (I/O), the input device 712, and the output device 714 may be omitted, the computer device serving merely as one computer device in a network. The computer device 702 can also include one or more network interfaces 720 for exchanging data with other devices via one or more communication links 722. One or more communication buses 724 couple the above-described components together.
Communication link 722 may be implemented in any manner, for example, through a local area network, a wide area network (e.g., the internet), a point-to-point connection, etc., or any combination thereof. Communication link 722 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.
The present description also provides computer-readable instructions which, when executed by a processor, cause the processor to perform the method described above.
It should be understood that, in various embodiments of the present disclosure, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation of the embodiments of the present disclosure.
It should also be understood that, in the embodiments of the present specification, the term "and/or" merely describes an association between the associated objects, meaning that three relationships may exist. For example, A and/or B may mean that A alone is present, that both A and B are present, or that B alone is present. In the present specification, the character "/" generally indicates that the objects before and after it are in an "or" relationship.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the various example components and steps have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present specification.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this specification, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purposes of the embodiments of the present description.
In addition, each functional unit in each embodiment of the present specification may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present specification, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product that is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present specification. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The principles and embodiments of the present invention have been described in the present specification by using specific examples, which are provided to assist in understanding the method and core ideas of the present invention, and modifications will be apparent to those skilled in the art from the teachings of the present invention, and it is intended that the present invention not be limited to these examples.

Claims (19)

The SD-WAN controller receives a connection request of the mobile terminal, generates connection information according to the connection request and sends the connection information to an access PoP node, the access PoP node carries out tunnel route configuration according to the connection information, the SD-WAN controller sends tunnel access information to the mobile terminal, the mobile terminal accesses the access PoP node according to the tunnel access information, and after the access PoP node carries out tunnel route configuration, SD-WAN tunnel connection is established between the mobile terminal and a target CPE, wherein the tunnel access information further comprises link monitoring configuration information, the mobile terminal configures the mobile terminal according to the link monitoring configuration information, and therefore the mobile terminal generates a link monitoring message of an SD-WAN tunnel between the mobile terminal and the target CPE.
CN202411832928.6A | 2024-12-12 | 2024-12-12 | Method and system for mobile terminal accessing SD-WAN network | Active | CN119316378B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202411832928.6A (CN119316378B (en)) | 2024-12-12 | 2024-12-12 | Method and system for mobile terminal accessing SD-WAN network

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202411832928.6A (CN119316378B (en)) | 2024-12-12 | 2024-12-12 | Method and system for mobile terminal accessing SD-WAN network

Publications (2)

Publication Number | Publication Date
CN119316378A (en) | 2025-01-14
CN119316378B (en) | 2025-04-11

Family

ID=94192337

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202411832928.6A (Active, CN119316378B (en)) | Method and system for mobile terminal accessing SD-WAN network | 2024-12-12 | 2024-12-12

Country Status (1)

Country | Link
CN (1) | CN119316378B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN110290093A (en) * | 2018-03-19 | 2019-09-27 | 杭州达乎科技有限公司 | The SD-WAN network architecture and network-building method, message forwarding method
CN117424778A (en) * | 2023-12-18 | 2024-01-19 | 深圳市赛柏特通信技术有限公司 | Method for realizing large two-layer communication across control domain SD-WAN network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112532505A (en) * | 2020-12-01 | 2021-03-19 | 长沙市同迅计算机科技有限公司 | SD-WAN-based local area network communication method and device, readable storage medium and control equipment
CN112333078B (en) * | 2021-01-06 | 2021-04-16 | 杭州网银互联科技股份有限公司 | Method and system for constructing SD-WAN data forwarding plane
CN113542098B (en) * | 2021-07-13 | 2022-11-25 | 中国电信股份有限公司 | Method, system, device and storage medium for establishing and switching SD-WAN tunnel
CN116781693A (en) * | 2022-11-07 | 2023-09-19 | 中移(苏州)软件技术有限公司 | Cloud service access method, platform, equipment and storage medium


Also Published As

Publication number | Publication date
CN119316378A (en) | 2025-01-14


Legal Events

Date | Code | Title | Description
 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |
 | GR01 | Patent grant |
 | CP03 | Change of name, title or address |

Address after:701, 7th Floor, Building 7, No. 13 Huayuan Road, Haidian District, Beijing 100088

Patentee after:Beijing Light Network Technology Co.,Ltd.

Country or region after:China

Address before:Room 01, block C, No. 101, floor 6, building 24, yard 68, Beiqing Road, Haidian District, Beijing 100094

Patentee before:Beijing Light Network Technology Co.,Ltd.

Country or region before:China

