CN101355418A - Method, apparatus and system for preventing route loop from generating - Google Patents

Publication number
CN101355418A
Authority
CN
China
Prior art keywords
address
black hole
route
firewall
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2008101669559A
Other languages
Chinese (zh)
Other versions
CN101355418B (en)
Inventor
刘敦辉
徐耀伟
张日华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Huawei Technology Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Symantec Technologies Co Ltd filed Critical Huawei Symantec Technologies Co Ltd
Priority to CN2008101669559A priority Critical patent/CN101355418B/en
Publication of CN101355418A publication Critical patent/CN101355418A/en
Application granted granted Critical
Publication of CN101355418B publication Critical patent/CN101355418B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Abstract

The embodiments of the invention disclose a method, an apparatus and a system for preventing routing loops. The method comprises the following steps: when a network address translation (NAT) address pool address is configured on a firewall, a corresponding blackhole route is added for the NAT address pool address; if a received packet whose destination address is the NAT address pool address matches the blackhole route, the packet that matches the blackhole route is discarded. With the technical solution provided by the embodiments of the invention, unauthorized access packets are prevented from forming a loop between the firewall and the firewall's egress router, congestion on the firewall's outbound link is prevented, and services continue to run normally.

Description

A method, apparatus and system for preventing routing loops
Technical Field
The present invention relates to the field of communication technology, and in particular to a method, apparatus and system for preventing routing loops.
Background
NAT (Network Address Translation) is a technique that converts private network addresses into public network addresses in order to initiate access to external networks. When a packet passes through the firewall, the firewall creates a session table that records the pre-translation and post-translation addresses of each access, so that access conflicts do not arise even when there are more private network addresses than NAT address pool addresses.
The firewall's session table guarantees consistent NAT address translation when private users initiate outbound access. However, the firewall also commonly receives packets whose destination address is a NAT address pool address. Such packets are forwarded by the router connected to the firewall's egress, and no session table entry can be found for them on the firewall. They are not responses to access initiated by private users; they are unauthorized access packets.
As a core-layer device, the firewall may be configured with a default route pointing to its egress router. A packet whose destination address is a pool address, and for which no session table entry is found on the firewall, is forwarded by the firewall to the egress router. The egress router looks up its route for the address pool and forwards the packet back to the firewall. The packet is therefore forwarded back and forth between the firewall and its upstream device until its TTL (Time To Live) reaches 0 and it is discarded. Such packets thus form a loop between the firewall and its upstream device, and once there are more than a few of them they cause link congestion and a significant waste of network bandwidth.
The prior art does not handle such packets, so each one is forwarded between the firewall and its upstream device until its TTL reaches 0. When there are many such packets, they occupy a large amount of link bandwidth, consuming device performance and congesting the link.
Summary of the Invention
The embodiments of the invention provide a method, apparatus and system for preventing routing loops, so as to prevent packets from forming a loop between the firewall and the firewall's egress router and to avoid link congestion.
To achieve the above object, in one aspect the embodiments of the invention provide a method for preventing routing loops, comprising:
when a network address translation (NAT) address pool address is configured on a firewall, adding a corresponding blackhole route for the NAT address pool address;
if a received packet whose destination address is the NAT address pool address matches the blackhole route, discarding the packet that matches the blackhole route.
In another aspect, the embodiments of the invention also provide an apparatus for preventing routing loops, comprising:
an adding module, configured to add a corresponding blackhole route for a NAT address pool address when the NAT address pool address is configured on a firewall;
a packet processing module, configured to discard a received packet whose destination address is the NAT address pool address if that packet matches the blackhole route.
In yet another aspect, the embodiments of the invention also provide a system for preventing routing loops, comprising:
a forwarding device, configured to send packets from an external network to a user;
a firewall, configured to add a corresponding blackhole route for a NAT address pool address when the NAT address pool address is configured, and to discard a packet sent by the forwarding device whose destination address is the NAT address pool address when that packet matches the blackhole route.
Compared with the prior art, the embodiments of the invention have the following advantages: when a NAT address pool address is configured on the firewall, a corresponding blackhole route is added for that address, and a received packet whose destination address is the NAT address pool address and which matches the blackhole route is discarded. This prevents unauthorized access packets from forming a loop between the firewall and the firewall's egress router, prevents congestion on the firewall's outbound link, and keeps services running normally.
Brief Description of the Drawings
To illustrate the technical solutions of the embodiments of the invention more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for preventing routing loops according to an embodiment of the invention;
Fig. 2 is a structure diagram of an apparatus for preventing routing loops according to an embodiment of the invention;
Fig. 3 is a structure diagram of another apparatus for preventing routing loops according to an embodiment of the invention;
Fig. 4 is a structure diagram of a system for preventing routing loops according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the invention.
The embodiments of the invention provide a method for preventing routing loops. It is mainly used after NAT address translation has been configured on a firewall, to prevent packets from forming a loop between the firewall and the firewall's egress router and to avoid link congestion.
In the embodiments of the invention, a blackhole route is added automatically at the same time as the NAT addresses are configured on the firewall. The outgoing interface of the blackhole route is the null interface, and every packet whose destination address matches the blackhole route is discarded.
Consider a packet that the firewall's egress router forwards to the firewall and whose destination address is a NAT address pool address. If no session for it is found in the firewall's session table, the firewall matches the packet against the blackhole route that corresponds to that NAT address pool address. Once the blackhole route is found, the firewall discards the packet directly, which avoids the routing loop.
Fig. 1 is a flow chart of a method for preventing routing loops according to an embodiment of the invention. The method comprises:
Step S101: when a NAT address pool address is configured on the firewall, add a corresponding blackhole route for the NAT address pool address.
In the embodiments of the invention, the corresponding blackhole route is added for the NAT address pool address, automatically or manually, at the same time as the NAT address pool address is configured on the firewall. The blackhole route has a 32-bit mask, which ensures that every packet whose destination address is a NAT address pool address, and for which no session is found on the firewall, directly matches the blackhole route.
Further, if the NAT address pool contains the firewall's interface address, blackhole routes need only be added for the other addresses in the pool. No blackhole route is added for the firewall's interface address, so that packets whose destination address is the firewall's interface address can still reach the firewall. The mask of these blackhole routes is a 32-bit mask.
Step S102: if a received packet whose destination address is the NAT address pool address matches the blackhole route, discard the packet that matches the blackhole route.
Once the blackhole route has been configured, when the firewall receives from the external network a packet whose destination address is a NAT address pool address, it matches the packet against the blackhole route that corresponds to that address. When the packet matches the blackhole route, the packet is discarded.
With the above method, while NAT translation is performed on the firewall, unauthorized access packets are prevented from forming a loop between the firewall and the firewall's egress router, congestion on the firewall's outbound link is prevented, and services keep running normally.
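The following simulation of steps S101 and S102 is an added example, not part of the patent. It counts how often one unsolicited packet crosses the firewall/egress-router link with and without the blackhole routes; the interface names, addresses, ports and the simplified session table keyed by (address, port) are constructed assumptions.

```python
import ipaddress

NULL0, EGRESS, LOCAL = "null0", "egress-router", "local"  # constructed interface names

def blackhole_routes(pool, interface_ip=None):
    """Step S101: a 32-bit-mask blackhole route for each NAT pool address,
    except the firewall's own interface address when it is part of the pool."""
    return {ipaddress.ip_network(f"{addr}/32"): NULL0
            for addr in pool if addr != interface_ip}

def build_table(interface_ip, extra=None):
    """Firewall routing table: default route to the egress router, a local
    host route for the interface address, plus any extra routes."""
    table = {ipaddress.ip_network("0.0.0.0/0"): EGRESS,
             ipaddress.ip_network(f"{interface_ip}/32"): LOCAL}
    table.update(extra or {})
    return table

def lookup(table, dst):
    """Longest-prefix match; returns the outgoing interface."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in table if addr in net), key=lambda n: n.prefixlen)
    return table[best]

def firewall_decision(table, sessions, dst, dport):
    """Step S102: consult the session table first, then the routing table."""
    if (dst, dport) in sessions:
        return "translate"            # reply to a flow a private user opened
    out = lookup(table, dst)
    if out == LOCAL:
        return "deliver"
    return "drop" if out == NULL0 else "forward"

def link_crossings(table, sessions, dst, dport, ttl=64):
    """Times one packet, arriving at the egress router with the given TTL,
    crosses the firewall/egress-router link. Assumes the egress router's
    route for the pool points at the firewall, as the background describes."""
    crossings, at_firewall = 0, False
    while True:
        if at_firewall and firewall_decision(table, sessions, dst, dport) != "forward":
            break
        ttl -= 1                      # each forwarding device decrements TTL
        if ttl == 0:
            break                     # TTL expired: packet discarded
        crossings += 1
        at_firewall = not at_firewall
    return crossings

# Constructed sample data (documentation address range).
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
IFACE = "203.0.113.10"                 # firewall interface address, inside the pool
SESSIONS = {("203.0.113.12", 40001)}   # one translated flow in the session table

def demo():
    before = build_table(IFACE)
    after = build_table(IFACE, blackhole_routes(POOL, IFACE))
    probe = ("203.0.113.11", 445)      # unsolicited packet, no session entry
    return (link_crossings(before, SESSIONS, *probe),
            link_crossings(after, SESSIONS, *probe))

if __name__ == "__main__":
    print(demo())
```

Calling `blackhole_routes(POOL)` without the interface address overwrites the local host route, so packets addressed to the firewall itself are dropped; that is the case the interface-address exclusion in step S101 avoids.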
Fig. 2 is a structure diagram of an apparatus for preventing routing loops according to an embodiment of the invention. The apparatus comprises:
An adding module 21, configured to add a corresponding blackhole route for a NAT address pool address when the NAT address pool address is configured on the firewall.
A packet processing module 22, configured to discard a received packet whose destination address is the NAT address pool address if that packet matches the blackhole route added by the adding module 21.
As shown in Fig. 3, the adding module 21 may comprise:
A route adding submodule 211, configured to add, when the NAT address pool contains the firewall's interface address, corresponding blackhole routes for the other addresses in the pool apart from the firewall's interface address.
The apparatus for preventing routing loops may be integrated on the firewall, or may be an independent functional entity.
With the above apparatus, while NAT translation is performed on the firewall, unauthorized access packets are prevented from forming a loop between the firewall and the firewall's egress router, congestion on the firewall's outbound link is prevented, and services keep running normally.
Fig. 4 is a structure diagram of a system for preventing routing loops according to an embodiment of the invention. The system comprises:
A forwarding device 41, configured to send packets from an external network to a user;
A firewall 42, configured to add a corresponding blackhole route for a NAT address pool address when the NAT address pool address is configured, and to discard a packet sent by the forwarding device 41 whose destination address is the NAT address pool address when that packet matches the blackhole route.
The forwarding device 41 may be the egress router of the firewall 42.
In the above system, the firewall 42 adds a corresponding blackhole route for the NAT address pool address when that address is configured. While NAT translation is performed on the firewall 42, unauthorized access packets are therefore prevented from forming a loop between the firewall and the firewall's egress router, congestion on the firewall's outbound link is prevented, and services keep running normally.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be implemented in hardware, or in software together with a necessary general-purpose hardware platform. On that understanding, the technical solution of the invention can be embodied as a software product. The software product can be stored on a non-volatile storage medium (a CD-ROM, a USB flash drive, a portable hard disk, etc.) and includes instructions that cause a computer device (a personal computer, a server, a network device, etc.) to carry out the methods described in the embodiments of the invention.
Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the invention.
Those skilled in the art will appreciate that the modules of the apparatus in an embodiment may be distributed in the apparatus as described in the embodiment, or may be changed accordingly and located in one or more apparatuses different from that of the embodiment. The modules of the above embodiments may be combined into one module or further split into multiple submodules.
The sequence numbers of the above embodiments are for description only and do not indicate the relative merits of the embodiments.
What is disclosed above is only several specific embodiments of the invention. The invention is not limited to them, and any variation that a person skilled in the art can conceive of shall fall within the protection scope of the invention.

Claims (8)

1. A method for preventing routing loops, characterized by comprising:
when a network address translation (NAT) address pool address is configured on a firewall, adding a corresponding blackhole route for the NAT address pool address;
if a received packet whose destination address is the NAT address pool address matches the blackhole route, discarding the packet that matches the blackhole route.
2. The method of claim 1, characterized in that, if the NAT address pool contains the interface address of the firewall,
when the NAT address pool address is configured on the firewall, corresponding blackhole routes are added for the other addresses in the NAT address pool apart from the interface address of the firewall.
3. The method of claim 1, characterized in that adding the corresponding blackhole route for the NAT address pool address specifically comprises:
adding the corresponding blackhole route for the NAT address pool address automatically or manually.
4. The method of any one of claims 1 to 3, characterized in that the blackhole route has a 32-bit mask.
5. An apparatus for preventing routing loops, characterized by comprising:
an adding module, configured to add a corresponding blackhole route for a NAT address pool address when the NAT address pool address is configured on a firewall;
a packet processing module, configured to discard a received packet whose destination address is the NAT address pool address if that packet matches the blackhole route.
6. The apparatus of claim 5, characterized in that the adding module comprises:
a route adding submodule, configured to add, when the NAT address pool contains the interface address of the firewall, corresponding blackhole routes for the other addresses in the NAT address pool apart from the interface address of the firewall.
7. The apparatus of claim 5, characterized in that the apparatus for preventing routing loops is integrated on the firewall, or is an independent functional entity.
8. A system for preventing routing loops, characterized by comprising:
a forwarding device, configured to send packets from an external network to a user;
a firewall, configured to add a corresponding blackhole route for a NAT address pool address when the NAT address pool address is configured, and to discard a packet sent by the forwarding device whose destination address is the NAT address pool address when that packet matches the blackhole route.
CN2008101669559A 2008-09-28 2008-09-28 Method, apparatus and system for preventing route loop from generating Active CN101355418B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101669559A CN101355418B (en) 2008-09-28 2008-09-28 Method, apparatus and system for preventing route loop from generating

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008101669559A CN101355418B (en) 2008-09-28 2008-09-28 Method, apparatus and system for preventing route loop from generating

Publications (2)

Publication Number Publication Date
CN101355418A true CN101355418A (en) 2009-01-28
CN101355418B CN101355418B (en) 2012-11-21

Family

ID=40308031

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101669559A Active CN101355418B (en) 2008-09-28 2008-09-28 Method, apparatus and system for preventing route loop from generating

Country Status (1)

Country Link
CN (1) CN101355418B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025572A (en) * 2011-01-10 2011-04-20 中国科学院软件研究所 Method for preventing and monitoring Internet loop
CN102176784A (en) * 2010-12-30 2011-09-07 北京星网锐捷网络技术有限公司 Method for preventing loop circuit of wireless local area network and wireless access point equipment
CN106550058A (en) * 2015-09-17 2017-03-29 群晖科技股份有限公司 Network address translation penetration method and system using same

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102176784A (en) * 2010-12-30 2011-09-07 北京星网锐捷网络技术有限公司 Method for preventing loop circuit of wireless local area network and wireless access point equipment
CN102176784B (en) * 2010-12-30 2014-06-04 北京星网锐捷网络技术有限公司 Method for preventing loop circuit of wireless local area network and wireless access point equipment
CN102025572A (en) * 2011-01-10 2011-04-20 中国科学院软件研究所 Method for preventing and monitoring Internet loop
CN102025572B (en) * 2011-01-10 2012-12-19 中国科学院软件研究所 Method for preventing and monitoring Internet loop
CN106550058A (en) * 2015-09-17 2017-03-29 群晖科技股份有限公司 Network address translation penetration method and system using same

Also Published As

Publication number Publication date
CN101355418B (en) 2012-11-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220915

Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041

Patentee after: Chengdu Huawei Technologies Co.,Ltd.

Address before: 611731 Qingshui River District, Chengdu hi tech Zone, Sichuan, China

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.