CN106470143A - Method and apparatus for MPLS VPN traffic filtering - Google Patents


Info

Publication number: CN106470143A
Authority: CN (China)
Prior art keywords: vpn, message, corresponding relation, mpls, traffic filtering
Legal status: Pending
Application number: CN201610744587.6A
Other languages: Chinese (zh)
Inventors: 薛海峰, 黄晓朦
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201610744587.6A
Publication of CN106470143A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Abstract

The application provides a method and apparatus for MPLS VPN traffic filtering, applied on the acquisition server side. The method includes: collecting the notification packets sent by edge routers; learning, from the collected notification packets, the correspondence between multiprotocol label switching (MPLS) labels and routing information; and forwarding that correspondence to a virtual private network (VPN) traffic filter, so that the VPN traffic filter generates corresponding traffic filtering rules from the correspondence and uses those rules to filter out MPLS VPN packets. With the technical scheme provided by the application, MPLS VPN traffic can be filtered out accurately.

Description

Method and apparatus for MPLS VPN traffic filtering
Technical field
The application relates to the field of network communication technology, and in particular to a method and apparatus for MPLS VPN traffic filtering.
Background technology
The Internet is developing rapidly and the variety of service types keeps growing. To ensure the healthy and lawful development of the Internet, governments at all levels have deployed various traffic analysis devices that analyse Internet traffic in order to safeguard its secure development. Current traffic analysis is mostly based on the five-tuple, the packet payload and similar attributes, but the private network IP addresses and packet payloads of different VPNs may overlap, so the analysis of VPN traffic remains a weak point.
Content of the invention
In view of this, the application provides a method and apparatus for MPLS VPN traffic filtering that allow MPLS VPN traffic to be analysed accurately.
Specifically, the application is achieved by the following technical solution:
A method of MPLS VPN traffic filtering, applied to an acquisition server, including:
collecting the notification packets sent by edge routers;
learning, from the collected notification packets, the correspondence between multiprotocol label switching (MPLS) labels and routing information;
forwarding the correspondence to a virtual private network (VPN) traffic filter, so that the VPN traffic filter generates corresponding traffic filtering rules from the correspondence and filters out MPLS VPN packets based on those rules.
A method of MPLS VPN traffic filtering, applied to a VPN traffic filter, including:
receiving the encapsulated message sent by the acquisition server that carries the correspondence between MPLS labels and routing information;
parsing the encapsulated message to obtain the correspondence between MPLS labels and routing information;
generating corresponding traffic filtering rules from the correspondence, and filtering out the MPLS VPN packets among the received packets based on the generated rules.
An apparatus for MPLS VPN traffic filtering, applied to an acquisition server, including:
a collection unit, for collecting the notification packets sent by edge routers;
a learning unit, for learning, from the collected notification packets, the correspondence between multiprotocol label switching (MPLS) labels and routing information;
a forwarding unit, for forwarding the correspondence to a virtual private network (VPN) traffic filter, so that the VPN traffic filter generates corresponding traffic filtering rules from the correspondence and filters out MPLS VPN packets based on those rules.
An apparatus for MPLS VPN traffic filtering, applied to a VPN traffic filter, including:
a receiving unit, for receiving the encapsulated message sent by the acquisition server that carries the correspondence between MPLS labels and routing information;
a parsing unit, for parsing the encapsulated message to obtain the correspondence between MPLS labels and routing information;
a filtering unit, for generating corresponding traffic filtering rules from the correspondence and filtering out the MPLS VPN packets among the received packets based on the generated rules.
As can be seen from the technical scheme above, the acquisition server collects the notification packets sent by edge routers, learns from them the correspondence between multiprotocol label switching (MPLS) labels and routing information, and forwards that correspondence to the virtual private network (VPN) traffic filter, so that the VPN traffic filter generates corresponding traffic filtering rules and filters out MPLS VPN packets based on them.
The VPN traffic filter receives the encapsulated message sent by the acquisition server that carries the correspondence between MPLS labels and routing information, parses it to obtain that correspondence, generates corresponding traffic filtering rules from it, and filters out the MPLS VPN packets among the received packets based on the generated rules.
Because the acquisition server learns the correspondence between MPLS labels and routing information and forwards it to the VPN traffic filter, and the VPN traffic filter generates traffic filtering rules from that correspondence, the VPN traffic filter can accurately filter out MPLS VPN traffic from the Internet traffic it receives based on those rules, which solves the problem in the related art that MPLS VPN traffic cannot be filtered out accurately.
Brief description
Fig. 1 is a networking architecture diagram of MPLS VPN traffic filtering shown in the application;
Fig. 2 is a flowchart of a method of MPLS VPN traffic filtering shown in the application;
Fig. 3 is a flowchart of another method of MPLS VPN traffic filtering shown in the application;
Fig. 4 is a hardware structure diagram of an apparatus for MPLS VPN traffic filtering shown in the application;
Fig. 5 shows an apparatus for MPLS VPN traffic filtering shown in the application;
Fig. 6 is a hardware structure diagram of another apparatus for MPLS VPN traffic filtering shown in the application;
Fig. 7 shows another apparatus for MPLS VPN traffic filtering shown in the application.
Specific embodiment
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "the" and "said" used in the application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the related art, traffic analysis is mostly based on the five-tuple, the packet payload and similar attributes, and existing traffic analysis devices can only match and forward based on the five-tuple or payload content of a packet.
However, because the private network IP addresses and packet payload contents of different VPNs (Virtual Private Networks) may be identical, VPN traffic generally cannot be filtered out accurately when it is analysed based on the five-tuple, payload content and the like. Accordingly, in the related art, MPLS VPN traffic generally cannot be analysed accurately.
To solve this problem in the related art, the application provides a method of MPLS (Multi-Protocol Label Switching) VPN traffic filtering in which the acquisition server collects the notification packets sent by edge routers, learns from them the correspondence between MPLS labels and routing information, and forwards that correspondence to the virtual private network (VPN) traffic filter, so that the VPN traffic filter generates corresponding traffic filtering rules and filters out MPLS VPN packets based on them. The VPN traffic filter receives the encapsulated message sent by the acquisition server that carries the correspondence between MPLS labels and routing information, parses it to obtain that correspondence, generates corresponding traffic filtering rules from it, and filters out the MPLS VPN packets among the received packets based on the generated rules.
Because the acquisition server learns the correspondence between MPLS labels and routing information and forwards it to the VPN traffic filter, and the VPN traffic filter generates traffic filtering rules from that correspondence, the VPN traffic filter can accurately filter out MPLS VPN traffic from the Internet traffic it receives based on those rules, which solves the problem in the related art that MPLS VPN traffic cannot be filtered out accurately.
Refer to Fig. 1, which is a networking architecture diagram of MPLS VPN traffic filtering shown in the application.
In the networking architecture of Fig. 1, the edge router is connected to the acquisition server and to the VPN traffic filter, the acquisition server is connected to the VPN traffic filter, and the VPN traffic filter is connected to the analysis server.
In this embodiment, an edge router can advertise routing information and MPLS labels to other edge routers by sending them notification packets. Such a notification packet may carry the correspondence between an MPLS label and an RD, and may also carry the correspondence between an RD and routing information.
The acquisition server collects the notification packets that edge routers send or receive, learns from them the correspondence between MPLS labels and routing information, encapsulates that correspondence in a preset encapsulation format, and finally forwards it to the VPN traffic filter.
The VPN traffic filter mainly receives the encapsulated message forwarded by the acquisition server that carries the correspondence between MPLS labels and routing information, parses it to obtain that correspondence, and generates corresponding traffic filtering rules from it. Based on these rules it filters the Internet traffic passing through the edge router and filters out MPLS VPN traffic from it, encapsulates the MPLS VPN traffic together with the source MAC address of the VPN traffic filter, and finally delivers the encapsulated packets to the analysis server; it can also execute the action associated with the traffic filtering rule.
The analysis server mainly receives the encapsulated packets delivered by the VPN traffic filter and parses them to obtain the MPLS VPN traffic and the information about the VPN traffic filter concerned.
Refer to Fig. 2, which is a flowchart of a method of MPLS VPN traffic filtering shown in the application, applied on the acquisition server side. It specifically executes the following steps:
Step 201: collect the notification packets sent by edge routers;
Step 202: learn, from the collected notification packets, the correspondence between multiprotocol label switching (MPLS) labels and routing information;
Step 203: forward the correspondence to a virtual private network (VPN) traffic filter, so that the VPN traffic filter generates corresponding traffic filtering rules from the correspondence and filters out MPLS VPN packets based on those rules.
In this embodiment, the acquisition server can collect the information carried in the notification packets that each edge router sends or receives, and parse the collected notification packets to build the correspondence between MPLS labels and routing information (such as IP address and subnet mask).
The type of the notification packet is not particularly limited in this application; it generally depends on the gateway protocol enabled on the edge router. For example, when the edge router runs the BGP protocol or the MBGP protocol, the notification packet may be an MP-BGP/MBGP (Multiprotocol Border Gateway Protocol) message, or it may be a BGP (Border Gateway Protocol) message. The information carried in the notification packet may include the routing information that the edge router advertises to other edge routers, and may also include the MPLS label information that the edge router advertises to other edge routers.
In one illustrated embodiment, the notification packets that the acquisition server collects from an edge router generally include the notification packets sent when the edge router advertises routing information to other edge routers, and the notification packets sent when it advertises MPLS labels to other edge routers.
On the one hand, when an edge router advertises MPLS labels to other edge routers, the notification packets it sends generally contain the correspondence between MPLS labels and RDs. In this case, after collecting the notification packets sent by edge routers, the acquisition server can extract from the large number of notification packets those that carry label-to-RD correspondences, parse them, and thereby extract the correspondence between MPLS labels and RDs.
On the other hand, when an edge router advertises routing information to other edge routers, the notification packets it sends generally contain the correspondence between RDs and routing information. In this case, after collecting the notification packets sent by edge routers, the acquisition server can likewise extract from the large number of notification packets those that carry RD-to-routing-information correspondences, parse them, and thereby extract the correspondence between RDs and routing information. The routing information generally includes IP addresses (including source and destination IP addresses) and subnet masks (MASK).
Finally, the acquisition server can generate the correspondence between MPLS labels and routing information from the label-to-RD correspondence extracted from the notification packets and the correspondence between RDs and IP address and MASK (that is, routing information).
In this example, after the acquisition server has obtained the correspondence between MPLS labels and IP address and MASK in the manner described above, it can store that correspondence in a local database in a preset data format and then send it to the VPN traffic filter.
The storage format of the correspondence between MPLS label and IP and MASK in the local database can be as shown in Table 1:
ID   IP            MASK            RD      MPLS
1    192.168.1.1   255.255.255.0   100:1   30
Table 1
In addition, for security reasons, before the acquisition server sends the correspondence between MPLS labels and RDs to the VPN traffic filter, it can also encapsulate the correspondence between MPLS labels and RDs in a preset encapsulation format and forward the encapsulated message to the VPN traffic filter.
The preset encapsulation format can be an encapsulation format based on the TCP (Transmission Control Protocol) protocol; when the acquisition server delivers the correspondence to the VPN traffic filter, it can be transmitted over TCP. The specific encapsulation is shown in Table 2:
Table 2
The acquisition server encapsulates the correspondence between MPLS label and IP address and MASK into an encapsulated message as shown above. An encapsulated message consists of a header and a data part; the header carries the number of blocks, the total length of the data part, a message ID and a more flag. Each MPLS label together with its IP address and MASK forms one block; the message ID distinguishes different encapsulated messages, and the more flag indicates whether further encapsulated messages follow this one.
Once the acquisition server has encapsulated the learned correspondence between MPLS labels and IP address and MASK into a message, that correspondence can describe MPLS VPN packets as a packet signature, so the acquisition server can deliver the encapsulated message to the VPN traffic filter. After the VPN traffic filter receives the encapsulated message delivered by the acquisition server, it parses it, obtains the correspondence between MPLS labels and IP address and MASK, generates corresponding traffic filtering rules from that correspondence, and finally filters the Internet traffic coming from the edge router based on those rules to filter out MPLS VPN traffic.
When the acquisition server delivers the first packet to the VPN traffic filter, it waits for the VPN traffic filter to return a response packet before delivering the second packet; thereafter, each time the acquisition server receives the VPN traffic filter's response to a packet it delivered, it continues by delivering the next packet to the VPN traffic filter.
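As an added example (not code from the patent or from DPTech), the acquisition-side procedure above in Python: joining the label-to-RD and RD-to-route announcements into Table 1 style rows, packing them into messages with the Table 2 header fields, and parsing them back on the filter side with length checks. The announcement values are constructed, and the header and block field widths are assumptions, since the patent names the fields but not their sizes.

```python
import socket
import struct

# Constructed sample of what the acquisition server collects from the edge
# routers' MP-BGP announcements (hypothetical labels, RDs and prefixes).
LABEL_RD_ANNOUNCEMENTS = [(30, "100:1"), (31, "100:2"), (32, "100:1")]
RD_ROUTE_ANNOUNCEMENTS = [
    ("100:1", "192.168.1.1", "255.255.255.0"),
    ("100:2", "10.0.5.0", "255.255.255.0"),
]

# Assumed field widths for the Table 2 format (the patent names the fields
# but not their sizes): header = block count, data length, message id,
# more flag; block = MPLS label, IP address, subnet mask.
HEADER = struct.Struct("!HHIB")
BLOCK = struct.Struct("!I4s4s")
MAX_LABEL = (1 << 20) - 1  # MPLS labels are 20 bits wide


def learn_label_routes(label_rd, rd_route):
    """Join label->RD and RD->route announcements into Table 1 style rows
    (label, ip, mask). One RD may carry several labels or several routes."""
    routes_by_rd = {}
    for rd, ip, mask in rd_route:
        routes_by_rd.setdefault(rd, []).append((ip, mask))
    entries = []
    for label, rd in label_rd:
        for ip, mask in routes_by_rd.get(rd, []):
            entries.append((label, ip, mask))
    return entries


def encapsulate_all(entries, max_blocks=2, first_id=1):
    """Acquisition server side: split the learned rows into encapsulated
    messages of at most max_blocks blocks. The more flag is 1 on every
    message except the last and message ids are consecutive. In the patent
    the server sends the next message only after the filter acknowledges
    the previous one; that handshake is left to the transport here."""
    chunks = [entries[i:i + max_blocks]
              for i in range(0, len(entries), max_blocks)] or [[]]
    messages = []
    for n, chunk in enumerate(chunks):
        data = b""
        for label, ip, mask in chunk:
            if not 0 <= label <= MAX_LABEL:
                raise ValueError(f"label {label} out of range")
            data += BLOCK.pack(label, socket.inet_aton(ip), socket.inet_aton(mask))
        more = 1 if n < len(chunks) - 1 else 0
        messages.append(HEADER.pack(len(chunk), len(data), first_id + n, more) + data)
    return messages


def parse_encapsulated(message):
    """VPN traffic filter side: validate the header against the payload and
    recover (label, ip, mask) rows. A message that does not fit the format
    raises ValueError; the patent re-injects such packets into the network
    instead of treating them as label/route data."""
    if len(message) < HEADER.size:
        raise ValueError("message shorter than header")
    count, length, msg_id, more = HEADER.unpack_from(message)
    data = message[HEADER.size:]
    if len(data) != length or length != count * BLOCK.size:
        raise ValueError("block count / data length mismatch")
    entries = []
    for offset in range(0, length, BLOCK.size):
        label, ip, mask = BLOCK.unpack_from(data, offset)
        entries.append((label, socket.inet_ntoa(ip), socket.inet_ntoa(mask)))
    return msg_id, bool(more), entries


if __name__ == "__main__":
    rows = learn_label_routes(LABEL_RD_ANNOUNCEMENTS, RD_ROUTE_ANNOUNCEMENTS)
    for msg in encapsulate_all(rows):
        print(parse_encapsulated(msg))
```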
Refer to Fig. 3, which is a flowchart of a method of MPLS VPN traffic filtering shown in the application, applied on the VPN traffic filter side. It specifically executes the following steps:
Step 301: receive the encapsulated message sent by the acquisition server that carries the correspondence between MPLS labels and routing information;
Step 302: parse the encapsulated message to obtain the correspondence between MPLS labels and routing information;
Step 303: generate corresponding traffic filtering rules from the correspondence, and filter out the MPLS VPN packets among the received packets based on the generated rules.
After the VPN traffic filter receives the encapsulated message delivered by the acquisition server, it can identify the message. If the message concerns the correspondence between MPLS labels and IP address and MASK, the filter parses it, obtains that correspondence, and generates corresponding traffic filtering rules from it. In this embodiment the traffic filtering rule can be a rule in triple form: MPLS label + source IP address/mask + destination IP address/mask. In this case the routing information can be converted into a bidirectional rule, producing two matching rules: assuming the source IP address/mask is the address information of router A and the destination IP address/mask is the address information of router B, rules can be formed for the bidirectional traffic router A → router B and router B → router A. If the encapsulated message received by the VPN traffic filter does not concern the correspondence between MPLS labels and IP address and MASK, the packet is re-injected into the network.
In one illustrated embodiment, a corresponding execution action is also preset for each traffic filtering rule. After the VPN traffic filter receives the packet forwarded by the acquisition server carrying the correspondence between MPLS labels and routing information, it can parse the received packet, extract from the parsed data the correspondence between MPLS labels and routing information, and generate corresponding traffic filtering rules from it. After generating the rules, the VPN traffic filter can match the data packets received from the edge router against the traffic filtering rules. When a received packet matches a traffic filtering rule, the packet is determined to be an MPLS VPN packet and is then processed according to the execution action in that rule. When the action of the rule is drop, the VPN traffic filter does not inject the encapsulated packet back into the network; when the action is not drop, the VPN traffic filter re-injects the encapsulated packet into the network.
In one illustrated embodiment, after the VPN traffic filter has filtered out MPLS VPN packets, it can deliver them to the analysis server so that the analysis server performs traffic analysis on the received MPLS VPN packets; the source MAC address of the MPLS VPN packets carries the identifier of the VPN traffic filter.
After the VPN traffic filter has obtained the traffic filtering rules, it filters the Internet traffic passing through the edge router based on those rules and thereby filters out MPLS VPN traffic. After obtaining the MPLS VPN traffic, the VPN traffic filter encapsulates it in a preset manner; the encapsulation format is shown in Table 3:
MPLS VPN traffic   Reserved (32)   Machine room number (8)   Identification number (8)
Table 3
The machine room number and identification number together uniquely identify a VPN traffic filter, so that the analysis server can analyse the MPLS VPN traffic sent by that VPN traffic filter more accurately.
After the VPN traffic filter has encapsulated the MPLS VPN traffic, it delivers the packets carrying the filtered MPLS VPN traffic to the analysis server, so that the analysis server can analyse the MPLS VPN traffic further.
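An added example (not the patent's or DPTech's code) of the filter-side steps above: building the bidirectional triple rules, matching constructed traffic against them, applying the preset drop/forward action, and appending the Table 3 identification fields for the analysis server. It assumes each learned row gives the label plus the address/mask of both endpoints (router A and router B) as the text describes, that the action is a per-rule string, and that the Table 3 fields are a trailer appended to the packet.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constructed input: what the filter recovers from the acquisition server's
# encapsulated message. Following the text, each learned route is read as the
# label plus the address/mask of both endpoints (router A and router B).
LEARNED = [
    # (label, ip_a, mask_a, ip_b, mask_b), hypothetical values
    (30, "192.168.1.0", "255.255.255.0", "10.0.5.0", "255.255.255.0"),
]
# Constructed Internet traffic seen by the filter: (label, src_ip, dst_ip).
PACKETS = [
    (30, "192.168.1.7", "10.0.5.9"),   # A -> B, matches
    (30, "10.0.5.9", "192.168.1.7"),   # B -> A, matches
    (31, "192.168.1.7", "10.0.5.9"),   # label not learned, no match
    (30, "172.16.0.1", "10.0.5.9"),    # source outside A, no match
]
# Table 3 fields: reserved (32 bits), machine room number (8), identification number (8).
TAG = struct.Struct("!IBB")


@dataclass(frozen=True)
class Rule:
    """Triple-form rule: MPLS label + source IP/mask + destination IP/mask,
    plus the preset execution action ('drop' or 'forward')."""
    label: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str


def build_rules(learned, action="forward"):
    """Turn each learned (label, A, B) row into the bidirectional pair of
    rules A -> B and B -> A."""
    rules = []
    for label, ip_a, mask_a, ip_b, mask_b in learned:
        net_a = ipaddress.IPv4Network(f"{ip_a}/{mask_a}", strict=False)
        net_b = ipaddress.IPv4Network(f"{ip_b}/{mask_b}", strict=False)
        rules.append(Rule(label, net_a, net_b, action))
        rules.append(Rule(label, net_b, net_a, action))
    return rules


def match_rule(rules, packet):
    """Return the first rule the packet matches, or None."""
    label, src, dst = packet
    src_addr, dst_addr = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule.label == label and src_addr in rule.src and dst_addr in rule.dst:
            return rule
    return None


def tag_for_analysis(packet, machine_room, ident):
    """Pair the packet with the Table 3 fields identifying this filter."""
    return packet, TAG.pack(0, machine_room, ident)


def filter_traffic(rules, packets, machine_room, ident):
    """Returns (to_analysis, reinjected). A matched packet is an MPLS VPN
    packet: it is tagged and sent to the analysis server, and re-injected
    into the network only if the rule's action is not 'drop'. Unmatched
    packets are re-injected unchanged."""
    to_analysis, reinjected = [], []
    for packet in packets:
        rule = match_rule(rules, packet)
        if rule is None:
            reinjected.append(packet)
            continue
        to_analysis.append(tag_for_analysis(packet, machine_room, ident))
        if rule.action != "drop":
            reinjected.append(packet)
    return to_analysis, reinjected


if __name__ == "__main__":
    analysed, back_to_network = filter_traffic(build_rules(LEARNED), PACKETS, 3, 7)
    print(analysed)
    print(back_to_network)
```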
As can be seen from the technical scheme above, the acquisition server collects the notification packets sent by edge routers, learns from them the correspondence between multiprotocol label switching (MPLS) labels and routing information, and forwards that correspondence to the virtual private network (VPN) traffic filter, so that the VPN traffic filter generates corresponding traffic filtering rules and filters out MPLS VPN packets based on them.
The VPN traffic filter receives the encapsulated message sent by the acquisition server that carries the correspondence between MPLS labels and routing information, parses it to obtain that correspondence, generates corresponding traffic filtering rules from it, and filters out the MPLS VPN packets among the received packets based on the generated rules.
Because the acquisition server learns the correspondence between MPLS labels and routing information and forwards it to the VPN traffic filter, and the VPN traffic filter generates traffic filtering rules from that correspondence, the VPN traffic filter can accurately filter out MPLS VPN traffic from the Internet traffic it receives based on those rules, which solves the problem in the related art that MPLS VPN traffic cannot be filtered out accurately.
Corresponding to the foregoing embodiments of the method of MPLS VPN traffic filtering, the application also provides embodiments of an apparatus for MPLS VPN traffic filtering.
An embodiment of the apparatus for MPLS VPN traffic filtering of the application can be applied on an acquisition server. The apparatus embodiment can be implemented by software, or by hardware, or by a combination of hardware and software. Taking software implementation as an example, the apparatus in a logical sense is formed by the processor of the acquisition server on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 4 is a hardware structure diagram of the acquisition server on which the apparatus for MPLS VPN traffic filtering of the application resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 4, the acquisition server on which the apparatus of the embodiment resides may also include other hardware according to the actual function of the apparatus, which is not repeated here.
Refer to Fig. 5, which shows an apparatus for MPLS VPN traffic filtering of the application. The apparatus includes a collection unit 510, a learning unit 520 and a forwarding unit 530.
The collection unit 510 collects the notification packets sent by edge routers;
the learning unit 520 learns, from the collected notification packets, the correspondence between multiprotocol label switching (MPLS) labels and routing information;
the forwarding unit 530 forwards the correspondence to a virtual private network (VPN) traffic filter, so that the VPN traffic filter generates corresponding traffic filtering rules from the correspondence and filters out MPLS VPN packets based on those rules.
The learning unit 520 is specifically configured to extract the correspondence between MPLS labels and RDs from the notification packets carrying MPLS labels and route distinguishers (RDs); to extract the correspondence between RDs and routing information from the notification packets carrying RDs and routing information; and to generate the correspondence between MPLS labels and routing information from the label-to-RD correspondence and the RD-to-routing-information correspondence.
The forwarding unit 530 is specifically configured to encapsulate the correspondence in a preset encapsulation format and to forward the encapsulated message to the VPN traffic filter.
An embodiment of the apparatus for MPLS VPN traffic filtering of the application can be applied on a VPN traffic filter. The apparatus embodiment can be implemented by software, or by hardware, or by a combination of hardware and software. Taking software implementation as an example, the apparatus in a logical sense is formed by the processor of the VPN traffic filter on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 6 is a hardware structure diagram of the VPN traffic filter on which the apparatus for MPLS VPN traffic filtering of the application resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 6, the VPN traffic filter on which the apparatus of the embodiment resides may also include other hardware according to the actual function of the apparatus, which is not repeated here.
Refer to Fig. 7, which shows another apparatus for MPLS VPN traffic filtering of the application, applied to the VPN traffic filter. The apparatus includes a receiving unit 710, a parsing unit 720, a filtering unit 730 and a delivery unit 740.
The receiving unit 710 receives the encapsulated message sent by the acquisition server that carries the correspondence between MPLS labels and routing information;
the parsing unit 720 parses the encapsulated message to obtain the correspondence between MPLS labels and routing information;
the filtering unit 730 generates corresponding traffic filtering rules from the correspondence and filters out the MPLS VPN packets among the received packets based on those rules.
The delivery unit 740 delivers the filtered-out MPLS VPN packets to the analysis server, so that the analysis server performs traffic analysis on the received MPLS VPN packets; the source MAC address of the MPLS VPN packets carries the identifier of the VPN traffic filter.
The filtering unit 730 is specifically configured to match the received packets against the traffic filtering rules; when a received packet matches a traffic filtering rule, the packet is determined to be an MPLS VPN packet and is then processed according to the execution action in that rule.
For the implementation process and effects of the functions of the units in the above apparatus, refer to the implementation process of the corresponding steps in the above method, which is not repeated here.
Since the apparatus embodiments substantially correspond to the method embodiments, the description of the method embodiments may be consulted for the relevant parts. The apparatus embodiments described above are only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is only the preferred embodiment of the application, not in order to limit the application, all essences in the application Within god and principle, any modification, equivalent substitution and improvement done etc., should be included within the scope of the application protection.

Claims (12)

1. A method for MPLS VPN traffic filtering, applied to an acquisition server, characterized in that it comprises:
collecting notification packets sent by an edge router;
learning, based on the collected notification packets, the correspondence between a multiprotocol label switching (MPLS) label and routing information;
forwarding the correspondence to a virtual private network (VPN) flow filter, so that the VPN flow filter generates a corresponding traffic filtering rule based on the correspondence and filters out MPLS VPN packets based on that traffic filtering rule.
2. The method according to claim 1, characterized in that learning, based on the collected notification packets, the correspondence between the multiprotocol label switching (MPLS) label and the routing information comprises:
extracting the correspondence between the MPLS label and the route distinguisher (RD) from the notification packet carrying the MPLS label and the RD;
extracting the correspondence between the RD and the routing information from the notification packet carrying the RD and the routing information;
generating the correspondence between the MPLS label and the routing information from the correspondence between the MPLS label and the RD and the correspondence between the RD and the routing information.
3. The method according to claim 1, characterized in that forwarding the correspondence to the virtual private network (VPN) flow filter comprises:
encapsulating the correspondence into a packet in a preset encapsulation format;
forwarding the encapsulated packet to the VPN flow filter.
4. A method for MPLS VPN traffic analysis, applied to a VPN flow filter, characterized in that it comprises:
receiving an encapsulated packet, sent by an acquisition server, that carries the correspondence between an MPLS label and routing information;
parsing the encapsulated packet to obtain the correspondence between the MPLS label and the routing information;
generating a corresponding traffic filtering rule based on the correspondence, and filtering out, based on the generated traffic filtering rule, the MPLS VPN packets among the received packets.
5. The method according to claim 4, characterized in that the traffic filtering rule further has a preset corresponding execution action;
and filtering out, based on the generated traffic filtering rule, the MPLS VPN packets among the received packets comprises:
matching the received packets against the traffic filtering rule;
when any received packet matches the traffic filtering rule, determining that the packet is an MPLS VPN packet, and then processing the packet according to the execution action in that traffic filtering rule.
6. The method according to claim 4, characterized in that the method further comprises:
publishing the filtered-out MPLS VPN packets to an analysis server, so that the analysis server performs traffic analysis based on the MPLS VPN packets it receives; wherein the source MAC address of the MPLS VPN packet carries the identifier of the VPN flow filter.
7. A device for MPLS VPN traffic analysis, applied to an acquisition server, characterized in that it comprises:
a collecting unit, configured to collect notification packets sent by an edge router;
a learning unit, configured to learn, based on the collected notification packets, the correspondence between a multiprotocol label switching (MPLS) label and routing information;
a forwarding unit, configured to forward the correspondence to a virtual private network (VPN) flow filter, so that the VPN flow filter generates a corresponding traffic filtering rule based on the correspondence and filters out MPLS VPN packets based on that traffic filtering rule.
8. The device according to claim 7, characterized in that:
the learning unit is specifically configured to:
extract the correspondence between the MPLS label and the route distinguisher (RD) from the notification packet carrying the MPLS label and the RD;
extract the correspondence between the RD and the routing information from the notification packet carrying the RD and the routing information;
generate the correspondence between the MPLS label and the routing information from the correspondence between the MPLS label and the RD and the correspondence between the RD and the routing information.
9. The device according to claim 7, characterized in that:
the forwarding unit is specifically configured to:
encapsulate the correspondence into a packet in a preset encapsulation format;
forward the encapsulated packet to the VPN flow filter.
10. A device for MPLS VPN traffic analysis, applied to a VPN flow filter, characterized in that it comprises:
a receiving unit, configured to receive an encapsulated packet, sent by the acquisition server, that carries the correspondence between an MPLS label and routing information;
a parsing unit, configured to parse the encapsulated packet to obtain the correspondence between the MPLS label and the routing information;
a filtering unit, configured to generate a corresponding traffic filtering rule based on the correspondence and to filter out, based on the generated traffic filtering rule, the MPLS VPN packets among the received packets.
11. The device according to claim 10, characterized in that:
the filtering unit is specifically configured to:
match the received packets against the traffic filtering rule;
when any received packet matches the traffic filtering rule, determine that the packet is an MPLS VPN packet, and then process the packet according to the execution action in that traffic filtering rule.
12. The device according to claim 10, characterized in that the device further comprises:
a publishing unit, configured to publish the filtered-out MPLS VPN packets to an analysis server, so that the analysis server performs traffic analysis based on the MPLS VPN packets it receives; wherein the source MAC address of the MPLS VPN packet carries the identifier of the VPN flow filter.
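The pipeline of claims 1 to 6 (the acquisition server learning the label-to-route correspondence from two kinds of notification, forwarding it in an encapsulated packet, and the VPN flow filter deriving rules and matching received packets against them), as an added Python model that is not the patent's own code; the notification format, the encapsulation format, the packet layout and the filter identifier are constructed assumptions.

```python
# Added example, not the patent's code. Notification and packet formats are
# constructed assumptions; the patent fixes no wire format for them.
# Constructed notifications from the edge router: "label_rd" pairs an MPLS label
# with its route distinguisher (RD), "rd_route" pairs an RD with a VPN route.
NOTIFICATIONS = [
    {"kind": "label_rd", "label": 1001, "rd": "65000:1"},
    {"kind": "rd_route", "rd": "65000:1", "route": "10.1.0.0/16"},
    {"kind": "label_rd", "label": 1002, "rd": "65000:2"},
    {"kind": "rd_route", "rd": "65000:2", "route": "10.2.0.0/16"},
    {"kind": "label_rd", "label": 1003, "rd": "65000:3"},  # RD with no route yet
]
# Constructed packets at the VPN flow filter: label stack [transport, VPN label]
# for MPLS packets, no stack for plain IP.
PACKETS = [
    {"labels": [24, 1001], "payload": "a"},
    {"labels": [24, 1003], "payload": "b"},  # label known, route unknown: no rule
    {"labels": [24, 1002], "payload": "c"},
    {"payload": "d"},                        # plain IP, never an MPLS VPN packet
]
FILTER_MAC = "02:00:00:00:00:07"  # assumed identifier of this VPN flow filter

def learn_label_routes(notifications):
    """Acquisition server (claim 2): join label->RD with RD->route into label->route."""
    label_to_rd = {n["label"]: n["rd"] for n in notifications if n["kind"] == "label_rd"}
    rd_to_route = {n["rd"]: n["route"] for n in notifications if n["kind"] == "rd_route"}
    # A label whose RD has no learned route yields no usable correspondence.
    return {lbl: rd_to_route[rd] for lbl, rd in label_to_rd.items() if rd in rd_to_route}

def encapsulate(mapping):
    """Assumed preset encapsulation format (claim 3): a header line, then label=route lines."""
    return "MPLSMAP\n" + "\n".join(f"{lbl}={route}" for lbl, route in sorted(mapping.items()))

def parse_encapsulated(msg):
    """VPN flow filter (claim 4): recover the label->route correspondence."""
    header, *entries = msg.split("\n")
    if header != "MPLSMAP":
        raise ValueError("unexpected encapsulation header")
    return {int(lbl): route for lbl, route in (e.split("=", 1) for e in entries if e)}

def build_rules(mapping, action="publish"):
    """One filtering rule per learned VPN label, with a preset execution action (claim 5)."""
    return {lbl: {"route": route, "action": action} for lbl, route in mapping.items()}

def filter_packets(packets, rules, filter_id):
    """Match the innermost (VPN) label against the rules; a match marks the packet as
    MPLS VPN and stamps the filter's identifier into its source MAC (claim 6)."""
    matched = []
    for pkt in packets:
        labels = pkt.get("labels")
        rule = rules.get(labels[-1]) if labels else None
        if rule is not None:
            matched.append({**pkt, "src_mac": filter_id, "action": rule["action"]})
    return matched
```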
CN201610744587.6A 2016-08-26 2016-08-26 A kind of method and apparatus of MPLS VPN traffic filtering Pending CN106470143A (en)
Publications (1)

Publication Number Publication Date
CN106470143A true CN106470143A (en) 2017-03-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20170301