TWI773394B - Communication method for one-way transmission based on vlan id and switch device using the same - Google Patents


Publication number
TWI773394B
Authority
TW
Taiwan
Prior art keywords
port
data packet
address
programmable logic
packet
Application number
TW110122755A
Other languages
Chinese (zh)
Other versions
TW202231031A (en)
Inventor
詹元成
許博智
Original Assignee
台灣黑熊網路安全股份有限公司
Application filed by 台灣黑熊網路安全股份有限公司
Application granted
Publication of TWI773394B
Publication of TW202231031A

Landscapes

  • Near-Field Transmission Systems (AREA)
  • Transceivers (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A communication method and a switch device for one-way transmission based on VLAN ID are provided. The communication method includes: receiving, by a first port of a switch, a first data packet from a first external device; packing the first data packet with a first VLAN ID corresponding to a first path to generate a second data packet; receiving, by a first PLD, the second data packet from a third port of the switch; filtering, by the first PLD, the second data packet according to a first filtering rule; in response to the second data packet matching the first filtering rule, overwriting the first VLAN ID with a second VLAN ID corresponding to a second path to generate a third data packet; and transmitting, by the first PLD, the third data packet to a second port of the switch via the second path.

Description

Communication method for unidirectional transmission based on VLAN ID and switch device using the same

The present disclosure is directed to a communication method and a switch device for unidirectional transmission based on a virtual local area network identifier (VLAN ID).

To protect a secure field (or OT field: operation technology site) from computer viruses or hacker attacks originating from the Internet, one-way transmission technology is commonly used for data transmission between the secure field and a non-secure field (or IT field: information technology site). A unidirectional link restricts the direction of signals, so that signals can only be transmitted from the secure field to the non-secure field and never from the non-secure field to the secure field.

FIG. 1 shows a schematic diagram of a unidirectional link device 90. The unidirectional link device 90 includes a switch 91 and a unidirectional link circuit 92, where the switch 91 is coupled to the unidirectional link circuit 92. The unidirectional link circuit 92 may be, for example, a programmable logic device. A device in the secure field 81 that undergoes routine diagnostics or a firmware update procedure (for example, device A or device B) may become infected with a virus. Therefore, how to prevent the devices in the secure field 81 from infecting one another is an important problem in the art. To prevent the devices in the secure field 81 from infecting one another, the unidirectional link device 90 may be disposed between the secure field 81 and the non-secure field 82. The switch 91 of the unidirectional link device 90 includes port A, port B and port C, where port A is coupled to device A in the secure field 81, port B is coupled to device B in the secure field 81, and port C is coupled to the input of the unidirectional link circuit 92. The output of the unidirectional link circuit 92 is coupled to device C. Data from port C can be transmitted to device C via the unidirectional link circuit 92, but data from device C cannot be transmitted to port C via the unidirectional link circuit 92. Thus, data from device A can be transmitted to device C via the unidirectional link device 90, but data from device C cannot be transmitted to device A via the unidirectional link device 90. Likewise, data from device B can be transmitted to device C via the unidirectional link device 90, but data from device C cannot be transmitted to device B via the unidirectional link device 90. The unidirectional link device 90 may be configured to isolate device A from device B. Since device A cannot communicate with device B, if device A is infected it will not infect device B, so a virus or malicious program cannot spread within the secure field 81. However, in some cases device A may need to exchange data with device B, and the unidirectional link device 90 cannot accommodate this. Since data cannot be transmitted from device C to device A (or device B), device A and device B cannot exchange data via device C.

Another way to prevent the devices in the secure field 81 from infecting one another is to deploy a high-end computer (that is, a firewall) with a large number of Ethernet ports connected respectively to device A, device B and device C. Device A can transmit a data packet to device B via the high-end computer. The high-end computer checks whether the data packet is safe; if it is, the high-end computer forwards the data packet to device B. This approach delays communication between device A and device B, because the high-end computer must run TCP/IP protocol software for the data packets. In addition, the high-end computer itself also needs to be protected.

Accordingly, the present disclosure is directed to a method and a switch device for unidirectional transmission based on VLAN ID. The present disclosure can prevent a device in a secure field from being attacked by a device in the same secure field or by a device in a non-secure field.

The present disclosure is directed to a switch device for unidirectional transmission based on a virtual local area network identifier. The switch device includes a managed switch and a first programmable logic device. The switch includes a first port, a second port, a third port and a controller. The third port is configured to be coupled to the first port via a first path and to the second port via a second path. The controller is coupled to the first port, the second port and the third port. The first programmable logic device is coupled to the third port. The first port receives a first data packet from a first external device; the controller encapsulates the first data packet with a first virtual local area network identifier corresponding to the first path to generate a second data packet; the first programmable logic device receives the second data packet from the third port and filters the second data packet according to a first filtering rule; in response to the second data packet matching the first filtering rule, the first programmable logic device overwrites the first virtual local area network identifier with a second virtual local area network identifier corresponding to the second path to generate a third data packet; and the first programmable logic device transmits the third data packet to the second port via the second path, so that the third data packet is output through the second port.

In an exemplary embodiment of the present invention, the second data packet includes a destination address, and the first programmable logic device stores a mapping table. In response to a mapping relationship between the destination address and the second virtual local area network identifier being recorded in the mapping table, the first programmable logic device overwrites the first virtual local area network identifier with the second virtual local area network identifier.

In an exemplary embodiment of the present disclosure, the first programmable logic device discards the second data packet in response to the mapping relationship between the destination address and the second virtual local area network identifier not being recorded in the mapping table.

In an exemplary embodiment of the present disclosure, the second data packet further includes a frame check sequence, and in response to overwriting the first virtual local area network identifier with the second virtual local area network identifier, the first programmable logic device updates the frame check sequence to generate the third data packet.

In an exemplary embodiment of the present disclosure, the first port receives an address query packet from the first external device and transmits the address query packet to the third port, where the address query packet includes an Internet Protocol (IP) address; the first programmable logic device receives the address query packet from the third port and generates a response packet corresponding to the address query packet; and the first programmable logic device transmits the response packet to the first port via the third port.

In an exemplary embodiment of the present disclosure, the first programmable logic device stores a mapping table and generates the response packet as follows: in response to a mapping relationship between the IP address and a MAC address being recorded in the mapping table, the source address of the response packet is set to the media access control (MAC) address associated with the IP address.

In an exemplary embodiment of the present disclosure, the first programmable logic device generates the response packet as follows: broadcasting the IP address to a second external device via the second port; receiving, via the second port and in response to the broadcast of the IP address, a media access control (MAC) address from the second external device; and setting the source address of the response packet to the MAC address.

In an exemplary embodiment of the present disclosure, the first programmable logic device stores a mapping table and, in response to receiving the MAC address from the second external device, adds the mapping relationship between the IP address and the MAC address to the mapping table.

In an exemplary embodiment of the present disclosure, the first programmable logic device further generates the response packet by setting the target hardware address of the response packet to the MAC address.
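The address-query behaviour described in the last few embodiments, as an added software model (not code from the patent or its assignee): the first PLD answers an address query from the first external device out of its IP-to-MAC mapping table, and on a miss broadcasts the IP through the second port, learns the MAC the second external device returns, records it and answers. The resolver callback, the addresses and the table contents are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AddressQuery:
    """Address query packet: carries the IP address the first external device wants resolved."""
    ip: str


@dataclass(frozen=True)
class AddressResponse:
    """Response packet that the PLD returns to the first port via the third port."""
    ip: str
    source_address: bytes      # MAC associated with the IP, from the table or just learned
    target_hw_address: bytes   # also set to that MAC, as the embodiment above describes


class FirstPld:
    """Model of the first programmable logic device's address-resolution proxy."""

    def __init__(self, broadcast_via_second_port: Callable[[str], Optional[bytes]]) -> None:
        self.mapping: Dict[str, bytes] = {}      # IP -> MAC mapping table held by the PLD
        self._broadcast = broadcast_via_second_port
        self.events: List[str] = []              # what the PLD did, for inspection

    def handle_query(self, query: AddressQuery) -> Optional[AddressResponse]:
        mac = self.mapping.get(query.ip)
        if mac is not None:
            self.events.append(f"hit {query.ip}")
        else:
            # Miss: broadcast the IP through the second port and wait for a MAC.
            self.events.append(f"broadcast {query.ip} via second port")
            mac = self._broadcast(query.ip)
            if mac is None:
                self.events.append(f"unresolved {query.ip}")
                return None                      # nobody answered: no response packet
            self.mapping[query.ip] = mac         # record the learned mapping for later queries
        return AddressResponse(query.ip, mac, mac)


# Constructed stand-in for the second external device answering the broadcast
# (assumed sample IP and MAC; the real device would answer on the wire).
SECOND_EXTERNAL_DEVICE: Dict[str, bytes] = {"10.0.0.44": b"\x02\x00\x00\x00\x00\x44"}


def second_external_device(ip: str) -> Optional[bytes]:
    return SECOND_EXTERNAL_DEVICE.get(ip)
```

The first external device therefore only ever sees the PLD's responses and never exchanges address-resolution traffic directly with the device behind the second port.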

In an exemplary embodiment of the present disclosure, the first filtering rule corresponds to at least one of a port number and a transmission protocol, where the transmission protocol is one of the Modbus protocol, the IEC 60870-5-101 protocol, the distributed network protocol and a programmable logic controller protocol.

The present disclosure is directed to a communication method for unidirectional transmission based on a virtual local area network identifier. The communication method includes: coupling a first port of a switch to a third port of the switch via a first path, coupling a second port of the switch to the third port via a second path, and coupling a first programmable logic device to the third port; receiving, by the first port, a first data packet from a first external device; encapsulating the first data packet with a first virtual local area network identifier corresponding to the first path to generate a second data packet; receiving, by the first programmable logic device, the second data packet from the third port; filtering, by the first programmable logic device, the second data packet according to a first filtering rule; in response to the second data packet matching the first filtering rule, overwriting the first virtual local area network identifier with a second virtual local area network identifier corresponding to the second path to generate a third data packet; and transmitting, by the first programmable logic device, the third data packet to the second port via the second path, so that the third data packet is output through the second port.

In view of the foregoing, the present disclosure can filter the data packets transmitted between multiple devices in a secure field, and can therefore ensure the security of the transmission.

To make the foregoing easier to understand, several embodiments are described in detail below with reference to the drawings.

10: switch device

11, 12, 13, 14, 15, 16, 17: paths

40: packet format

41, 42: gateways

43, 44, 45, 50: devices

61, 62: storage devices

81: secure field

82: non-secure field

90: unidirectional link device

91, 100: switches

92: unidirectional link circuit

110: controller

200, 300: programmable logic devices

P1, P2, P3, P4, P5, P6, P7: ports

S301, S302, S303, S304, S305, S306, S307, S308, S309, S310, S311, S312, S501, S502, S503, S504, S505, S506, S507: steps

The accompanying drawings are included to provide a further understanding of the present disclosure, and are incorporated in and constitute a part of this specification. The drawings illustrate exemplary embodiments of the present disclosure and, together with the description, serve to explain the principles of the present disclosure.

FIG. 1 shows a schematic diagram of a unidirectional link device.

FIG. 2 shows a schematic diagram of a switch device according to an embodiment of the present disclosure.

FIG. 3 shows a flowchart of a VLAN ID-based communication method according to an embodiment of the present disclosure.

FIG. 4 shows a schematic diagram of a packet format according to an embodiment of the present disclosure.

FIG. 5 shows a flowchart of a communication method for VLAN ID-based unidirectional transmission according to an embodiment of the present disclosure.

To make the present disclosure easier to understand, several embodiments are described below as examples of its implementation. In addition, where appropriate, elements, components and steps with the same reference numerals in the drawings and the embodiments denote the same or similar parts.

FIG. 2 shows a schematic diagram of a switch device 10 according to an embodiment of the present disclosure. The switch device 10 may include a switch (or managed switch) 100, a programmable logic device (PLD) 200 and a PLD 300.

The switch 100 may include a controller 110, a port P1 (also referred to as the "first port"), a port P2 (also referred to as the "second port"), a port P3, a port P4, a port P5, a port P6 (also referred to as the "fourth port") and a port P7 (also referred to as the "third port"). The controller 110 can determine the routing paths between the ports of the switch 100 by configuring a port VLAN ID (PVID) for each port. In addition, the controller 110 can assign ports to VLAN ID groups; ports belonging to the same VLAN ID group can communicate with one another. Specifically, when a data packet passes through a port with a particular PVID, the controller 110 may tag the data packet with the VLAN ID corresponding to that PVID. The switch 100 or the controller 110 can then determine the routing path of the data packet according to its VLAN ID. After the data packet is received by another port, if the VLAN ID has not been removed, that port can identify the path the data packet came from based on the VLAN ID stored in the VLAN tag field of the data packet.

For example, a default PVID (for example, PVID 1) may be assigned to all ports of the switch 100 so that all ports of the switch 100 can communicate with one another; that is, the controller 110 may configure all ports to be coupled to one another. The final routing path, however, may depend on the destination MAC address looked up in the MAC address table stored in the switch 100. As another example, to assign port P1 and port P6 to the VLAN ID group corresponding to VLAN ID 16, the controller 110 may configure the PVID of port P1 and port P6 as PVID 16, which corresponds to VLAN ID 16; that is, the controller 110 may configure port P1 to be coupled to port P6 via path 16. A data packet passing through port P1 is then tagged with VLAN ID 16, and the controller 110 can transmit the data packet from port P1 to port P6 via path 16, which corresponds to VLAN ID 16. In general, only data packets transmitted inside the switch carry the PVID tag; the PVID tag is removed when a data packet is output from the switch to an external device.

The controller 110 may assign the PVID of port P1 to VLAN ID 11, and may configure port P6 and port P7 to join the VLAN ID 11 group. That is, port P1 may be coupled to port P6 via path 16 and to port P7 via path 11, where path 11 and path 16 belong to the VLAN ID 11 group. Port P1 may be coupled to a device disposed in the secure field 81, such as a gateway 41 (or proxy server 41). The controller 110 may assign the PVID of port P2 to VLAN ID 12, and may configure port P6 and port P7 to join the VLAN ID 12 group. That is, port P2 may be coupled to port P6 via path 17 and to port P7 via path 12, where path 12 and path 17 belong to the VLAN ID 12 group. Port P2 may be coupled to a device disposed in the secure field 81, such as a gateway 42 (or proxy server 42). The controller 110 may assign the PVID of port P3 to VLAN ID 13, and may configure port P7 to join the VLAN ID 13 group. That is, port P3 may be coupled to port P7 via path 13, which corresponds to the VLAN ID 13 group. Port P3 may be coupled to a device disposed in the secure field 81, such as a device 43, where the device 43 may comprise multiple electronic devices or multiple sensors. The controller 110 may assign the PVID of port P4 to VLAN ID 14, and may configure port P7 to join the VLAN ID 14 group. That is, port P4 may be coupled to port P7 via path 14, which corresponds to the VLAN ID 14 group. Port P4 may be coupled to a device disposed in the secure field 81, such as a device 44, where the device 44 may comprise multiple electronic devices or multiple sensors. The controller 110 may assign the PVID of port P5 to VLAN ID 15, and may configure port P7 to join the VLAN ID 15 group. That is, port P5 may be coupled to port P7 via path 15, which corresponds to the VLAN ID 15 group. Port P5 may be coupled to a device disposed in the secure field 81, such as a device 45, where the device 45 may comprise multiple electronic devices or multiple sensors.

Port P6 may be coupled to the PLD 300, and port P6 may be accessed by a device (for example, a gateway) via port P1 or port P2. Port P7 may be coupled to the PLD 200. In one embodiment, if a VLAN ID is already stored in the VLAN tag field of a data packet, the controller may leave the data packet untagged when it enters the switch 100 (the path is then determined by the VLAN ID present at ingress). For example, suppose a data packet transmitted from the PLD 200 to port P7 already carries a VLAN ID. That data packet is then not tagged with another VLAN ID when it passes through port P7. That is, the VLAN ID of a data packet transmitted from port P7 to the other ports of the switch 100 is not changed by the controller 110 and can instead be determined by the PLD 200. Accordingly, the PVID of port P7 does not affect the data routing of the switch 100. In one embodiment, port P6 is assigned to at least the VLAN ID 11 group and the VLAN ID 12 group, and port P7 is assigned to at least the VLAN ID 11 group, the VLAN ID 12 group, the VLAN ID 13 group, the VLAN ID 14 group and the VLAN ID 15 group. Since no data packet is input to the switch 100 via port P6, the PVID of port P6 does not affect the data routing of the switch 100.
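The port configuration just described, together with the mapping-table lookup, VLAN ID overwrite and frame check sequence update of the summary embodiments, as an added software model that traces one packet end to end (not code from the patent or its assignee). The switch 100 tags an untagged frame with the ingress PVID, leaves a frame that already carries a VLAN ID alone (so the PLD 200 decides the path of what it sends into P7), delivers to the other members of the VLAN ID group and strips the tag towards external devices; the PLD 200 overwrites the VLAN ID from its destination-MAC mapping table and refreshes the FCS, or discards the frame on a miss. Flooding to every group member, the frame bytes, the MAC addresses and the table contents are constructed assumptions of this model.

```python
import struct
import zlib
from typing import Dict, List, Optional, Set, Tuple

TPID_8021Q = 0x8100
# Switch 100 configuration as described above: PVID of each external port and the
# VLAN ID groups; P6 (to PLD 300) and P7 (to PLD 200) receive tagged frames.
PVID: Dict[str, int] = {"P1": 11, "P2": 12, "P3": 13, "P4": 14, "P5": 15}
VLAN_GROUPS: Dict[int, Set[str]] = {
    11: {"P1", "P6", "P7"}, 12: {"P2", "P6", "P7"},
    13: {"P3", "P7"}, 14: {"P4", "P7"}, 15: {"P5", "P7"},
}
PLD_PORTS: Set[str] = {"P6", "P7"}


def ethernet_fcs(body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    return len(frame) >= 18 and ethernet_fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Untagged frame, or 802.1Q-tagged (PCP 0, DEI 0) when vid is given."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    body = dst + src + tag + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def frame_vid(frame: bytes) -> Optional[int]:
    """VLAN ID stored in the VLAN tag field, or None when the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def set_vid(frame: bytes, vid: Optional[int]) -> bytes:
    """Tag, retag (overwrite the VLAN ID) or strip a frame, then refresh the FCS."""
    rest = frame[16:-4] if frame_vid(frame) is not None else frame[12:-4]
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    body = frame[:12] + tag + rest
    return body + ethernet_fcs(body)


def switch_forward(ingress: str, frame: bytes) -> List[Tuple[str, bytes]]:
    """Controller 110: tag with the ingress PVID unless the frame already carries
    a VLAN ID, deliver to the other members of that VLAN ID group (flooding is
    this model's assumption) and strip the tag towards external devices."""
    if not fcs_ok(frame):
        return []
    vid = frame_vid(frame)
    if vid is None:
        vid = PVID.get(ingress)
    if vid is None or ingress not in VLAN_GROUPS.get(vid, set()):
        return []                                   # no path for this VLAN ID
    return [(port, set_vid(frame, vid if port in PLD_PORTS else None))
            for port in sorted(VLAN_GROUPS[vid] - {ingress})]


def pld200_rewrite(frame: bytes, mapping: Dict[bytes, int]) -> Optional[bytes]:
    """PLD 200: the destination MAC must be recorded in the mapping table; on a
    hit the first path's VLAN ID is overwritten with the second path's VLAN ID
    (FCS refreshed by set_vid), on a miss the second data packet is discarded."""
    if not fcs_ok(frame) or frame_vid(frame) is None:
        return None
    second_vid = mapping.get(frame[0:6])
    return None if second_vid is None else set_vid(frame, second_vid)


def trace_gateway_to_device(mapping: Dict[bytes, int], src: bytes, dst: bytes,
                            payload: bytes) -> List[Tuple[str, Optional[int]]]:
    """Send one frame from gateway 41 into P1 and return the (port, VLAN ID)
    deliveries it causes; ("P4", None) at the end means device 44 got it untagged."""
    hops: List[Tuple[str, Optional[int]]] = []
    first = build_frame(dst, src, 0x0800, payload)                # first data packet
    for port, second in switch_forward("P1", first):               # second data packet
        hops.append((port, frame_vid(second)))
        if port == "P7":
            third = pld200_rewrite(second, mapping)                # third data packet
            if third is not None:
                for out_port, delivered in switch_forward("P7", third):
                    hops.append((out_port, frame_vid(delivered)))
    return hops
```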

The controller 110 may be, for example, a central processing unit (CPU), a programmable microprocessor, a digital signal processor (DSP), a programmable controller, an application specific integrated circuit (ASIC), a graphics processing unit (GPU), a PLD, another similar element, or a combination thereof. The controller 110 may be coupled to port P1, port P2, port P3, port P4, port P5, port P6 and port P7. The controller 110 may include a storage medium, which may be, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid state drive (SSD), similar element, or a combination thereof, configured to store multiple modules or various applications executed by the controller 110.

The PLD 200 (or the PLD 300) may include, for example, optical fibers, diode circuits, RJ45 connectors, programmable array logic (PAL), generic array logic (GAL), a complex PLD (CPLD), a field programmable gate array (FPGA), similar elements, or a combination thereof.

A device in the secure field 81 may transmit a data packet to a device in the non-secure field 82 via the PLD 300. For example, if the gateway 42 wants to transmit a data packet to a device 50, the gateway 42 may transmit the data packet to the PLD 300 via port P2, path 17 and port P6, where port P6 outputs the data packet to the PLD 300. In response to receiving the data packet from port P6, the PLD 300 may forward the data packet to the device 50. Specifically, the PLD 300 may store a second filtering rule, which may restrict the direction in which signals pass through the PLD 300. According to the second filtering rule, the PLD 300 can transmit data packets from the switch 100 (or port P6) to the device 50 disposed in the non-secure field 82, but the PLD 300 cannot transmit data packets from the device 50 to the switch 100, where the device 50 may be an electronic device or a server. Data packets therefore cannot be sent from the non-secure field 82 to the secure field 81, so the devices in the secure field 81 are not exposed to attack by devices in the non-secure field 82.

After receiving a data packet from port P6, the PLD 300 may filter the data packet according to the second filtering rule. If the data packet matches the second filtering rule, the PLD 300 may decide to output the data packet to the device 50. If the data packet does not match the second filtering rule, the PLD 300 may decide to discard the data packet, or may decide to transmit it to a storage device 62 for further analysis, where the storage device 62 may be coupled to the PLD 300. In one embodiment, the second filtering rule may be associated with a UDP port number or a transmission protocol. For example, the second filtering rule may include the UDP port number of port P6. If the PLD 300 determines that a received data packet does not contain a port number matching the UDP port number of port P6, the PLD 300 may discard the data packet or transmit it to the storage device 62. In one embodiment, the transmission protocol may be a one-way protocol, such as the user datagram protocol (UDP), the real-time transport protocol (RTP), the simple network management protocol (SNMP) or the routing information protocol (RIP).

A device in the secure field 81 may transmit a data packet to another device in the secure field 81 via the PLD 200. For example, if the gateway 41 wants to query data from the device 44, the gateway 41 may transmit a data packet to the PLD 200 via port P1, path 11 and port P7, where port P7 outputs the data packet to the PLD 200. In response to receiving the data packet from port P7, the PLD 200 may forward the data packet to the device 44. Specifically, the PLD 200 may pre-store a first filtering rule, according to which the PLD 200 filters the data packets passing through it. If a data packet from the source device (that is, the gateway 41) matches the first filtering rule, the PLD 200 may decide to forward the data packet to its target device (that is, the device 44). If a data packet from the source device does not match the first filtering rule, the PLD 200 may discard the data packet, or may decide to transmit it to a storage device 61 for further analysis, where the PLD 200 may be coupled to the storage device 61.

In one embodiment, the first filtering rule may be associated with a TCP/UDP port number or with a transport protocol. In one embodiment, the transport protocol may be a bidirectional protocol such as, but not limited to, the Modbus protocol, the IEC 60870-5-104 protocol, the distributed network protocol (DNP) or a programmable logic controller (PLC) protocol. For example, the first filtering rule may include the TCP/UDP port number of the data packet. If PLD 200 determines that a data packet it received does not contain a port number matching the TCP/UDP port number of the data packet from port P7, PLD 200 may discard the data packet or transmit it to storage device 61. As another example, the first filtering rule may be associated with the DNP protocol, where a data packet supporting the DNP protocol may have the preamble 0x27, the header 0x05 and the header 0x64. PLD 200 may determine whether a data packet received from port P7 supports the DNP protocol by checking the packet's preamble and headers. If PLD 200 determines that the data packet received from port P7 does not support the DNP protocol, PLD 200 may discard it or transmit it to storage device 61. As another example, the first filtering rule may be associated with the IEC 60870-5-104 protocol, where a data packet supporting the IEC 60870-5-104 protocol may have the preamble 0x68 and the end code 0x16. PLD 200 may determine whether a data packet received from port P7 supports the IEC 60870-5-104 protocol by checking the packet's preamble and end code. If PLD 200 determines that the data packet received from port P7 does not support the IEC 60870-5-104 protocol, PLD 200 may discard it or transmit it to storage device 61.
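The protocol-level form of the first filtering rule, as an added example that is not code from the patent: a checker that tests a payload for the 0x05 0x64 DNP3 start bytes, or for the 0x68 start byte and 0x16 end code the description names for IEC 60870-5-104, together with a TCP/UDP port allow-list, and returns the PLD's verdict (forward, drop, or divert to storage device 61). The verdict names, rule fields and sample payloads are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Verdicts the PLD can reach for a packet arriving from port P7
# (names constructed for this example).
FORWARD = "forward"   # matches the rule: forward to the target device
DROP = "drop"         # no match: discard the packet
STORE = "store"       # no match: hand the packet to storage device 61 for analysis


def looks_like_dnp3(payload: bytes) -> bool:
    """DNP3 link-layer frames begin with the start bytes 0x05 0x64."""
    return len(payload) >= 2 and payload[0] == 0x05 and payload[1] == 0x64


def looks_like_iec104(payload: bytes) -> bool:
    """Markers the description lists for IEC 60870-5-104: 0x68 start, 0x16 end."""
    return len(payload) >= 2 and payload[0] == 0x68 and payload[-1] == 0x16


PROTOCOL_CHECKS = {"dnp3": looks_like_dnp3, "iec104": looks_like_iec104}


@dataclass(frozen=True)
class FilterRule:
    """First filtering rule: a port allow-list and/or an expected protocol."""
    allowed_ports: FrozenSet[int] = frozenset()   # empty set = any port accepted
    protocol: Optional[str] = None                # key into PROTOCOL_CHECKS, or None
    divert_to_storage: bool = False               # reject with STORE instead of DROP


def apply_rule(rule: FilterRule, l4_port: int, payload: bytes) -> str:
    """Return the verdict for one packet the PLD received from port P7."""
    reject = STORE if rule.divert_to_storage else DROP
    if rule.allowed_ports and l4_port not in rule.allowed_ports:
        return reject                    # port number does not match the rule
    if rule.protocol is not None and not PROTOCOL_CHECKS[rule.protocol](payload):
        return reject                    # marker bytes do not match the protocol
    return FORWARD


# Constructed sample payloads; only the marker bytes matter to the checks.
DNP3_SAMPLE = bytes.fromhex("0564 05c0 0100 0004")
IEC104_SAMPLE = bytes.fromhex("6804 0700 0016")
MODBUS_LIKE_SAMPLE = bytes.fromhex("0001 0000 0006 0103 0000 000a")

if __name__ == "__main__":
    rule = FilterRule(allowed_ports=frozenset({20000}), protocol="dnp3",
                      divert_to_storage=True)
    print(apply_rule(rule, 20000, DNP3_SAMPLE))         # forward
    print(apply_rule(rule, 20000, MODBUS_LIKE_SAMPLE))  # store
    print(apply_rule(rule, 502, DNP3_SAMPLE))           # store
```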

A switch based on IEEE 802.1Q can dynamically update its MAC address table and perform the switch's internal data transmission according to that table. Controller 110 may store the MAC address table of switch 100, where the MAC address table records the mapping between a port and the MAC address of the device coupled to that port. For example, if port P1 is coupled to gateway 41, a data packet transmitted from gateway 41 to port P1 may include a source address, which may be the MAC address of gateway 41. Controller 110 may extract the MAC address of gateway 41 from the data packet passing through port P1 and then update the MAC address table according to it, so that the updated table records the mapping between port P1 and the MAC address of gateway 41.

However, because all data packets transmitted between different ports of switch 100 must be forwarded via port P7, the method mentioned above is not suitable for switch 100. Specifically, two data packets with the same source address may enter switch 100 through two different ports. Controller 110 would then have to update the previous record in the MAC address table, or treat one of the two data packets as a malformed packet, which switch 100 may discard. For example, if device 44 wants to transmit a data packet to device 45, the data packet may be transmitted from device 44 to PLD 200, with the source address of the packet being the MAC address of device 44. Controller 110 may update the MAC address table to record the mapping between the MAC address of device 44 and port P4. In response to receiving the data packet from device 44, PLD 200 may filter it according to the first filtering rule. If the data packet matches the first filtering rule, PLD 200 may transmit it to device 45. Since the source address of the data packet is still the MAC address of device 44, controller 110 may update the MAC address table to record the mapping between the MAC address of device 44 and port P7. Switch 100 would thus regard port P4 and port P7 as both coupled to a device with the same MAC address. Consequently, controller 110 would need to overwrite the mapping between the MAC address of device 44 and port P4 with the mapping between the MAC address of device 44 and port P7, or discard the data packets transmitted from port P7 (or from port P4). Having more than one device with the same MAC address coupled to different ports of switch 100 breaks the basic concept of switch technology.

To solve the problem mentioned above, the present disclosure provides a method for the internal data transmission of a switch based on VLAN IDs. FIG. 3 shows a flowchart of a VLAN ID-based communication method according to an embodiment of the present disclosure, where the communication method may be implemented by switch device 10 as shown in FIG. 2. Assume that gateway 41 wants to transmit a first data packet to device 44; that is, gateway 41 may be the source device and device 44 may be the target device.

In step S301, switch 100 may receive the first data packet from the source device. For example, if gateway 41 wants to transmit the first data packet to device 44, switch 100 may receive the first data packet from gateway 41 via port P1.

In step S302, controller 110 of switch 100 may encapsulate the first data packet with a first VLAN ID corresponding to a first path (i.e., the PVID of the port) to generate a second data packet, and may transmit the second data packet to PLD 200. For example, controller 110 may encapsulate the first data packet with VLAN ID 11 (i.e., the first VLAN ID, or the PVID of port P1) corresponding to path 11 (i.e., the first path), thereby generating the second data packet, and controller 110 may transmit the second data packet to PLD 200 via port P1, path 11 and port P7. Controller 110 may obtain VLAN ID 11 from a preset table, which may be pre-stored in controller 110 and may contain the mapping between VLAN IDs and the paths of switch 100. Table 1 is an example of the preset table. If a data packet entering switch 100 does not carry a VLAN ID, controller 110 may encapsulate it with a VLAN ID according to the preset table, where the VLAN ID corresponds to the path the data packet will take. If a data packet is required to be delivered to non-secure domain 82, only port P1 (or gateway 41) or port P2 (or gateway 42) may transmit it to non-secure domain 82, based on VLAN ID 11 or VLAN ID 12. A data packet delivered to the non-secure domain must satisfy the security criteria. For example, a data packet delivered to non-secure domain 82 may be converted by gateway 41 or gateway 42 from a bidirectional protocol to a unidirectional protocol.

[Table 1 (image, not reproduced): the preset table mapping VLAN IDs to the paths of switch 100]

FIG. 4 shows a schematic diagram of a packet format 40 (e.g., a standard Ethernet frame) according to an embodiment of the present disclosure. Any data packet transmitted inside switch 100 may be formed according to packet format 40. For example, controller 110 may encapsulate the first data packet according to packet format 40 to generate the second data packet. Packet format 40 may include a destination address field, a source address field, a VLAN tag field (e.g., an 802.1Q tag field), a type/length value field (e.g., an EtherType/length field), a data field (or payload field) and a frame check sequence (FCS) field. The destination address field may store a destination address such as the MAC address of the target device. For example, since the target device of the second data packet is device 44, the destination address field of the second data packet may store the MAC address of device 44. The source address field may store a source address such as the MAC address of the source device. For example, since the source device of the second data packet is gateway 41, the source address field of the second data packet may store the MAC address of gateway 41. The VLAN tag field may store a tag protocol identifier (TPID), a priority (PRI), a canonical format indicator (CFI) or a VLAN ID (i.e., VID). For example, controller 110 may generate the second data packet by modifying the VLAN tag field of the first data packet to record VLAN ID 11. The type/length value field may store the type of the data packet. For example, in FIG. 4, if packet format 40 corresponds to an address resolution protocol (ARP) data packet, the type/length value field may store "0x0806". The data field may store a sender hardware address (e.g., the MAC address of the source device), a sender protocol address (e.g., the IP address of the source device), a target hardware address (e.g., the MAC address of the target device) or a target protocol address (e.g., the IP address of the target device). For example, the data field of the second data packet may contain the MAC address of gateway 41 as the sender hardware address, the IP address of gateway 41 as the sender protocol address, the MAC address of device 44 as the target hardware address and the IP address of device 44 as the target protocol address. In one embodiment, the target protocol address may be blank. For example, the target protocol address of an ARP query may be blank, and the destination address of the ARP query may be the broadcast address (e.g., 0xFF). The FCS field may store an FCS value (or cyclic redundancy check (CRC) code) corresponding to the data field. The FCS value may be calculated from the data field; if the data in the data field changes, the FCS value changes accordingly. For example, in response to generating the second data packet, controller 110 may modify the data field of the first data packet to include VLAN ID 11. The FCS value of the second data packet should therefore differ from the FCS value of the first data packet, and controller 110 may calculate the FCS value of the second data packet from the modified data field.

Referring back to FIG. 3, in step S303, in response to receiving the second data packet, PLD 200 may determine whether the second data packet is an address query packet (or ARP packet), where an address query packet may be, for example, an ARP query. Specifically, the data field of the second data packet may further store an ARP indicator in an operation field (e.g., EtherType "0x0806"). The ARP indicator indicates whether the second data packet is an address query packet. In response to receiving the second data packet from port P7, PLD 200 may determine from the operation field of the second data packet whether it is an address query packet (or ARP packet). If the second data packet is an address query packet, the method proceeds to step S308. If the second data packet is not an address query packet (or ARP packet), the method proceeds to step S304.

In step S304, PLD 200 may filter the second data packet and determine whether it matches the mapping table. If the second data packet matches the mapping table, the method proceeds to step S306; if it does not match, the method proceeds to step S305. Specifically, PLD 200 may filter the second data packet according to the first filtering rule, which may be associated with a TCP/UDP port number or a transport protocol. In addition, the filtering rule may include a mapping table, which contains the mapping between MAC addresses and VLAN IDs. In one embodiment, the mapping table may further include the IP addresses corresponding to the MAC addresses and VLAN IDs. PLD 200 may determine that the second data packet matches the mapping table in response to the mapping between the destination address of the second data packet and the VLAN ID of the second data packet being recorded in the mapping table, and may determine that the second data packet does not match the mapping table in response to that mapping not being recorded in the mapping table. Table 2 is an example of the mapping table stored in PLD 200; it records the mapping between the MAC address of gateway 41 and VLAN ID 11. Assume that the data field of the second data packet stores VLAN ID 11. PLD 200 may determine that the second data packet matches the mapping table if the source address of the second data packet is the MAC address of gateway 41, and that it does not match the mapping table if the source address of the second data packet is not the MAC address of gateway 41.

[Table 2 (image, not reproduced): mapping table stored in PLD 200, recording the MAC address of gateway 41 against VLAN ID 11]

In step S305, PLD 200 may discard the second data packet or may transmit it to storage device 61 for further analysis.

In step S306, PLD 200 may overwrite the first VLAN ID of the second data packet with a second VLAN ID corresponding to a second path, thereby generating a third data packet, where the second VLAN ID corresponds to the path between PLD 200 and the target device. That is, PLD 200 may select the second VLAN ID from the mapping table according to the destination address of the second data packet. For example, PLD 200 may overwrite VLAN ID 11 in the second data packet with VLAN ID 14 to generate the third data packet, where VLAN ID 14 corresponds to path 14 between PLD 200 and device 44 (i.e., the target device).

In response to overwriting the first VLAN ID in the data field with the second VLAN ID, PLD 200 may recalculate the FCS value of the third data packet from the updated data field. In other words, PLD 200 updates the FCS value of the second data packet to generate the third data packet.
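Steps S302 and S306 carried out on actual frame bytes, as an added example and not the patent's own implementation: a frame in packet format 40 is tagged with the ingress port's PVID and the VID is then overwritten, with the FCS recomputed after each change. It assumes zlib.crc32, which is the same CRC-32 as the Ethernet FCS; the MAC addresses and payload are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100

# Constructed addresses for gateway 41 and device 44 (not from the patent).
MAC_GATEWAY_41 = bytes.fromhex("020000000041")
MAC_DEVICE_44 = bytes.fromhex("020000000044")


def fcs(frame_body: bytes) -> bytes:
    """Ethernet FCS: IEEE CRC-32 over DA..payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame in packet format 40: DA, SA, type/length, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """True when the trailing four bytes are the CRC-32 of everything before them."""
    return fcs(frame[:-4]) == frame[-4:]


def vlan_id(frame: bytes):
    """VID from the 802.1Q tag, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def tag_with_pvid(frame: bytes, pvid: int, pcp: int = 0) -> bytes:
    """Step S302: controller 110 inserts the ingress port's PVID and recomputes the FCS."""
    if vlan_id(frame) is not None:
        return frame                      # already tagged: leave the frame alone
    body = frame[:-4]
    tci = ((pcp & 0x7) << 13) | (pvid & 0x0FFF)      # PCP(3) DEI(1) VID(12)
    body = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return body + fcs(body)


def rewrite_vid(frame: bytes, new_vid: int) -> bytes:
    """Step S306: the PLD overwrites the VID, keeps PCP/DEI, recomputes the FCS."""
    if vlan_id(frame) is None:
        raise ValueError("frame carries no 802.1Q tag")
    body = frame[:-4]
    tci = struct.unpack("!H", body[14:16])[0]
    tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    body = body[:14] + struct.pack("!H", tci) + body[16:]
    return body + fcs(body)


def forward_through_pld(frame: bytes, pvid: int, path_vid: int) -> bytes:
    """First packet -> second packet (PVID of the ingress port) -> third packet (path VID)."""
    second = tag_with_pvid(frame, pvid)
    return rewrite_vid(second, path_vid)


if __name__ == "__main__":
    first = build_frame(MAC_DEVICE_44, MAC_GATEWAY_41, 0x0800, b"\x45" + bytes(19))
    second = tag_with_pvid(first, 11)       # path 11, the PVID of port P1
    third = rewrite_vid(second, 14)         # path 14 towards device 44
    print(vlan_id(first), vlan_id(second), vlan_id(third))             # None 11 14
    print(fcs_ok(second), fcs_ok(third), second[-4:] != third[-4:])    # True True True
```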

In step S307, PLD 200 may transmit the third data packet to the target device. For example, PLD 200 may transmit the third data packet to device 44 via port P7, path 14 and port P4.

In step S308, PLD 200 may determine whether the second data packet matches the mapping table. If the second data packet matches the mapping table, the method proceeds to step S312; if it does not match, the method proceeds to step S309. Specifically, PLD 200 may store a mapping table containing the mapping among MAC addresses, IP addresses and VLAN IDs. If the second data packet is an address query packet, its sender hardware address, sender protocol address and target protocol address are filled in by the source device, while the source device leaves the target hardware address of the second data packet blank. In other words, the MAC address of the target device is unknown to the second data packet. PLD 200 may check whether the mapping between the IP address and the MAC address of the target device is recorded in the mapping table. PLD 200 may determine that the second data packet matches the mapping table in response to that mapping being recorded in the mapping table, and may determine that the second data packet does not match the mapping table in response to that mapping not being recorded.

Table 3 is an example of the mapping table stored in PLD 200. Entries may be added to the mapping table in response to data packets received by PLD 200; IP addresses, VLAN IDs and MAC addresses may be recorded in the mapping table. For example, after connecting to switch 100, a network device may issue a broadcast packet (e.g., an ARP reply) to the internal network devices (e.g., the devices coupled to switch 100), thereby announcing the network device's hardware address and software address to them. In response to receiving the broadcast packet, PLD 200 may add the mapping between the IP address of the network device and the MAC address of the network device to the mapping table. In one embodiment, the second data packet transmitted from gateway 41 to PLD 200 may include the MAC address of gateway 41, the IP address of gateway 41 and the IP address of the target device. PLD 200 may determine whether the mapping between the IP address and the MAC address of the target device is recorded in Table 3. Since the mapping between the IP address of the target device and the MAC address of device 44 is recorded in Table 3, PLD 200 may determine that the IP address of the target device corresponds to device 44, and therefore that the second data packet matches the mapping table.

[Table 3 (image, not reproduced): mapping table stored in PLD 200 with IP address, VLAN ID and MAC address columns, including the entry for device 44]

Table 4 is another example of the mapping table stored in PLD 200. The second data packet transmitted from gateway 41 to PLD 200 may include the MAC address of gateway 41, the IP address of gateway 41 and the IP address of the target device. PLD 200 may determine whether the mapping between the IP address and the MAC address of the target device is recorded in Table 4. Since the mapping between the IP address and the MAC address of the target device is not recorded in Table 4, PLD 200 may determine that the second data packet does not match the mapping table.

[Table 4 (image, not reproduced): mapping table stored in PLD 200 without an entry for the target device's IP address]

In step S309, PLD 200 may broadcast the IP address of the target device to one or more external devices coupled to switch 100. For example, PLD 200 may replicate the second data packet to generate multiple broadcast data packets, each containing the IP address of the target device and a dedicated VLAN ID; that is, different broadcast data packets carry different VLAN IDs. For example, PLD 200 may generate a broadcast data packet from the second data packet and transmit it to device 44 via port P4, where that broadcast data packet contains the IP address of the target device and VLAN ID 14. Similarly, PLD 200 may generate a broadcast data packet from the second data packet and transmit it to device 43 via port P3, where that broadcast data packet contains the IP address of the target device and VLAN ID 13. PLD 200 may generate a broadcast data packet from the second data packet and transmit it to gateway 42 via port P2, where that broadcast data packet contains the IP address of the target device and VLAN ID 12. PLD 200 may generate a broadcast data packet from the second data packet and transmit it to device 45 via port P5, where that broadcast data packet contains the IP address of the target device and VLAN ID 15.

In step S310, PLD 200 may receive a MAC address from the target device (i.e., device 44) in response to broadcasting the IP address of the target device, and PLD 200 may generate a response packet corresponding to the second data packet (i.e., the address query packet), where the target device is one of the one or more external devices that received the broadcast data packets. Specifically, assume that the target IP address contained in the broadcast data packet equals the IP address of device 44; that is, device 44 is the target device of the second data packet. Device 44 may therefore, in response to receiving the broadcast data packet, transmit its MAC address to PLD 200 via port P4, path 14 and port P7. After receiving the MAC address of device 44, PLD 200 may set the source address of the response packet to the received MAC address; for example, PLD 200 may set the source address of the response packet to the MAC address of device 44. In addition, PLD 200 may set the destination address of the response packet to the source address of the second data packet. For example, the second data packet may contain the MAC address of gateway 41 as its source address, so PLD 200 may set the destination address of the response packet to the MAC address of gateway 41. Furthermore, PLD 200 may set the target hardware address of the response packet to the received MAC address, where the target hardware address is contained in the data field of the response packet and is the information that was not yet filled in the second data packet. For example, PLD 200 may set the target hardware address of the response packet to the MAC address of device 44, which was not stored in the second data packet.

In one embodiment, in response to receiving the MAC address from the target device, PLD 200 may add the mapping between the IP address of the target device and the MAC address of the target device to the mapping table. For example, assume that the mapping table currently stored in PLD 200 is Table 4. In response to receiving the MAC address from device 44 as feedback to the broadcast data packet, PLD 200 may determine that the IP address of the target device corresponds to the MAC address of device 44. PLD 200 may therefore add the relationship between the IP address of the target device and the MAC address of device 44 to Table 4, so that Table 4 is modified by PLD 200 into Table 3.

In step S311, PLD 200 may transmit the response packet to the source device (i.e., gateway 41), where the response packet may be an ARP reply corresponding to the ARP query. Specifically, PLD 200 may transmit the response packet to gateway 41 via port P7, path 11 and port P1.

In step S312, PLD 200 may generate the response packet corresponding to the second data packet (i.e., the address query packet) according to the mapping table. Specifically, PLD 200 may set the source address of the response packet to the MAC address associated with the IP address of the target device. Taking Table 3 as an example, in response to the mapping between the IP address of the target device and the MAC address of device 44 being recorded in Table 3, PLD 200 may determine that the IP address of the target device is associated with the MAC address of device 44. PLD 200 may therefore set the source address of the response packet to the MAC address of device 44 according to the mapping table. That is, the IP address of the target device need not be broadcast to the actual target device (i.e., device 44) in order to obtain the MAC address of the target device. After receiving an ARP query from the source device, PLD 200 may generate the ARP reply corresponding to the ARP query from the established mapping table, and the steps of replicating the ARP query or broadcasting the ARP query may be omitted. The source device can thus obtain the IP address of the target device in a shorter time.

In addition, PLD 200 may set the destination address of the response packet to the source address of the second data packet. For example, the second data packet may contain the MAC address of gateway 41 as its source address, so PLD 200 may set the destination address of the response packet to the MAC address of gateway 41. Furthermore, PLD 200 may set the target hardware address of the response packet to the MAC address associated with the IP address of the target device, where the target hardware address is contained in the data field of the response packet and is the information that was not yet filled in the second data packet. For example, PLD 200 may determine that the MAC address of device 44 is associated with the IP address of the target device, and may therefore set the target hardware address of the response packet to the MAC address of device 44.
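Steps S303 and S308 to S312 as a small ARP proxy, added here as an example and not the patent's own logic: the PLD answers from its mapping table when the target IP address is already known (Table 3), otherwise replicates the query with one VLAN ID per port (Table 4 case), records the target's answer and builds the reply exactly as the description fills the fields. The addresses, port numbering and field names are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

OP_REQUEST = 1   # ARP operation field value for a query
OP_REPLY = 2     # ARP operation field value for a reply


@dataclass(frozen=True)
class ArpPacket:
    """The fields of packet format 40 that the PLD reads or sets for ARP."""
    dst_mac: str     # destination address field
    src_mac: str     # source address field
    vid: int         # VID in the 802.1Q tag
    oper: int        # operation field inside the data field
    sha: str         # sender hardware address
    spa: str         # sender protocol address
    tha: str         # target hardware address ("" = left blank by the source)
    tpa: str         # target protocol address


class PldArpProxy:
    """Mapping table (Tables 3 and 4) plus the decisions of steps S308..S312."""

    def __init__(self, port_vids: Dict[int, str]):
        self.port_vids = port_vids                     # VID -> port, e.g. 14 -> "P4"
        self.table: Dict[str, Tuple[str, int]] = {}    # IP -> (MAC, VID)

    def learn(self, ip: str, mac: str, vid: int) -> None:
        self.table[ip] = (mac, vid)

    def is_address_query(self, pkt: ArpPacket) -> bool:
        """Step S303: decide from the operation field."""
        return pkt.oper == OP_REQUEST

    def handle_query(self, pkt: ArpPacket) -> Tuple[str, List[ArpPacket]]:
        """Step S308: reply from the table (S312) or replicate and broadcast (S309)."""
        if pkt.tpa in self.table:
            mac, _ = self.table[pkt.tpa]
            return "reply", [self._reply(pkt, mac)]
        copies = [replace(pkt, vid=vid)
                  for vid in sorted(self.port_vids) if vid != pkt.vid]
        return "broadcast", copies

    def on_target_answer(self, query: ArpPacket, answer: ArpPacket) -> ArpPacket:
        """Step S310: the target returned its MAC; record it, then build the reply."""
        self.learn(answer.spa, answer.sha, answer.vid)
        return self._reply(query, answer.sha)

    def _reply(self, query: ArpPacket, target_mac: str) -> ArpPacket:
        # As the description fills it: source address = the target's MAC,
        # destination address = the query's source address, and the query's
        # blank target hardware address filled in. The VID stays that of the
        # query so the reply rides path 11 back to port P1 (step S311).
        return replace(query, dst_mac=query.src_mac, src_mac=target_mac,
                       oper=OP_REPLY, tha=target_mac)


# Constructed addresses for gateway 41 and device 44.
GW41_MAC, GW41_IP = "02:00:00:00:00:41", "10.0.0.41"
DEV44_MAC, DEV44_IP = "02:00:00:00:00:44", "10.0.0.44"
PORTS = {11: "P1", 12: "P2", 13: "P3", 14: "P4", 15: "P5"}


def make_query(vid: int = 11) -> ArpPacket:
    """ARP query from gateway 41, already tagged with PVID 11 by controller 110."""
    return ArpPacket(dst_mac="ff:ff:ff:ff:ff:ff", src_mac=GW41_MAC, vid=vid,
                     oper=OP_REQUEST, sha=GW41_MAC, spa=GW41_IP, tha="", tpa=DEV44_IP)


def resolve_twice() -> Tuple[str, int, str, str]:
    """First query: empty table (Table 4) -> broadcast; second: Table 3 -> direct reply."""
    pld = PldArpProxy(PORTS)
    q = make_query()
    action1, copies = pld.handle_query(q)
    # Device 44 answers the copy that reached it over path 14.
    answer = ArpPacket(dst_mac=GW41_MAC, src_mac=DEV44_MAC, vid=14, oper=OP_REPLY,
                       sha=DEV44_MAC, spa=DEV44_IP, tha=GW41_MAC, tpa=GW41_IP)
    reply1 = pld.on_target_answer(q, answer)
    action2, (reply2,) = pld.handle_query(make_query())
    return action1, len(copies), action2, reply2.src_mac if reply1 == reply2 else "mismatch"


if __name__ == "__main__":
    print(resolve_twice())   # ('broadcast', 4, 'reply', '02:00:00:00:00:44')
```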

FIG. 5 shows a flowchart of a communication method for one-way transmission based on VLAN ID according to an embodiment of the present disclosure, where the communication method may be implemented by switch device 10 as shown in FIG. 1. In step S501, a first port of the switch is coupled to a third port of the switch via a first path, a second port of the switch is coupled to the third port via a second path, and a first programmable logic device is coupled to the third port. In step S502, the first port receives a first data packet from a first external device. In step S503, the first data packet is encapsulated with a first virtual local area network identifier corresponding to the first path to generate a second data packet. In step S504, the first programmable logic device receives the second data packet from the third port. In step S505, the first programmable logic device filters the second data packet according to a first filtering rule. In step S506, in response to the second data packet matching the first filtering rule, the first virtual local area network identifier is overwritten with a second virtual local area network identifier corresponding to the second path to generate a third data packet. In step S507, the first programmable logic device transmits the third data packet to the second port via the second path, so that the third data packet is output through the second port.

In summary, the disclosure reduces the latency of one-way transmission between a secure domain and a non-secure domain by using a switch device, rather than a high-end computer, to connect the two domains. Unlike a high-end computer, the switch device does not need to extract the entire content of a data packet (for example, every layer of the packet's protocol stack) when forwarding data packets of a predefined protocol. The switch device may include a PLD that filters the data packets transmitted between devices in the secure domain. Before forwarding a filtered data packet to its destination, the PLD may update the packet's VLAN ID, so that the packet cannot violate the rules defined by the switch's address table. In addition, the PLD may build or update a mapping table (for example, an ARP table) recording the mapping between the IP address and the MAC address of a target device. If a source device sends an ARP query for a target device, the PLD may answer the source device with an ARP response on the target device's behalf; the ARP query therefore need not be forwarded to the target device, and the source device obtains the MAC address of the target device in less time.

No element, act, or instruction used in the detailed description of the disclosed embodiments of the present application should be construed as critical or essential to the disclosure unless explicitly described as such. Furthermore, as used herein, each of the indefinite articles "a" and "an" may include more than one item. If only one item is intended, the term "single" or similar language is used. Further, as used herein, the term "any of" preceding a list of items and/or categories of items is intended to include "any of", "any combination of", "any multiple of", and/or "any combination of multiples of" the items and/or categories of items, individually or in conjunction with other items and/or other categories of items. Furthermore, as used herein, the term "set" is intended to include any number of items, including zero. Furthermore, as used herein, the term "number" is intended to include any number, including zero.

It will be apparent to those of ordinary skill in the art that various modifications and variations can be made to the disclosed embodiments without departing from the scope or spirit of the disclosure. In view of the foregoing, the disclosure is intended to cover such modifications and variations, provided that they fall within the scope of the appended claims and their equivalents.

S501, S502, S503, S504, S505, S506, S507: steps

Claims (11)

1. A switch device for one-way transmission based on a virtual local area network identifier, comprising:
a switch, comprising:
a first port;
a second port;
a third port, configured to be coupled to the first port via a first path and to the second port via a second path; and
a controller, coupled to the first port, the second port, and the third port; and
a first programmable logic device, coupled to the third port, wherein
the first port receives a first data packet from a first external device;
the controller encapsulates the first data packet with a first virtual local area network identifier corresponding to the first path to generate a second data packet;
the first programmable logic device receives the second data packet from the third port and filters the second data packet according to a first filtering rule;
in response to the second data packet matching the first filtering rule, the first programmable logic device overwrites the first virtual local area network identifier with a second virtual local area network identifier corresponding to the second path to generate a third data packet; and
the first programmable logic device transmits the third data packet to the second port via the second path, so that the third data packet is output through the second port.
2. The switch device according to claim 1, wherein the second data packet comprises a destination address, and the first programmable logic device stores a mapping table, wherein the first programmable logic device overwrites the first virtual local area network identifier with the second virtual local area network identifier in response to a mapping relationship between the destination address and the second virtual local area network identifier being recorded in the mapping table.

3. The switch device according to claim 2, wherein the first programmable logic device discards the second data packet in response to the mapping relationship between the destination address and the second virtual local area network identifier not being recorded in the mapping table.

4. The switch device according to claim 2, wherein the second data packet further comprises a frame check sequence, and the first programmable logic device updates the frame check sequence in response to overwriting the first virtual local area network identifier with the second virtual local area network identifier, so as to generate the third data packet.
5. The switch device according to claim 1, wherein
the first port receives an address query packet from the first external device and transmits the address query packet to the third port, the address query packet comprising an Internet Protocol address;
the first programmable logic device receives the address query packet from the third port and generates a response packet corresponding to the address query packet; and
the first programmable logic device transmits the response packet to the first port via the third port.

6. The switch device according to claim 5, wherein the first programmable logic device stores a mapping table, and the first programmable logic device generates the response packet by:
in response to a mapping relationship between the Internet Protocol address and a media access control address being recorded in the mapping table, setting a source address of the response packet to the media access control address associated with the Internet Protocol address.

7. The switch device according to claim 5, wherein the first programmable logic device generates the response packet by:
broadcasting the Internet Protocol address to a second external device via the second port;
receiving a media access control address from the second external device via the second port in response to broadcasting the Internet Protocol address; and
setting a source address of the response packet to the media access control address.
8. The switch device according to claim 7, wherein the first programmable logic device stores a mapping table, and the first programmable logic device adds a mapping relationship between the Internet Protocol address and the media access control address to the mapping table in response to receiving the media access control address from the second external device.

9. The switch device according to claim 6, wherein the first programmable logic device further generates the response packet by:
setting a target hardware address of the response packet to the media access control address.

10. The switch device according to claim 1, wherein the first filtering rule corresponds to at least one of a port number or a transmission protocol, and the transmission protocol comprises one of the Modbus protocol, the IEC 60870-5-104 protocol, the Distributed Network Protocol, and a programmable logic controller protocol.
11. A communication method for one-way transmission based on a virtual local area network identifier, comprising:
coupling a first port of a switch to a third port of the switch via a first path, coupling a second port of the switch to the third port via a second path, and coupling a first programmable logic device to the third port;
receiving, by the first port, a first data packet from a first external device;
encapsulating the first data packet with a first virtual local area network identifier corresponding to the first path to generate a second data packet;
receiving, by the first programmable logic device, the second data packet from the third port;
filtering, by the first programmable logic device, the second data packet according to a first filtering rule;
in response to the second data packet matching the first filtering rule, overwriting the first virtual local area network identifier with a second virtual local area network identifier corresponding to the second path to generate a third data packet; and
transmitting, by the first programmable logic device, the third data packet to the second port via the second path, so that the third data packet is output through the second port.
TW110122755A 2021-01-15 2021-06-22 Communication method for one-way transmission based on vlan id and switch device using the same TWI773394B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202163137761P 2021-01-15 2021-01-15
US63/137,761 2021-01-15

Publications (2)

Publication Number Publication Date
TWI773394B true TWI773394B (en) 2022-08-01
TW202231031A TW202231031A (en) 2022-08-01

Family

ID=83782454

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110122755A TWI773394B (en) 2021-01-15 2021-06-22 Communication method for one-way transmission based on vlan id and switch device using the same

Country Status (1)

Country Link
TW (1) TWI773394B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020009083A1 (en) * 2000-06-09 2002-01-24 Broadcom Corporation Gigabit switch with multicast handling
US7706433B2 (en) * 2002-03-21 2010-04-27 Broadcom Corporation Physical layer device having an analog SERDES pass through mode
TW201519607A (en) * 2013-09-25 2015-05-16 Cavium Inc Semiconductor with virtualized computation and switch resources

Also Published As

Publication number Publication date
TW202231031A (en) 2022-08-01
