CN109067585B - Method and device for issuing query ACL (access control list) table items

Info

Publication number
CN109067585B
Authority
CN (China)
Prior art keywords
acl, query, shunting, entry, item
Legal status
Active
Application number
CN201810931112.7A
Other languages
Chinese (zh)
Other versions
CN109067585A
Inventor
符志清
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0876 Aspects of the degree of configuration automation
    • H04L 41/0886 Fully automatic configuration
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/54 Organization of routing tables


Abstract

The application provides a method and a device for issuing ACL entries, comprising the following steps: receiving a query condition input by a user; searching a pre-configured shunting ACL list for a shunting ACL entry matching the query condition, where the shunting ACL entry is used to instruct the device to forward a service packet; generating a query ACL entry according to the found shunting ACL entry; and issuing the generated query ACL entry to a forwarding chip of the device, so that the forwarding chip counts, based on the query ACL entry, the number of service packets that match it. With the method provided by the application, the CPU performance consumed when monitoring packets can be reduced.

Description

Method and device for issuing query ACL (access control list) table items
Technical Field
The present application relates to the field of computer communications, and in particular, to a method and an apparatus for issuing an ACL query entry.
Background
The network device refers to a device in a network, such as a switch or a router, that forwards or otherwise processes a received service packet according to specified rules (such as routing table entries or ACL entries).
In order to enable a network maintenance worker to locate a processing result of a service packet in a network device (for example, the service packet is forwarded through a designated interface, or the service packet is discarded), the network device needs to provide a packet forwarding monitoring function.
In the existing packet forwarding monitoring technology, developers need to add observation points to multiple network devices on the forwarding path of a service packet. To add an observation point, a developer has to modify the source code of the packet forwarding flow and write a packet forwarding monitoring program. During monitoring, the CPU of the network device keeps running the monitoring program to inspect every received packet, so the performance consumption of the CPU increases greatly.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for issuing an ACL query entry, so as to reduce the performance consumption of a CPU when monitoring a packet.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of the present application, a method for issuing an ACL query entry is provided, where the method is applied to a network device, and includes:
receiving a query condition input by a user;
searching a pre-configured shunting ACL list for a shunting ACL entry matching the query condition, where the shunting ACL entry is used to instruct the device to forward a service packet;
generating a query ACL entry according to the found shunting ACL entry;
and issuing the generated query ACL entry to a forwarding chip of the device, so that the forwarding chip counts, based on the query ACL entry, the number of service packets that match it.
Optionally, the generating an inquiry ACL entry according to the found shunting ACL entry includes:
when a preset condition is met, generating a query ACL list item according to the searched shunting ACL list item;
the preset conditions include:
determining, according to the shunting ACL entries, that the number of query ACL entries to be generated does not exceed the number of query ACL entries the forwarding chip can currently carry, and that the query condition does not include an output interface; or,
determining, according to the shunting ACL entries, that the number of query ACL entries to be generated does not exceed the number of query ACL entries the forwarding chip can currently carry, and that the output interface included in the query condition is the same as the output interface recorded by the action item of the shunting ACL entry.
Optionally, the generating the query ACL entry according to the found shunting ACL entry includes:
when the number of query conditions is equal to the number of matching items of the shunting ACL entry, or the number of query conditions other than the output interface is equal to the number of matching items of the shunting ACL entry, generating a query ACL entry whose matching items are the query conditions and whose action item is counting the number of service packets.
Optionally, the generating the query ACL entry according to the found shunting ACL entry includes:
when the number of query conditions is less than the number of matching items of the shunting ACL entry, or the number of query conditions other than the output interface is less than the number of matching items of the shunting ACL entry, checking whether a first target matching item corresponds to a set of several values; the first target matching item is a matching item of the shunting ACL entry that is not among the query conditions;
if so, generating several query ACL entries corresponding to the shunting ACL entry, where the second target matching item of each query ACL entry (the matching item not among the query conditions) takes one value from the set, different from the value taken in every other query ACL entry, the remaining matching items of each query ACL entry are the same as the matching items of the shunting ACL entry other than the first target matching item, and the action item of each query ACL entry is counting the number of service packets.
Optionally, the generating the query ACL entry according to the found shunting ACL entry includes:
when a matching item of the found shunting ACL entry is an arbitrary value, generating a query ACL entry whose matching items are the query conditions and whose action item is counting the number of service packets.
Optionally, the method further includes:
when the determined number of the query ACL entries exceeds the number of the query ACL entries which can be currently borne by the forwarding chip, outputting first prompt information to a user; the first prompt message is used for prompting the user to add the query condition.
Optionally, the method further includes:
if the output interface included in the query condition is different from the output interface recorded by the action item of the shunting ACL list item, not generating a query ACL list item corresponding to the shunting ACL list item, and outputting second prompt information to a user; and the second prompt message is used for prompting the user that no shunting ACL list item matched with the query condition exists on the equipment.
Optionally, the shunting ACL entry and the querying ACL entry are stored in different areas of the forwarding chip.
According to a second aspect of the present application, an apparatus for issuing an ACL query entry is provided, where the apparatus is applied to a network device, and includes:
the receiving unit is used for receiving the query condition input by the user;
a searching unit, configured to search a shunting ACL entry matching the query condition in a preconfigured shunting ACL list, where the shunting ACL entry is used to instruct the device to forward a service packet;
a generating unit, configured to generate an inquiry ACL entry according to the found shunting ACL entry;
and an issuing unit, configured to issue the generated query ACL entry to a forwarding chip of the device, so that the forwarding chip counts, based on the query ACL entry, the number of service packets that match it.
Optionally, the generating unit is specifically configured to generate an inquiry ACL entry according to the found shunting ACL entry when a preset condition is met; the preset conditions include: determining that the number of the query ACL entries to be generated does not exceed the number of the query ACL entries which can be currently borne by the forwarding chip and the query condition does not include an output interface according to the shunting ACL entries; or, determining, according to the shunting ACL entries, that the number of query ACL entries to be generated does not exceed the number of query ACL entries currently bearable by the forwarding chip, and that an output interface included in the query condition is the same as an output interface recorded by an action entry of the shunting ACL entry.
Optionally, the generating unit is specifically configured to generate the query ACL entries whose matching items are the query conditions and whose action items are the numbers of the statistical service packets, when the number of the query conditions is equal to the number of the matching items of the shunting ACL entries, or when the number of the other query conditions except for the output interface in the query conditions is equal to the number of the matching items of the shunting ACL entries.
Optionally, the generating unit is further specifically configured to check whether the first target matching item corresponds to a set including multiple values when the number of the query conditions is less than the number of the matching items of the shunting ACL entry, or if the number of other query conditions except the egress interface in the query conditions is less than the number of the matching items of the shunting ACL entry; the first target matching item is a matching item which is different from the query condition in the shunting ACL list item;
if so, to generate several query ACL entries corresponding to the shunting ACL entry, where the second target matching item of each query ACL entry (the matching item not among the query conditions) takes one value from the set, different from the value taken in every other query ACL entry, the remaining matching items of each query ACL entry are the same as the matching items of the shunting ACL entry other than the first target matching item, and the action item of each query ACL entry is counting the number of service packets.
Optionally, the generating unit is further specifically configured to generate the query ACL entry with the matching entry as the query condition and the action entry as the number of the statistical service packet when the found matching entry of the shunting ACL entry is an arbitrary value.
Optionally, the apparatus further comprises:
the first prompting unit is used for outputting first prompting information to a user when the determined number of the query ACL entries exceeds the number of the query ACL entries which can be currently borne by the forwarding chip; the first prompt message is used for prompting the user to add the query condition.
Optionally, the apparatus further comprises:
a second prompting unit, configured to not generate a query ACL entry corresponding to the shunting ACL entry and output second prompting information to the user if an output interface included in the query condition is different from an output interface recorded by the action item of the shunting ACL entry; and the second prompt message is used for prompting the user that no shunting ACL list item matched with the query condition exists on the equipment.
Optionally, the shunting ACL entry and the querying ACL entry are stored in different areas of the forwarding chip.
On one hand, compared with modifying the source code of the service packet forwarding flow of the network device and adding a packet forwarding monitoring program, monitoring the processing result of a service packet with this method only requires matching the query ACL entry on the forwarding chip; the CPU of the network device does not take part in the monitoring, so CPU resources are saved to a large extent.
On the other hand, when query ACL entries are issued, the user only has to enter the query conditions manually; the network device automatically generates the query ACL entries from the query conditions and the preset shunting ACL entries and issues them to the forwarding chip. The user thus issues query ACL entries with a one-key configuration, which greatly reduces the user's workload and improves the user experience.
Drawings
Fig. 1 is a flowchart illustrating a method for issuing a query ACL entry according to an exemplary embodiment of the present application;
FIG. 2 is a diagram illustrating a hardware configuration of a network device in accordance with an exemplary embodiment of the present application;
fig. 3 is a block diagram of an apparatus for issuing a query ACL entry according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The method and the device monitor the processing result of a service packet by issuing shunting ACL entries and query ACL entries to the forwarding chip of the network device (the processing result of a service packet being the output interface from which the service packet is forwarded, or the fact that it is discarded).
Specifically, the method comprises the following steps: after receiving the query condition input by the user, the network device searches the preset shunting ACL list for a shunting ACL entry matching the query condition. The network device then generates a query ACL entry from that shunting ACL entry and issues it to the forwarding chip of the device. When the forwarding chip receives a packet, it matches the packet against the query ACL entry, so the chip can count the number of packets matching the query ACL entry and display to the user that count together with the processing result of the packets (i.e. the output interface of the service packet, or that the service packet is discarded).
In addition, because the high-performance network device usually implements message parsing and forwarding by means of a switch chip or a programmable chip (such as an FPGA), and it is difficult to add a forwarding monitoring program of a service message on the forwarding chip by encoding, compared with a method of modifying a source code of a service message forwarding flow of the network device and adding the service message forwarding monitoring program, the method for monitoring the processing result of the service message by querying an ACL entry can also be applied to the high-performance network device, so that the monitoring method provided by the application has stronger practicability.
Several concepts related to the present application will be described below.
ACL (Access Control List) is a traffic access control technique. An ACL list records a number of ACL entries. Each ACL entry records matching items and an action item: the matching items describe packet characteristics of the service packet (for example the five-tuple of the packet, the ingress interface, and the like), and the action item may be forwarding the packet, discarding the packet, counting packets, and so on. ACL entries usually have matching priorities.
After the network device receives a service packet, it first matches the packet against the ACL entry with the highest matching priority. If the packet matches that entry, the service packet is processed according to the action recorded in that entry's action item and no further ACL entries are matched; if the service packet does not match the entry with the highest matching priority, it is matched against the ACL entry with the next highest matching priority, and so on.
For example, the ACL entries are shown in Table 1. Assume that the ACL entry at position 1 has a higher matching priority than the ACL entry at position 2.
[Table 1: ACL entries (the table is an image on the original page and is not reproduced here)]
TABLE 1
Assume that the source IP address of the service packet 1 received by the network device is 192.168.1.2, the destination IP address is 3.3.3.3, the IP protocol number is TCP, and the destination port number is 80.
After the network device receives the service message 1, the network device may match the service message 1 with the ACL entry at the position 1 with high matching priority. In this example, the service packet 1 matches the ACL entry in location 1, and the network device redirects the service packet 1 to the eth3 interface. Then, the network device will not match the service message 1 with the next ACL entry.
The ACL function can be implemented by software or hardware.
The software ACL stores the ACL list in a system memory, and after the network equipment receives a service message, the service processing process performs ACL list item matching on the message. When the number of ACL entries is larger, the matching speed of the ACL entries is slower due to the limitation of CPU performance and memory capacity.
The hardware ACL is also called chip ACL: the ACL entries are encoded in hardware by the forwarding chip, which performs the ACL entry matching itself, so the matching speed is high.
The ACL resources of the chip are divided into several areas (segments), and each area can store ACL entries of a different type. After a service packet enters the switching chip, the chip matches the packet against the ACL entries of every segment in parallel and then considers the actions of the entries matched in each segment together: non-conflicting actions (for example counting and forwarding) are all carried out, while for conflicting actions (for example forwarding and dropping) the packet is processed according to the action with the highest priority.
For example, the service packet 1 matches an ACL entry 1 in the segment 1 (action is forwarding), an ACL entry 2 in the segment 2 (action is modifying packet VLAN ID), and an ACL entry 3 in the segment 3 (action is statistics + packet loss), where the priority of the ACL entry in the segment 1 is higher than that of the ACL entry in the segment 2, and the priority of the ACL entry in the segment 2 is higher than that of the ACL entry in the segment 3. Because the forwarding action and the packet loss action conflict, and the priority of the table entry 1 is higher than that of the table entry 3, only the forwarding action is executed in the two actions; the statistic action and the message VLAN ID modification action are not in conflict with each other, so that the statistic action and the message VLAN ID modification action are executed at the same time. Therefore, the final action performed on the packet is forwarding + statistics + modifying the packet VLAN ID.
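The two matching rules just described, first-match by priority inside one segment and the cross-segment merge of conflicting and non-conflicting actions, are carried through below in an added Python example. This is not code from the patent; Table 1 is an image on the page, so TABLE1 is a constructed stand-in chosen so that service packet 1 is redirected to eth3, and SEGMENTS reproduces the three-segment example (forward, modify VLAN ID, count + drop). Matching items are exact values or the wildcard ANY (no prefix masks), and which action kinds conflict is an assumption of the example.

```python
# Added example (not code from the patent): first-match lookup inside one
# ACL segment, and the cross-segment action merge described above.
# Table 1 is an image on the page, so TABLE1 below is a constructed stand-in
# chosen to reproduce the worked example (service packet 1 -> redirect to eth3).
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY = "any"  # wildcard matching item: matches every value of that field

# Actions whose kinds conflict with each other (a packet gets exactly one
# disposition); every other action, e.g. count or set_vlan, can be combined.
# Which kinds conflict is an assumption of this example.
DISPOSITION = {"forward", "redirect", "drop"}


@dataclass
class AclEntry:
    match: Dict[str, str]  # matching items; exact values or ANY (no prefix masks here)
    actions: Set[str]      # action items, e.g. "redirect:eth3", "count", "set_vlan:100"
    priority: int          # larger value = matched first


def entry_matches(entry: AclEntry, packet: Dict[str, str]) -> bool:
    return all(v == ANY or packet.get(k) == v for k, v in entry.match.items())


def first_match(segment: List[AclEntry], packet: Dict[str, str]) -> Optional[AclEntry]:
    """Match entries in descending priority; the first hit ends the search."""
    for entry in sorted(segment, key=lambda e: e.priority, reverse=True):
        if entry_matches(entry, packet):
            return entry
    return None


def action_kind(action: str) -> str:
    return action.split(":", 1)[0]


def merge_actions(segments: List[List[AclEntry]],
                  packet: Dict[str, str]) -> Tuple[Optional[str], Set[str]]:
    """Every segment is matched independently (in parallel on the chip).
    Conflicting disposition actions are resolved in favour of the
    highest-priority segment (segments are listed highest priority first);
    all non-conflicting actions are applied together."""
    disposition = None
    others: Set[str] = set()
    for segment in segments:
        hit = first_match(segment, packet)
        if hit is None:
            continue
        for action in sorted(hit.actions):
            if action_kind(action) in DISPOSITION:
                if disposition is None:
                    disposition = action
            else:
                others.add(action)
    return disposition, others


# Constructed stand-in for Table 1: position 1 has the higher priority.
TABLE1 = [
    AclEntry({"src_ip": "192.168.1.2", "dst_ip": "3.3.3.3", "proto": "TCP", "dst_port": "80"},
             {"redirect:eth3"}, priority=2),
    AclEntry({"src_ip": "192.168.1.2", "dst_ip": ANY, "proto": ANY, "dst_port": ANY},
             {"drop"}, priority=1),
]

# Service packet 1 from the text.
PACKET1 = {"src_ip": "192.168.1.2", "dst_ip": "3.3.3.3", "proto": "TCP", "dst_port": "80"}

# Three segments reproducing the later example: forward / modify VLAN ID / count + drop.
SEGMENTS = [
    [AclEntry({"src_ip": "192.168.1.2"}, {"forward"}, priority=1)],
    [AclEntry({"dst_port": "80"}, {"set_vlan:100"}, priority=1)],
    [AclEntry({"proto": "TCP"}, {"count", "drop"}, priority=1)],
]

if __name__ == "__main__":
    hit = first_match(TABLE1, PACKET1)
    print("single segment:", hit.actions if hit else None)  # {'redirect:eth3'}
    print("merged:", merge_actions(SEGMENTS, PACKET1))       # ('forward', {'count', 'set_vlan:100'})
```

Running the block shows the two behaviours side by side: within TABLE1 the lower-priority drop entry is never consulted once position 1 matches, while across SEGMENTS the drop from segment 3 loses to the forward from segment 1 and the count and VLAN actions survive the merge.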
The ACL resource of the forwarding chip is at least divided into two different areas, wherein one area is used for storing shunting ACL items, and the other area is used for storing inquiry ACL items. Certainly, in actual application, the ACL resource of the forwarding chip may also be divided into a plurality of segments, and store ACL entries related to actual services, which is only described by way of example, and the number of segments and the stored ACL entries are not specifically limited.
The shunting ACL entry is mainly used to instruct the forwarding chip to forward the service packet; its action item is usually forwarding from a given output interface, redirecting to a given output interface, discarding the service packet, and so on. The shunting ACL entries are preconfigured in one chip area of the forwarding chip.
The query ACL entry is mainly used to monitor packet forwarding and to count the number of service packets matching it; its action item is counting the number of service packets. The query ACL entries are configured in a chip area different from that of the shunting ACL entries.
Storing the shunting ACL entries and the query ACL entries in different areas has the following advantage:
if the query ACL entries and the shunting ACL entries were stored in the same area, a shunting ACL entry might have a higher priority than the query ACL entry, so that the packet would never be matched against the query ACL entry and could not be counted. With the query ACL entries and the shunting ACL entries stored in different areas of the forwarding chip, the chip matches the service packet against the ACL entries of every area in parallel, so the service packet always reaches the query ACL entry regardless of priorities.
Setting the action item of the query ACL entry to counting the number of service packets has the following advantage:
the action item of the query ACL entry is set to counting the number of service packets, and the counting action does not conflict with any other action (such as forwarding, discarding or modifying), so the forwarding chip can always count the number of service packets matching the query ACL entry correctly.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for issuing a query ACL entry according to an exemplary embodiment of the present application, where the flowchart may be applied to a network device and may include the following steps.
Step 101: the network device may receive a query condition input by a user.
The query conditions input by the user are of the same kind as the matching items of the shunting ACL entries: they are packet characteristics of the service packet, such as a source IP address, a destination IP address, a source port number, a destination port number, a protocol number, an ingress interface, an egress interface, and the like. These query conditions are only exemplary and are not specifically limited.
Step 102: the network device can search a shunting ACL table item matched with the query condition in a preconfigured shunting ACL list, wherein the shunting ACL table item is used for guiding the device to forward the service message.
In implementation, when the query condition input by the user does not include the output interface, the network device may search, in the preconfigured shunting ACL list, the shunting ACL entry including the keyword by using the query condition as the keyword.
When the query condition input by the user includes an outgoing interface, the network device may search, in a preconfigured shunting ACL list, a shunting ACL entry including the keyword by using, as the keyword, the query condition except the other query condition of the outgoing interface in the query condition.
It should be noted that: during searching, the ACL entries are also searched according to the priorities of the ACL entries, for example, if a matching entry of one ACL entry completely contains the query condition, the ACL entry with a low priority is not searched any more.
For example, assume that the shunting ACL list is as shown in Table 2. Note that "any" in a matching item of the entry drop-all in Table 2 denotes an arbitrary value; for example, a source IP of "any" means that the source IP address of every packet matches the source IP of the entry drop-all.
[Table 2: shunting ACL list (the table is an image on the original page and is not reproduced here)]
TABLE 2
Assuming that the query conditions input by the user are: source IP 192.168.1.8, destination IP 8.1.1.1, IP protocol TCP, source port number 20000, destination port number 53 and ingress interface eth1, the network device searches Table 2 for a shunting ACL entry whose matching items contain the query conditions, and the entry found is entry b. Since entry b completely contains the query conditions, the network device does not go on to search for the next ACL entry matching the query conditions, and in particular does not reach the entry drop-all.
In addition, when some of the above query conditions are not specified by the user, it indicates that the value of the query condition is an arbitrary value. For example, if the query condition does not specify the value of the destination IP, it indicates that the destination IP is an arbitrary value.
Step 103: the network device can generate a query ACL entry according to the searched shunting ACL entry.
Step 103 is described below from two aspects of the condition and the specific implementation manner of the network device generating the query ACL entry according to the found shunting ACL entry.
1) Generating conditions for querying ACL entries
When the network device detects that the number of query ACL entries to be generated does not exceed the number of query ACL entries the forwarding chip can currently hold, and the query condition does not include an output interface, the network device may generate the query ACL entries according to the found shunting ACL entries.
Or, when the network device detects that the number of query ACL entries to be generated does not exceed the number of query ACL entries the forwarding chip can currently hold, and the output interface included in the query condition is the same as the output interface recorded by the action item of the shunting ACL entry, the network device may generate the query ACL entries according to the found shunting ACL entries.
In addition, when the network device detects that the number of query ACL entries to be generated exceeds the number of query ACL entries the forwarding chip can currently hold, the network device does not generate the query ACL entries but outputs first prompt information to the user. The first prompt message prompts the user to add query conditions.
When the network device detects that the output interface contained in the query condition differs from the output interface recorded by the action item of the shunting ACL entry, it does not generate a query ACL entry corresponding to that shunting ACL entry and outputs second prompt information to the user; the second prompt message tells the user that no shunting ACL entry matching the query condition exists on the device.
2) Concrete implementation mode for generating query ACL table item
1) When the number of query conditions equals the number of matching items of the shunting ACL entry, or the number of query conditions other than the output interface equals the number of matching items of the shunting ACL entry, generate a query ACL entry whose matching items are the query conditions and whose action item is counting the number of service messages.
For example, assume that the query condition input by the user is that the source IP is 192.168.1.8, the destination IP is 8.1.1.1, the IP protocol is TCP, the source port number is 20000, the destination port number is 53, and the ingress interface is eth1.
Assume that the matched shunting ACL entry is entry b in table 2.
The network device detects that the number of query conditions input by the user (i.e. 6) is the same as the number of matching items of entry b (i.e. 6), so the network device may generate the query ACL entry shown in table 3, where the matching items of the query ACL entry are the query conditions and the action item is counting the number of service messages. The matching items of the generated query ACL entry are: the source IP is 192.168.1.8/255.255.255.255, the destination IP is 8.1.1.1/255.255.255.255, the IP protocol is TCP, the source port number is 20000, the destination port number is 53, the ingress interface is eth1, and the action is statistics.
TABLE 3 (rendered as an image in the original; contents described above)
2) When the number of the query conditions is less than the number of the matching items of the shunting ACL entry, or if the number of the other query conditions except the output interface in the query conditions is less than the number of the matching items of the shunting ACL entry, the network device may check whether the first target matching item corresponds to a set including a plurality of values; the first target matching item is a matching item which is different from the query condition in the shunting ACL list item;
if yes, generating a plurality of inquiry ACL table items corresponding to the shunting ACL table items; wherein a second target matching item in each query ACL entry different from the query condition is a value of a second target matching item in the set and different from other query ACL entries, and the matching items in each query ACL entry except the second target matching item are the same as the matching items in the shunting ACL entry except the first target matching item; and the action item of each inquiry ACL table item is the number of the statistical service messages.
For convenience of description, a matching item in the shunting ACL entry different from the query condition is defined as a first target matching item, and a matching item in the query ACL entry different from the query condition is defined as a second target matching item.
For example, if the query condition is a source IP, a destination IP, an IP protocol, a source port number, and a matching entry of the shunting ACL entry is the source IP, the destination IP, the IP protocol, the source port number, the destination port number, and the ingress interface, the first target matching entry is the destination port number and the ingress interface.
If the matching items of the query ACL entry are the source IP, the destination IP, the IP protocol, the source port number, the destination port number, and the ingress interface, the second target matching item is the destination port number and the ingress interface.
In addition, the first target matching item may be one or more.
Example 1: the first target match is the case of one.
Suppose that the query condition input by the user is that the source IP is 192.168.1.8, the destination IP is 8.1.1.1, the IP protocol is TCP, the source port number is 20000, and the destination port number is 53 (the user does not specify an ingress interface, and since the ingress interface is not specified, the ingress interface is not included in the query condition input by the user, but the unspecified ingress interface indicates that the ingress interface may be an arbitrary value).
Assume that the shunting ACL entries that match the query conditions entered by the user are as shown in table 4.
TABLE 4 (rendered as an image in the original; contents described below)
In this example, the user inputs 5 query conditions (i.e., source IP, destination IP, IP protocol, source port number, destination port number), the number of matching entries of the shunting ACL entries is 6, the number of query conditions input by the user is less than that of the matched shunting ACL entries, and the network device may determine a first target matching entry (i.e., an incoming interface) different from the query conditions in the matching entries of the shunting ACL entries. The network device may then check whether the first target match, the ingress interface, corresponds to a set containing multiple values.
In this example, the ingress interface corresponds to a set containing three values (i.e., a set containing eth0, eth1, and eth2). The network device may generate three query ACL entries corresponding to the shunting ACL entry; the three generated query ACL entries are shown in table 5.
TABLE 5 (rendered as an image in the original; contents described below)
The ingress interface (i.e. the second target matching item described above) of each of the three query ACL entries is one value from the set, and this value differs from the ingress interface of the other generated query ACL entries; that is, the ingress interfaces of the three query ACL entries are eth0, eth1 and eth2, respectively. The other matching items are the same as the matching items other than the ingress interface (i.e. the first target matching item described above) in the shunting ACL entry shown in table 4; that is, the source IP, destination IP, IP protocol, source port number and destination port number in table 5 are the same as in table 4. The action item of each of the three query ACL entries is counting the number of service messages.
Example 2: the first target matching item is a case of plural.
Suppose the user enters the query condition that the source IP is 192.168.1.8, the destination IP is 8.1.1.1, the IP protocol is TCP, and the source port number is 20000 (the user does not specify the ingress interface and the destination port number).
Assume that the shunting ACL entries that match the query conditions entered by the user are as shown in table 6.
TABLE 6 (rendered as an image in the original; contents described below)
In this example, the number of query conditions input by the user is 4 (i.e. source IP, destination IP, IP protocol, source port number), the number of matching items of the shunting ACL entry is 6, and the number of query conditions input by the user is less than the number of matching items of the shunting ACL entry. At this time, the first target matching items determined by the network device are the destination port number and the ingress interface. The network device may check whether the destination port number and the ingress interface each correspond to a set containing multiple values.
In this example, since the destination port number corresponds to a set including two values 53 and 80, and the ingress interface corresponds to a set including three values eth0, eth1, and eth2, the network device may generate 6 query ACL entries corresponding to the shunting ACL entry, where the generated query ACL entries are as shown in table 7.
TABLE 7 (rendered as an image in the original; contents described below)
The source IP, the destination IP, the IP protocol, and the source port number of the query ACL entries in table 7 are the same as those of the shunting ACL entry shown in table 5. The destination port number and the ingress interface each take one value from the corresponding set, and the combination of destination port number and ingress interface of each query ACL entry differs from the combination of every other query ACL entry. The action item of each query ACL entry shown in table 7 is counting the number of service messages.
3) When the found matching item of the shunting ACL list item is an arbitrary value, the network equipment can generate the inquiry ACL list item with the matching item as the inquiry condition and the action item as the statistical service message quantity.
For example, assume that the query condition input by the user is that the source IP is 192.168.1.8, the destination IP is 8.1.1.1, the IP protocol is TCP, the source port number is 20000, the destination port number is 53, and the ingress interface is eth2. It is assumed that the found shunting ACL entry matching the query condition is shown in table 8.
Source IP | Destination IP | IP protocol | Source port number | Destination port number | Ingress interface | Action
Arbitrary | Arbitrary | Arbitrary | Arbitrary | Arbitrary | Arbitrary | Discard
TABLE 8
When the network device determines that all the matching items of the shunting ACL entry shown in table 8 are arbitrary values, the network device may generate a query ACL entry whose matching items are the query conditions and whose action item is counting the number of service messages; the generated query ACL entry is shown in table 9.
TABLE 9 (rendered as an image in the original)
Step 104: the network device can issue the generated inquiry ACL list items to a forwarding chip of the device, so that the forwarding chip can count the number of the service messages matched with the inquiry ACL list items based on the inquiry ACL list items.
In this embodiment, the network device may issue the generated query ACL entry to a forwarding chip of the network device. When the forwarding chip receives the service message, the forwarding chip can match the service message with the shunting ACL table and the query ACL table respectively.
When the network device receives a message query instruction input by a user, the network device may present, to the user, a matching entry of each query ACL entry, a number of service messages matching the query ACL entry, and a message forwarding result (e.g., forwarding, discarding, redirecting to a certain egress interface, etc.).
For example, the contents displayed to the user are shown in table 10.
TABLE 10 (rendered as an image in the original)
As can be seen from the above description, on the one hand, compared with modifying the source code of the service packet forwarding flow of the network device and adding a service packet forwarding monitoring program, the processing result of a service packet can be monitored simply by matching the query ACL entry on the forwarding chip. The monitoring does not require participation of the network device CPU, so CPU resources are greatly saved.
On the other hand, when issuing query ACL entries, the user only has to input the query conditions manually; the network device then automatically generates the query ACL entries from the query conditions and the preconfigured shunting ACL entries and issues them to the forwarding chip. The user can thus issue query ACL entries with a one-key configuration, which greatly reduces the user's workload and improves the user experience.
The following describes in detail the issuing method of the query ACL entry provided in the present application by using a specific example.
Assume that the bypass ACL table is as shown in table 2.
Example 1: assume that the plurality of query conditions input by the user are that the source IP is 192.168.1.8, the destination IP is 8.1.1.1, the IP protocol is TCP, the source port number is 20000, the destination port number is 53, and the ingress interface is eth1.
When the network device receives the query condition, the network device may search table 2 for a shunting ACL entry matching the query condition.
In this example, the source IP of the entry a is not matched, the entry b is completely matched, the destination IP of the entry c is not matched, the destination IP of the entry d is not matched, and the entry drop-all is completely matched. The entry b is higher in priority than the entry drop-all, so that the shunting ACL entry matched with the group of query conditions is the entry b, and the action is to send out the service message from the eth4 interface.
In addition, because the number of query ACL entries to be generated is 1, which does not exceed the number of ACL entries the chip can hold, and the query condition does not include an output interface, the network device can generate the query ACL entry according to the found shunting ACL entry (i.e., entry b).
Specifically, the network device may check whether the number of query conditions is the same as the number of matching items of the found shunting ACL entry. In this example the two numbers are the same, so the network device may generate a query ACL entry whose matching items are the query conditions and whose action item is counting the number of service packets; the generated ACL entry is shown in table 3.
The network device may issue table 3 to the forwarding chip of the device.
When the network device receives an ACL entry query command, which is input by the administrator and is directed to table 3, the network device may present the user with the contents shown in table 4 above.
Example 2:
Assume that the query condition input by the user is: the source IP is 192.168.1.8, the destination IP is unspecified, the IP protocol is UDP, the source port number is 20000, the destination port number is 53, and the ingress interface is unspecified.
When the network device receives the query condition, the shunting ACL entry matching the query condition can be searched in table 2. In this example, the entries a and b are not matched, and the entries c, d and drop-all are matched.
Since the destination IP is not specified, the destination IP is an arbitrary value. The query conditions can be classified into the following three categories according to the value of the destination IP.
1) When the query condition is: the source IP is 192.168.1.8, the destination IP is 1.1.1.1, the IP protocol is UDP, the source port number is 20000, the destination port number is 53, the ingress interface is not specified, the query condition matches the entry c, and the action of the entry c is to discard the service packet.
2) When the query condition is: the source IP is 192.168.1.8, the destination IP is 1.1.1.0/255.255.255.0, the IP protocol is UDP, the source port number is 20000, the destination port number is 53, and when the ingress interface is unspecified, the query condition matches the entry d, and the action of the entry d is to forward the service packet from the eth5 interface.
3) When the query condition is that the source IP is 192.168.1.8, the destination IP is other IP addresses except 1.1.1.1 and 1.1.1.0/255.255.255.0, the IP protocol is UDP, the source port number is 20000, the destination port number is 53, and the ingress interface is not specified, the query condition is matched with the entry drop-all, and the action of the entry drop-all is to discard the service packet.
If the number of the ACL entries to be generated does not exceed the number of the query ACL entries currently bearable by the forwarding chip and the query condition does not include an output interface, the network device can generate the query ACL entries for the entry c, the entry d and the entry drop-all respectively.
1) Query ACL table entry for table entry c
The number of matching items of entry c is greater than the number of query conditions, and the matching item of entry c that differs from the query condition (i.e. the ingress interface) corresponds to a plurality of values. The network device may generate two query ACL entries for entry c (the ingress interface corresponds to 2 values, so two ACL entries are generated according to the multiplication principle). The query ACL entries for entry c are shown in table 11, 2 entries in total.
TABLE 11 (rendered as an image in the original)
2) Query ACL table entry for table entry d
The number of matching items of entry d is greater than the number of query conditions, and the matching items of entry d that differ from the query condition (i.e. the destination IP and the ingress interface) each correspond to a plurality of values. So the network device can generate 510 query ACL entries for entry d (2 values for the ingress interface and 255 values for the destination IP; 510 ACL entries are generated according to the multiplication principle). The query ACL entries for entry d are shown in table 12, 510 entries in total.
TABLE 12 (rendered as an image in the original)
3) Query ACL entry for entry drop-all
Because all the matching items of the matched drop-all entry are arbitrary values, the network device can generate a query ACL entry whose matching items are the query conditions and whose action item is statistics; the single query ACL entry generated for entry drop-all is shown in table 13.
TABLE 13 (rendered as an image in the original)
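The generation logic of Step 103 (cases 1 to 3, the multiplication principle, and the first and second prompts) and the worked example above, written out as an added Python example that is not the patent's own code. The field names, the ANY sentinel, the QueryAclError class and all sample entries are constructed assumptions modelled on the tables described in the text.

```python
# Added example, not the patent's own code: generating query ACL entries from one
# matched shunting ACL entry. Field names, the ANY sentinel and the sample
# entries below are constructed assumptions modelled on the patent's tables.
from itertools import product

FIELDS = ("src_ip", "dst_ip", "proto", "src_port", "dst_port", "in_if")
ANY = "any"  # match item (or unspecified query condition) that takes an arbitrary value


class QueryAclError(ValueError):
    """Raised with the first or second prompt message instead of generating entries."""


def first_target_items(query, match):
    """Match items of the shunting entry that are not fixed by a query condition and
    correspond to a set of several values (the 'first target matching items')."""
    return {f: sorted(match[f]) for f in FIELDS
            if f not in query and isinstance(match[f], (set, frozenset))}


def count_query_entries(query, match):
    """Number of query ACL entries the expansion produces (multiplication principle)."""
    n = 1
    for values in first_target_items(query, match).values():
        n *= len(values)
    return n


def generate_query_entries(query, acl_entry, chip_capacity):
    """Return the query ACL entries for one matched shunting ACL entry.

    query         -- user query conditions; an absent field means 'arbitrary value';
                     an optional "out_if" key is the egress-interface condition.
    acl_entry     -- {"match": {field: value | set of values | ANY}, "action": {...}}
    chip_capacity -- number of query ACL entries the forwarding chip can still hold.
    """
    match = acl_entry["match"]
    # An egress interface in the query must equal the one recorded by the action item.
    if "out_if" in query and query["out_if"] != acl_entry["action"].get("out_if"):
        raise QueryAclError("second prompt: no shunting ACL entry matches the query condition")
    n = count_query_entries(query, match)
    if n > chip_capacity:
        raise QueryAclError("first prompt: add query conditions "
                            "(%d entries exceed chip capacity %d)" % (n, chip_capacity))

    # Cases 1 and 3: a specified query condition becomes the match item; an
    # unspecified one inherits the shunting entry's value (ANY stays ANY).
    # A single-valued match item not in the query is kept as-is (an assumption).
    base = {f: query.get(f, match[f]) for f in FIELDS}
    expand = first_target_items(query, match)
    entries = []
    for combo in product(*expand.values()):  # case 2: one entry per value combination
        entry = dict(base)
        entry.update(zip(expand, combo))
        entry["action"] = "count"  # action item: count matching service messages
        entries.append(entry)
    return entries


# Constructed sample entries (values are assumptions, not the patent's table 2).
ENTRY_B = {"match": {"src_ip": "192.168.1.8", "dst_ip": "8.1.1.1", "proto": "TCP",
                     "src_port": 20000, "dst_port": 53, "in_if": "eth1"},
           "action": {"type": "forward", "out_if": "eth4"}}
ENTRY_TABLE6 = {"match": {"src_ip": "192.168.1.8", "dst_ip": "8.1.1.1", "proto": "TCP",
                          "src_port": 20000, "dst_port": frozenset({53, 80}),
                          "in_if": frozenset({"eth0", "eth1", "eth2"})},
                "action": {"type": "forward", "out_if": "eth4"}}
ENTRY_D = {"match": {"src_ip": "192.168.1.8",
                     "dst_ip": frozenset("1.1.1.%d" % i for i in range(1, 256)),  # 255 hosts
                     "proto": "UDP", "src_port": 20000, "dst_port": 53,
                     "in_if": frozenset({"eth0", "eth1"})},
           "action": {"type": "forward", "out_if": "eth5"}}
DROP_ALL = {"match": {f: ANY for f in FIELDS}, "action": {"type": "discard"}}

if __name__ == "__main__":
    q = {"src_ip": "192.168.1.8", "proto": "UDP", "src_port": 20000, "dst_port": 53}
    print(count_query_entries(q, ENTRY_D["match"]), "query ACL entries for entry d")
```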
When the network device receives the administrator's query instructions for table 11, table 12, and table 13, the network device may present the contents shown in table 14 to the administrator.
TABLE 14 (rendered as an image in the original)
Referring to fig. 2, fig. 2 is a hardware structure diagram of a network device according to an exemplary embodiment of the present application.
The network device may include: forwarding chip 201, processor 202, machine-readable storage medium 203, and bus 204; wherein, the forwarding chip 201, the processor 202 and the machine-readable storage medium 203 complete the communication with each other through the bus 204. The processor 202 may perform the ACL entry delivery method described above by reading and executing machine-executable instructions in the machine-readable storage medium 203 corresponding to the ACL entry delivery control logic.
The machine-readable storage medium 203 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: volatile memory, non-volatile memory, or similar storage media. In particular, the machine-readable storage medium 203 may be a RAM (Random Access Memory), a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., a compact disk, a DVD, etc.), or similar storage medium, or a combination thereof.
Referring to fig. 3, fig. 3 is a block diagram of a query ACL entry issuing device according to an exemplary embodiment of the present application, where the query ACL entry issuing device is applicable to a network device and may include the following units.
A receiving unit 301, configured to receive a query condition input by a user;
a searching unit 302, configured to search, in a preconfigured shunting ACL list, a shunting ACL entry matching the query condition, where the shunting ACL entry is used to instruct the device to forward a service packet;
a generating unit 303, configured to generate an inquiry ACL entry according to the found shunting ACL entry;
and the issuing unit 304 is configured to issue the generated query ACL entry to a forwarding chip of the device, so that the forwarding chip counts the number of service messages matching the query ACL entry based on the query ACL entry.
Optionally, the generating unit 303 is specifically configured to generate an inquiry ACL entry according to the found shunting ACL entry when a preset condition is met; the preset conditions include: determining that the number of the query ACL entries to be generated does not exceed the number of the query ACL entries which can be currently borne by the forwarding chip and the query condition does not include an output interface according to the shunting ACL entries; or, determining, according to the shunting ACL entries, that the number of query ACL entries to be generated does not exceed the number of query ACL entries currently bearable by the forwarding chip, and that an output interface included in the query condition is the same as an output interface recorded by an action entry of the shunting ACL entry.
Optionally, the generating unit 303 is specifically configured to generate the query ACL entries whose matching items are the query conditions and whose action items are the numbers of the statistical service packets, when the number of the query conditions is equal to the number of the matching items of the shunting ACL entries, or when the number of the other query conditions except for the output interface in the query conditions is equal to the number of the matching items of the shunting ACL entries.
Optionally, the generating unit 303 is further specifically configured to check whether the first target matching item corresponds to a set including multiple values when the number of the query conditions is less than the number of the matching items of the shunting ACL entry, or if the number of other query conditions except the egress interface in the query conditions is less than the number of the matching items of the shunting ACL entry; the first target matching item is a matching item which is different from the query condition in the shunting ACL list item;
if yes, generating a plurality of inquiry ACL table items corresponding to the shunting ACL table items; wherein a second target matching item in each query ACL entry different from the query condition is a value of a second target matching item in the set and different from other query ACL entries, and the matching items in each query ACL entry except the second target matching item are the same as the matching items in the shunting ACL entry except the first target matching item; and the action item of each inquiry ACL table item is the number of the statistical service messages.
Optionally, the generating unit 303 is further specifically configured to generate the query ACL entry of which the matching entry is the query condition and the action entry is the number of the statistical service packet when the found matching entry of the shunting ACL entry is an arbitrary value.
Optionally, the apparatus further comprises:
a first prompting unit 305, configured to output first prompting information to a user when the determined number of query ACL entries exceeds the number of query ACL entries that can be currently borne by the forwarding chip; the first prompt message is used for prompting the user to add the query condition.
Optionally, the apparatus further comprises:
a second prompting unit 306, configured to not generate a query ACL entry corresponding to the shunting ACL entry if an output interface included in the query condition is different from an output interface recorded by the action item of the shunting ACL entry, and output second prompting information to the user; and the second prompt message is used for prompting the user that no shunting ACL list item matched with the query condition exists on the equipment.
Optionally, the shunting ACL entry and the querying ACL entry are stored in different areas of the forwarding chip.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (16)

1. A method for issuing query ACL table items is characterized in that the method is applied to network equipment and comprises the following steps:
receiving a query condition input by a user;
searching a shunting ACL table item matched with the query condition in a pre-configured shunting ACL list, wherein the shunting ACL table item is used for guiding the equipment to forward a service message;
generating a query ACL list item according to the searched shunting ACL list item;
and issuing the generated inquiry ACL list items to a forwarding chip of the equipment so that the forwarding chip counts the number of the service messages matched with the inquiry ACL list items based on the inquiry ACL list items.
2. The method of claim 1, wherein the generating a query ACL entry according to the found shunting ACL entry includes:
when a preset condition is met, generating a query ACL list item according to the searched shunting ACL list item;
the preset conditions include:
determining that the number of the query ACL entries to be generated does not exceed the number of the query ACL entries which can be currently borne by the forwarding chip and the query condition does not include an output interface according to the shunting ACL entries; or,
and determining that the number of the query ACL entries to be generated does not exceed the number of the query ACL entries which can be currently borne by the forwarding chip according to the shunting ACL entries, and the output interface included by the query condition is the same as the output interface recorded by the action items of the shunting ACL entries.
3. The method according to claim 2, wherein the generating a query ACL entry according to the found shunting ACL entry includes:
and when the number of the query conditions is equal to the number of the matching items of the shunting ACL list items, or the number of other query conditions except the output interface in the query conditions is equal to the number of the matching items of the shunting ACL list items, generating the query ACL list items of which the matching items are the query conditions and the action items are the number of the statistical service messages.
4. The method according to claim 2, wherein the generating a query ACL entry according to the found shunting ACL entry includes:
when the number of the query conditions is less than the number of the matching items of the shunting ACL table item, or if the number of other query conditions except the output interface in the query conditions is less than the number of the matching items of the shunting ACL table item, checking whether a first target matching item corresponds to a set containing a plurality of values; the first target matching item is a matching item which is different from the query condition in the shunting ACL list item;
if yes, generating a plurality of inquiry ACL table items corresponding to the shunting ACL table items; wherein a second target matching item in each query ACL entry different from the query condition is a value of a second target matching item in the set and different from other query ACL entries, and the matching items in each query ACL entry except the second target matching item are the same as the matching items in the shunting ACL entry except the first target matching item; and the action item of each inquiry ACL table item is the number of the statistical service messages.
5. The method according to claim 2, wherein the generating a query ACL entry according to the found shunting ACL entry includes:
and when the found matching item of the shunting ACL list item is an arbitrary value, generating the inquiry ACL list item with the matching item as the inquiry condition and the action item as the statistical service message quantity.
6. The method of claim 2, further comprising:
when the determined number of the query ACL entries exceeds the number of the query ACL entries which can be currently borne by the forwarding chip, outputting first prompt information to a user; the first prompt message is used for prompting the user to add the query condition.
7. The method of claim 2, further comprising:
if the output interface included in the query condition is different from the output interface recorded by the action item of the shunting ACL list item, not generating a query ACL list item corresponding to the shunting ACL list item, and outputting second prompt information to a user; and the second prompt message is used for prompting the user that no shunting ACL list item matched with the query condition exists on the equipment.
8. The method of claim 1, wherein the bypass ACL entry and the query ACL entry are stored in different chip areas of the forwarding chip.
9. An inquiry ACL entry issuing device, which is applied to a network device, includes:
the receiving unit is used for receiving the query condition input by the user;
a searching unit, configured to search a shunting ACL entry matching the query condition in a preconfigured shunting ACL list, where the shunting ACL entry is used to instruct the device to forward a service packet;
a generating unit, configured to generate an inquiry ACL entry according to the found shunting ACL entry;
and the issuing unit is used for issuing the generated inquiry ACL list items to a forwarding chip of the equipment so that the forwarding chip counts the number of the service messages matched with the inquiry ACL list items based on the inquiry ACL list items.
10. The apparatus according to claim 9, wherein the generating unit is specifically configured to generate a query ACL entry according to the found shunting ACL entry when a preset condition is met; the preset conditions include: determining that the number of the query ACL entries to be generated does not exceed the number of the query ACL entries which can be currently borne by the forwarding chip and the query condition does not include an output interface according to the shunting ACL entries; or, determining, according to the shunting ACL entries, that the number of query ACL entries to be generated does not exceed the number of query ACL entries currently bearable by the forwarding chip, and that an output interface included in the query condition is the same as an output interface recorded by an action entry of the shunting ACL entry.
11. The apparatus according to claim 10, wherein the generating unit is specifically configured to generate a query ACL entry whose matching items are the query conditions and whose action item is counting the number of service packets, when the number of query conditions is equal to the number of matching items of the shunting ACL entry, or when the number of query conditions other than the egress interface is equal to the number of matching items of the shunting ACL entry.
12. The apparatus according to claim 10, wherein the generating unit is further specifically configured to check whether a first target matching item corresponds to a set comprising a plurality of values, when the number of query conditions is less than the number of matching items of the shunting ACL entry, or when the number of query conditions other than the egress interface is less than the number of matching items of the shunting ACL entry; the first target matching item is a matching item of the shunting ACL entry that differs from the query conditions;
if yes, generating a plurality of query ACL entries corresponding to the shunting ACL entry; wherein the second target matching item of each query ACL entry that differs from the query conditions takes one value from the set, different from the value taken in every other query ACL entry, and the matching items of each query ACL entry other than the second target matching item are the same as the matching items of the shunting ACL entry other than the first target matching item; and the action item of each query ACL entry is counting the number of service packets.
13. The apparatus according to claim 10, wherein the generating unit is further specifically configured to generate a query ACL entry whose matching items are the query conditions and whose action item is counting the number of service packets, when the found matching item of the shunting ACL entry is an arbitrary value.
14. The apparatus of claim 10, further comprising:
a first prompting unit, configured to output first prompt information to the user when the determined number of query ACL entries exceeds the number of query ACL entries that the forwarding chip can currently bear; the first prompt information is used for prompting the user to add query conditions.
15. The apparatus of claim 10, further comprising:
a second prompting unit, configured to not generate a query ACL entry corresponding to the shunting ACL entry and to output second prompt information to the user when an output interface included in the query condition is different from the output interface recorded by the action item of the shunting ACL entry; the second prompt information is used for prompting the user that no shunting ACL entry matching the query condition exists on the device.
16. The apparatus of claim 9, wherein the shunting ACL entry and the query ACL entry are stored in different chip areas of the forwarding chip.
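The generation rules of claims 10 to 15 (egress-interface check, capacity check, single entry when the query covers every matching item, one entry per set value otherwise, wildcard items dropped) can be read as one small algorithm. The following is an added illustration written for this page, not code from the patent or its assignee; the entry layout, the `"any"` wildcard token, the `count_packets` action label and the sample entry are assumptions, and the matching shunting entry is taken as already found by the searching unit.

```python
from dataclasses import dataclass
from itertools import product

ANY = "any"  # assumed wildcard token for an "arbitrary value" matching item (claim 13)

@dataclass
class ShuntAclEntry:
    match: dict          # matching items; a set value models a multi-valued item (claim 12)
    out_interface: str   # action item: egress interface the shunting entry forwards to

def generate_query_entries(query: dict, shunt: ShuntAclEntry, capacity: int):
    """Return (query_entries, prompt). prompt is None on success, else the user prompt text."""
    egress = query.get("out_interface")
    conds = {k: v for k, v in query.items() if k != "out_interface"}
    # claim 15: an egress interface in the query must equal the action item of the shunting entry
    if egress is not None and egress != shunt.out_interface:
        return [], "no shunting ACL entry matching the query condition exists on the device"
    # claim 12: matching items not covered by the query are the first target matching items;
    # claim 13: an "arbitrary value" item is not expanded, it is simply left out
    uncovered = [k for k, v in shunt.match.items() if k not in conds and v != ANY]
    choices = []
    for k in uncovered:
        v = shunt.match[k]
        choices.append(sorted(v) if isinstance(v, (set, frozenset)) else [v])
    combos = list(product(*choices)) if uncovered else [()]   # one combo per query entry
    # claim 14: the entries to be generated must fit in the forwarding chip's free capacity
    if len(combos) > capacity:
        return [], "add query conditions"
    entries = []
    for combo in combos:
        m = dict(conds)                 # items the query specifies (claim 11)
        m.update(zip(uncovered, combo)) # second target matching item(s), one value each (claim 12)
        entries.append({"match": m, "action": "count_packets"})
    return entries, None

# Constructed sample shunting entry: one set-valued item and one wildcard item.
SAMPLE_SHUNT = ShuntAclEntry(
    match={"src_ip": "10.1.1.0/24", "dst_port": {80, 443}, "proto": ANY},
    out_interface="ge0/1",
)

def demo():
    """Query only by source prefix: expands to one query entry per dst_port value."""
    return generate_query_entries({"src_ip": "10.1.1.0/24"}, SAMPLE_SHUNT, capacity=8)
```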

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810931112.7A CN109067585B (en) 2018-08-15 2018-08-15 Method and device for issuing query ACL (access control list) table items

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810931112.7A CN109067585B (en) 2018-08-15 2018-08-15 Method and device for issuing query ACL (access control list) table items

Publications (2)

Publication Number Publication Date
CN109067585A CN109067585A (en) 2018-12-21
CN109067585B true CN109067585B (en) 2021-11-23

Family

ID=64686125

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810931112.7A Active CN109067585B (en) 2018-08-15 2018-08-15 Method and device for issuing query ACL (access control list) table items

Country Status (1)

Country Link
CN (1) CN109067585B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111353018B (en) * 2020-02-24 2023-11-10 杭州迪普信息技术有限公司 Data processing method and device based on deep packet inspection and network equipment
CN112650452B (en) * 2020-12-31 2021-11-26 成都卓讯智安科技有限公司 Data query method and equipment
CN113114579B (en) * 2021-03-30 2022-03-25 杭州迪普信息技术有限公司 ACL issuing method and device
CN114356418B (en) * 2022-03-10 2022-08-05 之江实验室 Intelligent table entry controller and control method
CN116582362B (en) * 2023-07-11 2023-09-26 建信金融科技有限责任公司 Network access control method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103200123A (en) * 2013-03-06 2013-07-10 深圳市新格林耐特通信技术有限公司 Safety control method of switchboard port
CN104320305A (en) * 2014-11-12 2015-01-28 迈普通信技术股份有限公司 Forwarding service monitoring method and system for network equipment
CN106131083A (en) * 2016-08-30 2016-11-16 迈普通信技术股份有限公司 A kind of attack message detection and take precautions against method and switch
CN106302306A (en) * 2015-05-11 2017-01-04 中兴通讯股份有限公司 A kind of flow statistical method based on access control list ACL and device
CN106603302A (en) * 2016-12-29 2017-04-26 杭州迪普科技股份有限公司 Method and device of ACL table item management

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7853687B2 (en) * 2007-03-05 2010-12-14 Alcatel Lucent Access control list generation and validation tool
CN101159665B (en) * 2007-08-28 2010-04-14 杭州华三通信技术有限公司 Method and device to implement forwarding of unknown multicast packet to router port
CN101789905A (en) * 2010-02-05 2010-07-28 杭州华三通信技术有限公司 Method and equipment for preventing unknown multicast from attacking CPU (Central Processing Unit)

Also Published As

Publication number Publication date
CN109067585A (en) 2018-12-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant