CN104734986A - Message forwarding method and device - Google Patents

Publication number
CN104734986A
Authority: CN (China)
Prior art keywords: message, territory, outbound port, acl strategy, acl
Legal status: Granted
Application number: CN201310704097.XA
Other languages: Chinese (zh)
Other versions: CN104734986B (en)
Inventor: 于来凯
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201310704097.XA
Publication of CN104734986A
Application granted
Publication of CN104734986B
Current legal status: Active

Abstract

The embodiments of the invention disclose a message forwarding method and device. An input switch obtains a message introduced by an ACL policy; according to a pre-configured correspondence between the ACL policy and a VN domain, it obtains the VN domain corresponding to the ACL policy; it performs VxLAN encapsulation on the obtained message to obtain an encapsulated message; and it forwards the encapsulated message to the corresponding output switch according to the VxLAN standard. When network traffic is monitored, the correspondence between the ACL policy and the VN domain and the correspondence between the VN domain and an output port are pre-configured, so that the message introduced by the ACL policy is forwarded to the output port over the VxLAN protocol. When an output port needs to be added or deleted for the message introduced by the ACL policy, only the output-port information corresponding to the VN domain of that ACL policy needs to be revised, which greatly improves the scalability of the traffic-monitoring network.

Description

Message forwarding method and device
Technical field
The present invention relates to the field of networking, and in particular to a message (packet) forwarding method and device.
Background
A network is a bridge over which information is transmitted: through the network, users can easily send or obtain information. However, besides useful information, individuals or groups also spread illegal information over the network, so network information security must be brought under lawful control by carrying out effective information monitoring during normal packet forwarding, retrieving harmful information and thereby cleaning up the network.
Traffic is the volume of data made up of packets; monitoring a traffic flow is therefore in fact monitoring the packets that make up that flow. Existing monitoring of packets forwarded on the network is generally done by redirection with an Access Control List (ACL) policy. For example, if a department needs to monitor whether the content forwarded by a website is legal, policy-based routing is first configured by means of an ACL so that the outgoing packets of that website are redirected to an output port designated by the department: a copy of each outgoing packet is made and sent to that designated output port, and a single device connected to the output port then monitors the traffic it receives.
However, as the monitored items keep growing, a single device can hardly meet the monitoring demand. When another device needs to be added, or another department needs to monitor cooperatively, the only option is to reconfigure policy-based routing through the ACL policy towards the newly added device; the network is thus hard to scale and the network construction cost is very high.
Summary of the invention
To solve the above technical problems, the invention provides a message forwarding method and device which use the VxLAN protocol to effectively expand the scale of the monitoring network and improve its extensibility.
The invention discloses the following technical solutions:
In a first aspect, the invention provides a message forwarding method comprising:
an input switch obtains a packet introduced by an access control list (ACL) policy;
the input switch obtains, according to a pre-configured correspondence between ACL policies and virtual extensible LAN network (VN) domains, the VN domain corresponding to the ACL policy;
the input switch performs virtual extensible LAN (VxLAN) encapsulation on the obtained packet to obtain an encapsulated packet, the outer encapsulation header of which carries the address information of the VN domain;
the input switch forwards the encapsulated packet to the corresponding output switch according to the VxLAN standard.
In a first possible implementation of the first aspect, the correspondence between ACL policies and VN domains is:
one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.
With reference to the first aspect or its first possible implementation, in a second possible implementation, the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation, before the input switch obtains the packet introduced by the ACL policy, the method further comprises:
the input switch performs ACL matching on a received packet according to the packet's five-tuple and determines that the packet is one that can be introduced by the ACL policy, the five-tuple comprising the packet's source IP address, destination IP address, source port number, destination port number and protocol number.
In a second aspect, the invention provides an input switch comprising:
a packet receiving unit for obtaining a packet introduced by an ACL policy;
a determining unit for obtaining, according to a pre-configured correspondence between ACL policies and virtual extensible LAN network (VN) domains, the VN domain corresponding to the ACL policy;
an encapsulation unit for performing virtual extensible LAN (VxLAN) encapsulation on the obtained packet to obtain an encapsulated packet, the outer encapsulation header of which carries the address information of the VN domain;
a sending unit for forwarding the encapsulated packet to the corresponding output switch according to the VxLAN standard.
In a first possible implementation of the second aspect, the correspondence between ACL policies and VN domains is:
one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.
With reference to the second aspect or its first possible implementation, in a second possible implementation, the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
With reference to the second aspect or its first or second possible implementation, in a third possible implementation, the input switch further comprises:
an ACL matching unit for performing ACL matching on a received packet according to the packet's five-tuple and determining that the packet is one that can be introduced by the ACL policy, the five-tuple comprising the packet's source IP address, destination IP address, source port number, destination port number and protocol number.
In a third aspect, the invention provides a message forwarding method comprising:
an output switch receives an encapsulated packet sent by an input switch, the outer encapsulation header of which carries the address information of a virtual extensible LAN network (VN) domain;
the output switch looks up a pre-configured correspondence between VN domains and output ports according to the VN-domain address information in the outer header of the encapsulated packet and obtains the output port(s) corresponding to that VN domain;
the output switch decapsulates the encapsulated packet to obtain the decapsulated packet, which is the packet the input switch introduced by the ACL policy, and sends the decapsulated packet to the output port.
In a first possible implementation of the third aspect, in the correspondence between VN domains and output ports:
one VN domain corresponds to at least one output port.
With reference to the third aspect or its first possible implementation, in a second possible implementation,
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
With reference to the first possible implementation of the third aspect, in a third possible implementation, the output switch's sending the encapsulated packet to the output port, and decapsulating it before it is sent to the output port so that the output port obtains the packet introduced by the ACL policy, comprises:
when the output switch obtains N output ports, it replicates the encapsulated packet to obtain N copies of the encapsulated packet, N being a natural number greater than or equal to 2;
the output switch sends one copy of the encapsulated packet to each of the output ports, decapsulating it before it is sent to the output port so that the output port obtains the packet introduced by the ACL policy.
In a fourth aspect, the invention provides an output switch comprising:
a receiving unit for receiving an encapsulated packet sent by an input switch, the outer encapsulation header of which carries the address information of a virtual extensible LAN network (VN) domain;
an output port acquiring unit for looking up a pre-configured correspondence between VN domains and output ports according to the VN-domain address information in the outer header of the encapsulated packet and obtaining the output port(s) corresponding to that VN domain;
a sending unit for sending the encapsulated packet to the output port and decapsulating it before it is sent to the output port, so that the output port obtains the packet introduced by the ACL policy.
In a first possible implementation of the fourth aspect, the correspondence between VN domains and output ports is specifically:
one VN domain corresponds to at least one output port.
With reference to the fourth aspect or its first possible implementation, in a second possible implementation,
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
With reference to the first possible implementation of the fourth aspect, in a third possible implementation, the sending unit is specifically configured to:
when the output port acquiring unit obtains N output ports, replicate the encapsulated packet to obtain N copies of the encapsulated packet, N being a natural number greater than or equal to 2, send one copy of the encapsulated packet to each of the output ports, and decapsulate it before it is sent to the output port so that the output port obtains the packet introduced by the ACL policy.
As can be seen from the above technical solutions, when monitoring network traffic the technical solution of the invention pre-configures the correspondence between ACL policies and VN domains and the correspondence between VN domains and output ports, and forwards the packets introduced by the ACL policy to the output ports by means of the VxLAN protocol. When an output port needs to be added or deleted for the packets introduced by an ACL policy, only the output-port information of the VN domain corresponding to that ACL policy needs to be modified, which greatly improves the scalability of the traffic-monitoring network.
Description of the drawings
To explain the technical solutions in the embodiments of the invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Clearly, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the combination of the ACL policy with the VxLAN protocol according to the invention;
Fig. 2 is a first method flow chart of a message forwarding method of the invention;
Fig. 3 is a second method flow chart of a message forwarding method of the invention;
Fig. 4 is a schematic diagram of packet forwarding according to the invention;
Fig. 5 is a first device structure diagram of an input switch of the invention;
Fig. 6 is a second device structure diagram of an input switch of the invention;
Fig. 7 is a schematic diagram of the hardware composition of a switch of the invention;
Fig. 8 is a device structure diagram of an output switch of the invention;
Fig. 9 is a schematic diagram of the hardware composition of a switch of the invention.
Embodiment
The embodiments of the invention provide a message forwarding method and device. Combining an ACL policy with the Virtual eXtensible LAN (VxLAN) protocol requires, at a minimum, corresponding extensions at the packet ingress port on the network and at the packet output port of the detection server that directly inspects the traffic. Referring to Fig. 1, a schematic diagram of the combination of the ACL policy with the VxLAN protocol according to the invention: the correspondence between the ACL policy used to introduce packets and a VxLAN Network (VN) domain, and the correspondence between the VN domain and output ports, need to be pre-configured. Here the output port corresponding to a VN domain is the port that connects to the detection server which inspects the packets introduced into that VN domain by the ACL policy. In this way the VN domain, whose output ports can be set flexibly in advance, is organically combined with the output ports of the packets: when, for a packet to be monitored, other packet-monitoring devices have to be added or another department has to monitor cooperatively because of service-monitoring needs or other circumstances, only the output-port information of the VN domain corresponding to the ACL policy used to introduce that packet needs adjusting.
To make the above objects, features and advantages of the invention more apparent, the embodiments of the invention are described in detail below with reference to the drawings.
Embodiment one
This embodiment describes the technical solution of the invention with the input switch at the packet ingress port as the executing entity. Referring to Fig. 2, a first method flow chart of a message forwarding method of the invention, the method comprises the following steps:
S201: the input switch obtains a packet introduced by an ACL policy;
It should be noted here that the traffic received by the input switch contains not only packets introduced by the ACL policy but also other network packets. The input switch therefore needs to match the received packets effectively and determine which of them are the packets introduced by the ACL policy. The technical solution of the invention provides a preferred packet-matching method: the received packets are screened by matching their five-tuple, and a packet that satisfies the matching rule is determined to be one introduced by the ACL policy. The five-tuple here comprises the packet's source IP, destination IP, source port number, destination port number and protocol number. This matching method is only a preferred example: the five-tuple is information at layers L2 to L3 of the packet, but other information at layers L2 to L7 that can be used to match an ACL policy may also be matched, and the invention does not limit how the packets introduced by the ACL policy are matched.
S202: the input switch obtains, according to the pre-configured correspondence between ACL policies and virtual extensible LAN network (VN) domains, the VN domain corresponding to the ACL policy;
It should be noted here that the correspondence between different ACL policies and different VN domains is pre-defined; according to actual conditions, one or more ACL policies can be set to correspond to the same VN domain, so that the traffic forwarded by those ACL policies is all mapped into one VN domain according to this correspondence. That is, one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy. In an actual network environment, this step of presetting the correspondence does not need to be performed every time a packet is forwarded.
S203: the input switch performs VxLAN encapsulation on the obtained packet to obtain an encapsulated packet, the outer encapsulation header of which carries the address information of the VN domain;
It should be noted here that this encapsulation differs from encapsulation under the existing VxLAN standard in what is encapsulated: the packet introduced by the ACL policy is encapsulated, and the address information of the VN domain is added to the outer header of the encapsulated packet so that the output switch receiving it can determine the port from that address information. The address information of the VN domain comprises at least the identifier (VNI) of the VN domain and the IP address of the VN domain. The VN domain identifier is a number within a certain range, such as 20, 30 or 40; the output switch uses this identifier to determine the output-port information corresponding to the VN domain through the pre-configured correspondence between VN domains and output ports. The IP address of the VN domain is generally a multicast IP address, as in the prior art, for example 239.0.0.2; it is the destination IP of the encapsulated packet, and by it the input switch maps the encapsulated packet into the VN domain.
S204: the input switch forwards the encapsulated packet to the corresponding output switch according to the VxLAN standard.
The forwarding in this step follows the VxLAN standard and is not described again here. The specific processing steps after forwarding to the output switch are described in embodiment two.
As can be seen from this embodiment, when monitoring network traffic the technical solution of the invention pre-configures the correspondence between ACL policies and VN domains and forwards the packets introduced by the ACL policy by means of the VxLAN protocol. When an output port needs to be added or deleted for the packets introduced by an ACL policy, only the output-port information of the VN domain corresponding to that ACL policy needs to be modified, which greatly improves the scalability of the traffic-monitoring network.
Embodiment two
This embodiment describes the technical solution of the invention with the output switch, whose traffic output port connects to the detection server that directly inspects the traffic, as the executing entity. Referring to Fig. 3, a second method flow chart of a message forwarding method of the invention, the method comprises the following steps:
S301: the output switch receives an encapsulated packet sent by an input switch, the outer encapsulation header of which carries the address information of a VN domain;
The encapsulated packet received here is the one forwarded according to the VxLAN standard in step S204 of embodiment one; the whole path from forwarding to reception follows the VxLAN standard and is not described again here.
S302: the output switch looks up the pre-configured correspondence between VN domains and output ports according to the VN-domain address information in the outer header of the encapsulated packet and obtains the output port(s) corresponding to the VN domain;
As mentioned in step S203 of embodiment one, the address information of the VN domain comprises at least the identifier (VNI) of the VN domain and the IP address of the VN domain; the VNI is a number within a certain range, such as 20, 30 or 40, and the output switch uses it to determine the output-port information corresponding to the VN domain through the pre-configured correspondence between VN domains and output ports. It should be noted that the pre-defined correspondence mentioned here means that one or more output ports can be set for one VN domain according to actual conditions. These actual conditions mainly refer to which detection services the packets introduced by the one or more ACL policies corresponding to the VN domain must go through, in other words, which detection servers must inspect them; the specific location and information of the output ports of the VN domain are set according to these detection servers. That is, if the packets introduced by the ACL policies corresponding to the VN domain need to be inspected by only one detection server, only one output port connected to that detection server needs to be set; if several detection servers need to inspect them, output ports connected to each of those detection servers need to be set. The correspondence between VN domains and output ports can take the form of an output-port list, as in the following table:
VNI    Output port list
20     Port1, Port2
40     Port3, Port4
The output port(s) corresponding to a VNI can be one or more.
S303: the output switch sends the encapsulated packet to the output port, decapsulating it before it is sent to the output port so that the output port obtains the packet introduced by the ACL policy.
It should be noted here that in the case mentioned in step S302 where several output ports are determined, the encapsulated packet is replicated into several copies, one copy of the encapsulated packet is sent to each output port, and the encapsulated packet is decapsulated before it reaches the output port and restored to the original packet, so that each detection server obtains the complete packet introduced by the ACL policy and can perform its detection service. Another implementation for sending the packet to several output ports is to decapsulate the encapsulated packet first, restoring the original packet introduced by the ACL policy, then replicate that packet into several copies and send the copies to the corresponding output ports, so that each detection server again obtains a complete packet for its detection. That is, in the technical solution of the invention, the encapsulated packet may be replicated first, sent to each of the determined output ports and decapsulated before the output port, or it may be decapsulated first, restored to the original packet introduced by the ACL policy, then replicated and sent to the several output ports. Whether to decapsulate first and then replicate, or to replicate first and then decapsulate, can be preset or decided according to the actual application scenario.
As can be seen from this embodiment, when monitoring network traffic the technical solution of the invention pre-configures the correspondence between VN domains and output ports and forwards the packets introduced by the ACL policy by means of the VxLAN protocol. When an output port needs to be added or deleted for the packets introduced by an ACL policy, only the output-port information of the VN domain corresponding to that ACL policy needs to be modified, which greatly improves the scalability of the traffic-monitoring network.
Embodiment three
Combining the input-switch part of embodiment one and the output-switch part of embodiment two, the whole flow from receiving a packet introduced by an ACL policy to sending it to the detection server is described with an example. Referring to Fig. 4, a schematic diagram of packet forwarding according to the invention:
Suppose the configured input switch 401 matches, among the packets it receives, two packets A and B introduced by an ACL policy, where the source IP address of packet A is 2.2.2.2 and the source IP address of packet B is 3.3.3.3.
The device IP address of input switch 401 is 1.1.1.3. Through the pre-configured correspondence between ACL policies and VN domains, the input switch determines that the VN domain corresponding to packet A (source IP address 2.2.2.2) has identifier 20 and multicast IP address 239.0.0.1, and that the VN domain corresponding to packet B (source IP address 3.3.3.3) has identifier 40 and multicast IP address 239.0.0.2.
After determining the VN domains corresponding to these two packets introduced by the ACL policy, input switch 401 performs VxLAN encapsulation on packets A and B: the identifier 20 of the corresponding VN domain, the multicast IP address 239.0.0.1 and the input switch's device IP address 1.1.1.3 are placed in the outer header of encapsulated packet A, and the identifier 40 of the corresponding VN domain, the multicast IP address 239.0.0.2 and the input switch's device IP address 1.1.1.3 are placed in the outer header of encapsulated packet B.
Input switch 401 then maps encapsulated packets A and B into their respective VN domains according to the standard VxLAN protocol and forwards them by multicast.
When encapsulated packet A arrives at the corresponding output switch 402, output switch 402 obtains the VN-domain identifier 20 by parsing the outer header of encapsulated packet A, then determines from the pre-configured correspondence between VN domains and output ports that this VN domain has two output ports, Port1 and Port2, which connect respectively to the two detection servers that need to inspect packet A.
When encapsulated packet B arrives at the corresponding output switch 403, output switch 403 obtains the VN-domain identifier 40 by parsing the outer header of encapsulated packet B, then determines from the pre-configured correspondence between VN domains and output ports that this VN domain has two output ports, Port3 and Port4, which connect respectively to the two detection servers that need to inspect packet B.
Output switch 402 replicates encapsulated packet A into two copies, sends them to Port1 and Port2 respectively, and decapsulates encapsulated packet A before it reaches Port1 and Port2, restoring the original packet A. Of course, it may also decapsulate first to obtain the original packet A, then replicate packet A and send it directly to the two output ports Port1 and Port2; the invention does not limit this.
Output switch 403 replicates encapsulated packet B into two copies, sends them to Port3 and Port4 respectively, and decapsulates encapsulated packet B before it reaches Port3 and Port4, restoring the original packet B. Of course, it may also decapsulate first to obtain the original packet B, then replicate packet B and send it directly to the two output ports Port3 and Port4; the invention does not limit this.
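The Fig. 4 walk-through above, carried through in code as an added example that is not part of the patent and not Huawei's implementation: a software model of the input switch (steps S201 to S204 of embodiment one) and of the output switch (steps S301 to S303 of embodiment two, in both the copy-then-decapsulate and decapsulate-then-copy orders). The VXLAN header layout follows RFC 7348; the Packet and AclRule structures, the five-tuple wildcard rule syntax, the policy names acl-A and acl-B, and the sample packet contents are assumptions made for this model.

```python
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_UDP_PORT = 4789       # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08         # "I" flag in the VXLAN header: the VNI field is valid
OUTER_FMT = "!4s4sHH"       # simplified outer header: src IP, dst IP, UDP src port, UDP dst port
INNER_FMT = "!4s4sHHB"      # inner five-tuple: src IP, dst IP, src port, dst port, protocol (assumed layout)


@dataclass(frozen=True)
class Packet:
    """Original packet; the first five fields are the five-tuple used for ACL matching (S201)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int              # 6 = TCP, 17 = UDP
    payload: bytes = b""


@dataclass(frozen=True)
class AclRule:
    """Five-tuple ACL rule naming the policy it belongs to; None is a wildcard (assumed syntax)."""
    policy: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(self, f) in (None, getattr(pkt, f))
                   for f in ("src_ip", "dst_ip", "src_port", "dst_port", "proto"))


@dataclass(frozen=True)
class VnDomain:
    """Address information of a VN domain (S203): its identifier VNI and its multicast IP."""
    vni: int
    mcast_ip: str


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def vxlan_encapsulate(pkt: Packet, vn: VnDomain, switch_ip: str) -> bytes:
    """S203: outer header = input switch IP -> VN multicast IP, UDP 4789, VXLAN header carrying the VNI."""
    inner = struct.pack(INNER_FMT, _ip(pkt.src_ip), _ip(pkt.dst_ip),
                        pkt.src_port, pkt.dst_port, pkt.proto) + pkt.payload
    outer = struct.pack(OUTER_FMT, _ip(switch_ip), _ip(vn.mcast_ip), VXLAN_UDP_PORT, VXLAN_UDP_PORT)
    vxlan_hdr = struct.pack("!B3x", VXLAN_FLAG_I) + (vn.vni << 8).to_bytes(4, "big")  # 24-bit VNI + reserved
    return outer + vxlan_hdr + inner


def vxlan_decapsulate(frame: bytes) -> tuple:
    """Inverse of vxlan_encapsulate: returns (VNI, VN multicast IP, original Packet)."""
    n = struct.calcsize(OUTER_FMT)
    _src, dst, _sport, dport = struct.unpack(OUTER_FMT, frame[:n])
    hdr = frame[n:n + 8]
    if dport != VXLAN_UDP_PORT or not hdr[0] & VXLAN_FLAG_I:
        raise ValueError("not a VXLAN frame with a valid VNI")
    vni = int.from_bytes(hdr[4:8], "big") >> 8
    body, m = frame[n + 8:], struct.calcsize(INNER_FMT)
    s, d, sp, dp, pr = struct.unpack(INNER_FMT, body[:m])
    return vni, _ip_str(dst), Packet(_ip_str(s), _ip_str(d), sp, dp, pr, body[m:])


def input_switch(pkt: Packet, rules: list, policy_to_vn: dict, switch_ip: str) -> Optional[bytes]:
    """S201-S204: five-tuple ACL match, policy -> VN domain lookup, VXLAN encapsulation; None = not introduced."""
    for rule in rules:
        if rule.matches(pkt):
            return vxlan_encapsulate(pkt, policy_to_vn[rule.policy], switch_ip)
    return None


def output_switch(frame: bytes, vni_to_ports: dict, copy_first: bool = True) -> dict:
    """S301-S303: read the VNI, look up its output-port list, deliver the original packet to every port.
    copy_first=True replicates the encapsulated frame per port and decapsulates each copy; False decapsulates
    once and then replicates the original packet. An unknown VNI delivers nothing."""
    vni = vxlan_decapsulate(frame)[0]
    ports = vni_to_ports.get(vni, [])
    if copy_first:
        return {port: vxlan_decapsulate(bytes(frame))[2] for port in ports}
    original = vxlan_decapsulate(frame)[2]
    return {port: original for port in ports}


def run_fig4_scenario() -> dict:
    """Fig. 4: packets A (2.2.2.2) and B (3.3.3.3) enter switch 401 (1.1.1.3) and reach switches 402 and 403."""
    rules = [AclRule("acl-A", src_ip="2.2.2.2"), AclRule("acl-B", src_ip="3.3.3.3")]
    policy_to_vn = {"acl-A": VnDomain(20, "239.0.0.1"), "acl-B": VnDomain(40, "239.0.0.2")}
    switch_402 = {20: ["Port1", "Port2"]}      # VN domain 20 -> two detection servers
    switch_403 = {40: ["Port3", "Port4"]}      # VN domain 40 -> two detection servers
    pkt_a = Packet("2.2.2.2", "10.0.0.9", 40000, 80, 6, b"GET /")   # constructed sample packets
    pkt_b = Packet("3.3.3.3", "10.0.0.9", 40001, 443, 6, b"hello")
    frame_a = input_switch(pkt_a, rules, policy_to_vn, "1.1.1.3")
    frame_b = input_switch(pkt_b, rules, policy_to_vn, "1.1.1.3")
    # Multicast forwarding (S204) delivers the VNI-20 frame to switch 402 and the VNI-40 frame to switch 403.
    return {"A": output_switch(frame_a, switch_402, copy_first=True),
            "B": output_switch(frame_b, switch_403, copy_first=False)}
```

A packet whose five-tuple matches no ACL rule is never encapsulated, and a frame whose VNI has no entry in the output switch's table is delivered to no port; both cases are worth checking when a port list is edited, since the patent's scalability argument rests on that table alone being changed.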
Embodiment three
This embodiment is the device embodiment corresponding to embodiment one. Referring to Fig. 5, a first device structure diagram of an input switch of the invention, the input switch comprises:
a packet receiving unit 501 for obtaining a packet introduced by an ACL policy;
a determining unit 502 for obtaining, according to a pre-configured correspondence between ACL policies and virtual extensible LAN network (VN) domains, the VN domain corresponding to the ACL policy;
an encapsulation unit 503 for performing virtual extensible LAN (VxLAN) encapsulation on the obtained packet to obtain an encapsulated packet, the outer encapsulation header of which carries the address information of the VN domain;
a sending unit 504 for forwarding the encapsulated packet to the corresponding output switch according to the VxLAN standard.
Preferably, the correspondence between ACL policies and VN domains is:
one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.
Preferably,
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
Preferably, the input switch protected in the preceding embodiment may further include an ACL matching unit; as shown in Fig. 6, the input switch of Fig. 5 further comprises:
an ACL matching unit 601 for performing ACL matching on a received packet according to the packet's five-tuple and determining that the packet is one that can be introduced by the ACL policy, the five-tuple comprising the packet's source IP address, destination IP address, source port number, destination port number and protocol number.
Further, the embodiment of the invention also provides a switch for implementing the method shown in Fig. 2. Referring to Fig. 7, a schematic diagram of the hardware composition of a switch of the invention, the switch comprises a memory 701, a receiver 702, a transmitter 704, and a processor 703 connected to the memory 701, the receiver 702 and the transmitter 704 respectively:
the memory 701 is configured to store the pre-configured correspondence between ACL policies and virtual extensible LAN network (VN) domains;
the receiver 702 is configured to obtain a packet introduced by an access control list (ACL) policy;
the processor 703 is configured to obtain, according to the correspondence between ACL policies and VN domains pre-configured in the memory 701, the VN domain corresponding to the ACL policy, and to perform virtual extensible LAN (VxLAN) encapsulation on the obtained packet to obtain an encapsulated packet, the outer encapsulation header of which carries the address information of the VN domain;
the transmitter 704 is configured to forward the encapsulated packet to the corresponding output switch according to the VxLAN standard.
Embodiment four
The present embodiment is the device embodiment corresponding to Embodiment two. Referring to Fig. 8, which is a structural diagram of an output switch of the present invention, the output switch comprises:
a receiving unit 801, configured to receive an encapsulated message sent by an input switch, the outer encapsulation header of which carries the address information of a virtual extensible LAN network (VN) domain;
an output port acquiring unit 802, configured to look up a pre-configured correspondence between VN domains and output ports according to the address information of the VN domain in the outer header of the encapsulated message, and to obtain the output port(s) corresponding to the VN domain;
a transmitting unit 803, configured to send the encapsulated message to the output port, and to decapsulate the encapsulated message before it is sent to the output port, so that the output port obtains the message introduced by the ACL policy.
Preferably, the correspondence between VN domains and output ports is specifically:
one VN domain corresponds to at least one output port.
Preferably, the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
Preferably, the transmitting unit 803 is specifically configured to:
when the output port acquiring unit obtains N output ports, copy the encapsulated message to obtain N copies of the encapsulated message, N being a natural number greater than or equal to 2, send one copy of the encapsulated message to each of the output ports, and decapsulate the encapsulated message before it is sent to the output port, so that each output port obtains the message introduced by the ACL policy.
Further, an embodiment of the present invention also provides a switch for implementing the method shown in Fig. 3. Referring to Fig. 9, which is a schematic hardware diagram of a switch of the present invention, the switch comprises a memory 901, a receiver 902, a transmitter 904, and a processor 903 connected to the memory 901, the receiver 902 and the transmitter 904 respectively:
the memory 901, configured to store the pre-configured correspondence between VN domains and output ports;
the receiver 902, configured to receive an encapsulated message sent by an input switch, the outer encapsulation header of which carries the address information of a virtual extensible LAN network (VN) domain;
the processor 903, configured to look up the correspondence between VN domains and output ports pre-configured in the memory 901 according to the address information of the VN domain in the outer header of the encapsulated message, and to obtain the output port(s) corresponding to the VN domain;
the transmitter 904, configured to send the encapsulated message to the output port, and to decapsulate the encapsulated message before it is sent to the output port, so that the output port obtains the message introduced by the ACL policy.
As can be seen from the above embodiments, when monitoring network traffic, the technical solution of the present invention pre-configures the correspondence between ACL policies and VN domains and the correspondence between VN domains and output ports, and forwards the message introduced by an ACL policy to the output port(s) by means of the VxLAN protocol. When an output port needs to be added to or removed from the message introduced by an ACL policy, only the output port information corresponding to the VN domain of that ACL policy needs to be modified, which greatly improves the extensibility of the traffic monitoring network.
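The two-stage pipeline of Embodiments one to four, as an added Python simulation that is not part of the patent: an ACL five-tuple match selects a policy, the policy maps to a VN domain whose VNI and IP address go into a simplified outer header (a 4-byte destination IP followed by the 8-byte VXLAN header of RFC 7348; the real outer Ethernet/IP/UDP headers are omitted), and the output side looks up VNI to output ports, copies once per port and hands each port the decapsulated original. All class and field names, the sample policy, addresses, VNI and port names are constructed for this example; adding a port through `add_port` shows that only the VN-domain-to-ports table changes, the ingress configuration being untouched.

```python
import ipaddress
import struct
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

VXLAN_FLAG_I = 0x08  # RFC 7348 I flag: the VNI field is valid

# Five-tuple the ACL is matched on (source IP, destination IP, source port, destination port, protocol).
FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip src_port dst_port proto")

def _in_net(ip: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

@dataclass(frozen=True)
class AclPolicy:
    """One ACL policy over the five-tuple; a None field is a wildcard."""
    name: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, ft: FiveTuple) -> bool:
        return (_in_net(ft.src_ip, self.src_net) and _in_net(ft.dst_ip, self.dst_net)
                and self.dst_port in (None, ft.dst_port) and self.proto in (None, ft.proto))

@dataclass(frozen=True)
class VnDomain:
    vni: int  # 24-bit VXLAN network identifier
    ip: str   # IP address of the VN domain, carried as the outer destination

def vxlan_encapsulate(vn: VnDomain, message: bytes) -> bytes:
    """Prepend a simplified outer header: 4-byte destination IP + 8-byte VXLAN header."""
    if not 0 <= vn.vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    vxlan_hdr = struct.pack("!II", VXLAN_FLAG_I << 24, vn.vni << 8)  # flags|reserved, VNI|reserved
    return ipaddress.IPv4Address(vn.ip).packed + vxlan_hdr + message

def vxlan_decapsulate(frame: bytes):
    """Return (outer destination IP, VNI, original message); reject frames without the I flag."""
    flags, vni_field = struct.unpack("!II", frame[4:12])
    if not (flags >> 24) & VXLAN_FLAG_I:
        raise ValueError("not a VXLAN frame")
    return str(ipaddress.IPv4Address(frame[:4])), vni_field >> 8, frame[12:]

class IngressSwitch:
    """Pre-configured ACL policy -> VN domain table: one domain per policy, a domain may serve many."""
    def __init__(self, policies: Iterable[AclPolicy], policy_to_vn: Dict[str, VnDomain]):
        self.policies, self.policy_to_vn = list(policies), dict(policy_to_vn)

    def process(self, ft: FiveTuple, message: bytes) -> Optional[bytes]:
        for policy in self.policies:
            if policy.matches(ft):
                return vxlan_encapsulate(self.policy_to_vn[policy.name], message)
        return None  # not introduced by any ACL policy: nothing is mirrored

class EgressSwitch:
    """Pre-configured VN domain (VNI) -> output ports table; one decapsulated copy per port."""
    def __init__(self, vn_to_ports: Dict[int, Set[str]]):
        self.vn_to_ports = {vni: set(ports) for vni, ports in vn_to_ports.items()}

    def add_port(self, vni: int, port: str) -> None:
        # Adding a monitoring port changes only this table; the ingress switch is untouched.
        self.vn_to_ports.setdefault(vni, set()).add(port)

    def process(self, frame: bytes) -> Dict[str, bytes]:
        _outer_ip, vni, message = vxlan_decapsulate(frame)
        return {port: message for port in self.vn_to_ports.get(vni, set())}

# Constructed sample configuration (not from the patent): mirror HTTPS from 10.0.1.0/24 to Port3 and Port4.
POLICIES = [AclPolicy("acl-https", src_net="10.0.1.0/24", dst_port=443, proto=6)]
INGRESS = IngressSwitch(POLICIES, {"acl-https": VnDomain(vni=0x00A001, ip="192.0.2.10")})
EGRESS = EgressSwitch({0x00A001: {"Port3", "Port4"}})
```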
It should be noted that a person of ordinary skill in the art will understand that all or part of the flow of the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may comprise the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The message forwarding method and device provided by the present invention have been described in detail above. Specific embodiments have been used herein to set forth the principle and implementation of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. Meanwhile, a person of ordinary skill in the art may, according to the idea of the present invention, make changes in the specific implementation and scope of application. In summary, the content of this description should not be construed as limiting the present invention.

Claims (16)

1. A message forwarding method, characterized in that the method comprises:
an input switch obtaining a message introduced by an access control list (ACL) policy;
the input switch obtaining, according to a pre-configured correspondence between ACL policies and virtual extensible LAN network (VN) domains, the VN domain corresponding to the ACL policy;
the input switch performing virtual extensible local area network (VxLAN) encapsulation on the obtained message to obtain an encapsulated message, the outer encapsulation header of the encapsulated message carrying the address information of the VN domain;
the input switch forwarding the encapsulated message to the corresponding output switch according to the VxLAN standard.
2. The method according to claim 1, characterized in that the correspondence between ACL policies and VN domains is:
one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.
3. The method according to claim 1 or 2, characterized in that
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
4. The method according to any one of claims 1 to 3, characterized in that, before the input switch obtains the message introduced by the ACL policy, the method further comprises:
the input switch performing ACL matching on a received message according to the five-tuple of the message and determining that the message is one that can be introduced by an ACL policy, the five-tuple comprising the source IP address, destination IP address, source port number, destination port number and protocol number of the message.
5. An input switch, characterized in that it comprises:
a receiving unit, configured to obtain a message introduced by an ACL policy;
a determining unit, configured to obtain, according to a pre-configured correspondence between ACL policies and virtual extensible LAN network (VN) domains, the VN domain corresponding to the ACL policy;
an encapsulation unit, configured to perform virtual extensible local area network (VxLAN) encapsulation on the obtained message to obtain an encapsulated message, the outer encapsulation header of which carries the address information of the VN domain;
a transmitting unit, configured to forward the encapsulated message to the corresponding output switch according to the VxLAN standard.
6. The input switch according to claim 5, characterized in that the correspondence between ACL policies and VN domains is:
one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.
7. The input switch according to claim 5 or 6, characterized in that
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
8. The input switch according to any one of claims 5 to 7, characterized in that it further comprises:
an ACL matching unit, configured to perform ACL matching on a received message according to the five-tuple of the message and to determine that the message is one that can be introduced by an ACL policy, the five-tuple comprising the source IP address, destination IP address, source port number, destination port number and protocol number of the message.
9. A message forwarding method, characterized in that the method comprises:
an output switch receiving an encapsulated message sent by an input switch, the outer encapsulation header of the encapsulated message carrying the address information of a virtual extensible LAN network (VN) domain;
the output switch looking up a pre-configured correspondence between VN domains and output ports according to the address information of the VN domain in the outer header of the encapsulated message, and obtaining the output port(s) corresponding to the VN domain;
the output switch sending the encapsulated message to the output port, and decapsulating the encapsulated message before it is sent to the output port, so that the output port obtains the message introduced by the ACL policy.
10. The method according to claim 9, characterized in that, in the correspondence between VN domains and output ports:
one VN domain corresponds to at least one output port.
11. The method according to claim 9 or 10, characterized in that
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
12. The method according to claim 10, characterized in that the output switch sending the encapsulated message to the output port, and decapsulating the encapsulated message before it is sent to the output port so that the output port obtains the message introduced by the ACL policy, comprises:
the output switch, when obtaining N output ports, copying the encapsulated message to obtain N copies of the encapsulated message, N being a natural number greater than or equal to 2;
the output switch sending one copy of the encapsulated message to each of the output ports, and decapsulating the encapsulated message before it is sent to the output port, so that each output port obtains the message introduced by the ACL policy.
13. An output switch, characterized in that it comprises:
a receiving unit, configured to receive an encapsulated message sent by an input switch, the outer encapsulation header of which carries the address information of a virtual extensible LAN network (VN) domain;
an output port acquiring unit, configured to look up a pre-configured correspondence between VN domains and output ports according to the address information of the VN domain in the outer header of the encapsulated message, and to obtain the output port(s) corresponding to the VN domain;
a transmitting unit, configured to send the encapsulated message to the output port, and to decapsulate the encapsulated message before it is sent to the output port, so that the output port obtains the message introduced by the ACL policy.
14. The output switch according to claim 13, characterized in that the correspondence between VN domains and output ports is specifically:
one VN domain corresponds to at least one output port.
15. The output switch according to claim 13 or 14, characterized in that
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
16. The output switch according to claim 13, characterized in that the transmitting unit is specifically configured to:
when the output port acquiring unit obtains N output ports, copy the encapsulated message to obtain N copies of the encapsulated message, N being a natural number greater than or equal to 2, send one copy of the encapsulated message to each of the output ports, and decapsulate the encapsulated message before it is sent to the output port, so that each output port obtains the message introduced by the ACL policy.
Application CN201310704097.XA, priority date 2013-12-19, filing date 2013-12-19: "A kind of message forwarding method and device". Status: Active. Granted as CN104734986B (en).

Publications (2)

Publication Number, Publication Date
CN104734986A (en), 2015-06-24
CN104734986B (en), 2018-12-25

Family

ID=53458433

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant