Background technology
NAT (Network Address Translation) is a technique that translates private-network addresses into public-network addresses so that hosts on the private network can initiate access to the outside. When a packet passes through the firewall, the firewall creates a session table entry recording the address before and the address after translation for that access, so that no access conflict arises even when the private network has more addresses than the NAT address pool.

The firewall's session table guarantees consistent NAT address translation for accesses initiated by private users. The firewall, however, also commonly receives packets whose destination address is a NAT address-pool address and that were forwarded to it by the router connected to the firewall's egress. Such packets match no entry in the firewall's session table: they are not responses to accesses initiated by private users but unauthorized accesses.

Because the firewall is a core-layer device, a default route pointing at the firewall's egress router can be configured on it. A packet whose destination address is a pool address and that matches no session on the firewall is therefore forwarded by the firewall to the egress router over that default route; the egress router looks up its route for the address pool and forwards the packet back to the firewall. The packet thus bounces back and forth between the firewall and its upstream device until its TTL (Time To Live) reaches 0 and it is dropped. Such packets form a loop between the firewall and its upstream device, and when they are numerous they cause link congestion and waste a large amount of network bandwidth.

The prior art does not handle such packets: they are forwarded between the firewall and its upstream device until their TTL reaches 0. When such packets are numerous they occupy a large share of the link bandwidth, consuming device resources and congesting the link.
Summary of the invention
Embodiments of the invention provide a method, device and system for preventing route loops, so as to prevent packets from forming a loop between a firewall and the firewall's egress router and to avoid link congestion.

To achieve the above object, an embodiment of the invention provides, on one hand, a method for preventing route loops, comprising:

when a network address translation (NAT) address-pool address is configured on a firewall, adding a corresponding blackhole route for the NAT address-pool address;

if a received packet whose destination address is the NAT address-pool address matches the blackhole route, discarding the packet that matched the blackhole route.
On the other hand, an embodiment of the invention also provides a device for preventing route loops, comprising:

an adding module, for adding a corresponding blackhole route for a NAT address-pool address when the NAT address-pool address is configured on the firewall;

a packet processing module, for discarding a packet that matched the blackhole route if a received packet whose destination address is the NAT address-pool address matches the blackhole route.
On yet another hand, an embodiment of the invention also provides a system for preventing route loops, comprising:

a forwarding device, for sending packets from the external network toward the users;

a firewall, for adding a corresponding blackhole route for a NAT address-pool address when the NAT address-pool address is configured, and for discarding a packet that matched the blackhole route when a packet sent by the forwarding device whose destination address is the NAT address-pool address matches the blackhole route.

Compared with the prior art, embodiments of the invention have the following advantages. When a NAT address-pool address is configured on the firewall, a corresponding blackhole route is added for that address; if a received packet whose destination address is the NAT address-pool address matches the blackhole route, the packet that matched the blackhole route is discarded. Unauthorized-access packets are thereby prevented from forming a loop between the firewall and the firewall's egress router, congestion on the firewall's outbound link is avoided, and normal operation of services is guaranteed.
Embodiment
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.

An embodiment of the invention provides a method for preventing route loops, mainly used after NAT address translation has been configured on a firewall, to prevent packets from forming a loop between the firewall and the firewall's egress router and to avoid link congestion.

In the embodiment of the invention, when a NAT address is configured on the firewall, a blackhole route is added automatically; the outgoing interface of the blackhole route is a null interface, and every packet whose destination address matches the blackhole route is dropped.

For packets forwarded to the firewall by the firewall's egress router whose destination address is a NAT address-pool address, if no session is found in the firewall's session table, the firewall matches them against the blackhole route corresponding to that NAT address-pool address on the firewall; once the blackhole route is found, the firewall drops the packets directly, so that no route loop arises.
Figure 1 is a flow chart of a method for preventing route loops according to an embodiment of the invention, comprising:

Step S101: when a NAT address-pool address is configured on the firewall, add a corresponding blackhole route for the NAT address-pool address.

In the embodiment of the invention, when a NAT address-pool address is configured on the firewall, a corresponding blackhole route is added for the NAT address-pool address, automatically or manually. The blackhole route has a 32-bit mask, so it is more specific than the default route and wins the longest-prefix match; this guarantees that every packet whose destination address is a NAT address-pool address, and for which no session is found on the firewall, matches the blackhole route directly.

Further, if the NAT address pool contains an interface address of the firewall, then when adding the blackhole routes it is only necessary to add corresponding blackhole routes for the addresses in the NAT address pool other than that interface address; no blackhole route is added for the firewall's interface address, which guarantees that packets whose destination address is the firewall's interface address can still reach the firewall. These blackhole routes also have a 32-bit mask.

Step S102: if a received packet whose destination address is the NAT address-pool address matches the blackhole route, discard the packet that matched the blackhole route.

After the blackhole routes have been configured, when the firewall receives from the external network a packet whose destination address is a NAT address-pool address and finds no session for it, the firewall matches the packet against the blackhole route corresponding to that NAT address-pool address on the firewall; once the packet matches the blackhole route, the firewall discards the packet that matched the blackhole route.
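The following simulation is an added example and is not code from the patent or from any vendor's firewall. It models both the loop described in the Background (a pool-bound packet with no session bouncing between firewall and egress router until its TTL expires) and Steps S101 and S102 (per-address /32 blackhole routes on the firewall, with the firewall's own interface address excluded). The topology, the addresses 203.0.113.x and 10.0.0.5, and the port numbers are constructed assumptions; the session table is a deliberately minimal reverse-NAT map keyed by pool address and port.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for this example (an assumption, not taken from the patent):
#   private host 10.0.0.5 -- firewall (NAT, default route -> egress router) -- egress router
NAT_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # public NAT address pool
FW_OUTSIDE_IP = "203.0.113.10"   # the firewall's own outbound interface address, also in the pool
LOCAL, NULL0 = "local", "null0"  # special next hops: deliver to this device / null interface


@dataclass
class Packet:
    dst: str
    dport: int
    ttl: int = 64


class Node:
    """Minimal forwarder: a routing table consulted with longest-prefix match."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (ip_network, next_hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        # Longest prefix wins, so a /32 blackhole beats the 0.0.0.0/0 default route.
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def handle(self, pkt):
        return self.lookup(pkt.dst)


class Firewall(Node):
    """Firewall with a NAT session table that is consulted before the routing table."""

    def __init__(self, name):
        super().__init__(name)
        self.sessions = {}  # reverse NAT entries: (pool address, port) -> private host

    def handle(self, pkt):
        inside = self.sessions.get((pkt.dst, pkt.dport))
        if inside is not None:
            return "inside:" + inside  # reply to a user-initiated session: un-NAT and deliver
        return self.lookup(pkt.dst)     # no session: ordinary route lookup


def build_topology(with_blackhole):
    fw, router = Firewall("fw"), Node("router")
    fw.add_route("0.0.0.0/0", "router")          # firewall default route points at the egress router
    fw.add_route(FW_OUTSIDE_IP + "/32", LOCAL)    # the interface address belongs to the firewall itself
    router.add_route("203.0.113.0/24", "fw")      # egress router reaches the pool via the firewall
    if with_blackhole:
        # Step S101: one /32 blackhole route per pool address, skipping the
        # firewall's own interface address so that it stays reachable.
        for ip in NAT_POOL:
            if ip != FW_OUTSIDE_IP:
                fw.add_route(ip + "/32", NULL0)
    return {"fw": fw, "router": router}


def forward(pkt, devices, first_hop="router"):
    """Walk the packet device by device, decrementing TTL per hop; return (outcome, hops)."""
    hop, hops = first_hop, 0
    while pkt.ttl > 0:
        nh = devices[hop].handle(pkt)
        hops += 1
        if nh is None:
            return ("no_route", hops)
        if nh == LOCAL:
            return ("delivered_to_" + hop, hops)
        if nh == NULL0:
            return ("blackholed", hops)            # Step S102: matched the blackhole route, drop
        if nh.startswith("inside:"):
            return ("delivered_to_" + nh[len("inside:"):], hops)
        pkt.ttl -= 1                                # forwarded on to the next device
        hop = nh
    return ("ttl_expired", hops)


def scenarios():
    """An unsolicited pool-bound packet with and without blackhole routes, plus the two cases
    that must keep working: a legitimate NAT reply and a packet for the firewall's own address."""
    results = {}
    results["loop"] = forward(Packet("203.0.113.11", 443), build_topology(False))
    results["blackholed"] = forward(Packet("203.0.113.11", 443), build_topology(True))
    devs = build_topology(True)
    devs["fw"].sessions[("203.0.113.11", 40000)] = "10.0.0.5"  # session opened by the private host
    results["reply"] = forward(Packet("203.0.113.11", 40000), devs)
    results["to_fw"] = forward(Packet(FW_OUTSIDE_IP, 22), build_topology(True))
    return results


if __name__ == "__main__":
    for name, (outcome, hops) in scenarios().items():
        print(f"{name:11s} {outcome:26s} after {hops} lookups")
```

Without the blackhole routes the unsolicited packet is looked up 64 times (once per TTL unit) before it expires; with them it is dropped at the firewall on the second lookup. The two control cases show why the session lookup must run before the route lookup and why the interface address is exempted: the reply to a session the private host opened is still delivered inside, and a packet for the firewall's own address still reaches the firewall.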
With the above method for preventing route loops, when NAT translation is performed on the firewall, unauthorized-access packets are prevented from forming a loop between the firewall and the firewall's egress router, congestion on the firewall's outbound link is avoided, and normal operation of services is guaranteed.
Figure 2 is a structural diagram of a device for preventing route loops according to an embodiment of the invention, comprising:

an adding module 21, for adding a corresponding blackhole route for a NAT address-pool address when the NAT address-pool address is configured on the firewall;

a packet processing module 22, for discarding a packet that matched the blackhole route if a received packet whose destination address is the NAT address-pool address matches the blackhole route added by the adding module 21.

As shown in Figure 3, the adding module 21 may comprise:

a route-adding sub-module 211, for adding corresponding blackhole routes for the addresses in the NAT address pool other than the firewall's interface address, when the NAT address pool contains an interface address of the firewall.

The device for preventing route loops may be integrated into the firewall, or may be a separate functional entity.

With the above device for preventing route loops, when NAT translation is performed on the firewall, unauthorized-access packets are prevented from forming a loop between the firewall and the firewall's egress router, congestion on the firewall's outbound link is avoided, and normal operation of services is thereby guaranteed.
Figure 4 is a structural diagram of a system for preventing route loops according to an embodiment of the invention, comprising:

a forwarding device 41, for sending packets from the external network toward the users;

a firewall 42, for adding a corresponding blackhole route for a NAT address-pool address when the NAT address-pool address is configured, and for discarding a packet that matched the blackhole route when a packet sent by the forwarding device 41 whose destination address is the NAT address-pool address matches the blackhole route.

The forwarding device 41 may be the egress router of the firewall 42.

In the above system for preventing route loops, when a NAT address-pool address is configured, the firewall 42 adds a corresponding blackhole route for the NAT address-pool address, so that when NAT translation is performed on the firewall 42, unauthorized-access packets are prevented from forming a loop between the firewall and the firewall's egress router, congestion on the firewall's outbound link is avoided, and normal operation of services is thereby guaranteed.
From the description of the above embodiments, those skilled in the art will clearly understand that the invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention can be embodied in the form of a software product stored on a non-volatile storage medium (which may be a CD-ROM, a USB flash disk, a portable hard disk, etc.) and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to carry out the method described in each embodiment of the invention.

Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the invention.

Those skilled in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of the embodiment as described, or may be correspondingly changed and located in one or more devices different from those of the present embodiment. The modules of the above embodiment may be merged into one module or further split into several sub-modules.

The sequence numbers of the above embodiments of the invention are for description only and do not indicate the merits of the embodiments.

What is disclosed above is only several specific embodiments of the invention; the invention is not limited thereto, and any variation that those skilled in the art can conceive shall fall within the scope of protection of the invention.