CN101488949A - Packet content detection and flow control apparatus - Google Patents
Packet content detection and flow control apparatus Download PDFInfo
- Publication number
- CN101488949A CN101488949A CNA200810155216XA CN200810155216A CN101488949A CN 101488949 A CN101488949 A CN 101488949A CN A200810155216X A CNA200810155216X A CN A200810155216XA CN 200810155216 A CN200810155216 A CN 200810155216A CN 101488949 A CN101488949 A CN 101488949A
- Authority
- CN
- China
- Prior art keywords
- input
- programmable logic
- content
- logic controller
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
This invention discloses a message content detection and flow control apparatus for network safety monitoring, network distribution and network content filtering. A third input/output opening of a main controller of the apparatus is connected with a high speed buffer area via a high speed buffer area bus as well as a fourth input/output port is connected with a programmable logic controller. A first communication port of the programmable logic controller is connected with an optical fibre output interface via a framer as well as a second communication port is connected with the optical fibre input interface. A third communication port of the programmable logic controller is connected with a parallel content addressing memory. A data packet which is accessed in the network with the speed ratio of 10G is analyzed; the data packet is classified and filtered according to fields in a data packet protocol head; the message data content is filtered and captured based on a specified rule set by the user. The gradual content level identification and flow control can be performed to the message with 10G speed ratio on the hardware level; the analysis ability of the rule table of 64K is four times than that of the original detection rule table.
Description
Technical field
Invention relates to a kind of device that network security monitoring, network shunting and Web content filter that is used for.
Background technology
At present, network shunting and content filtering device (as the device of Huawei Tech Co., Ltd's production) comprise master controller, pci interface, framer, search accelerator, this device mainly is that the packet at the network insertion of 2.5G speed carries out analyzing and processing, and some field that only is directed in the data protocol head is classified, filtered packet.System carries out filtration treatment according to the classifying rules (purpose IP address+source IP address+protocol number+destination slogan+source port number) of user oneself configuration.And its rule list is no more than 16K, 2.5G processing speed also will influence and limit the use of content detection equipment on the express network main line, the condition of search screening simultaneously constantly increases, and the high speed that the 16K rule list also more and more can't adapt to existing network requires the utilization market with complicated more analyzing and testing rule.
Summary of the invention
The purpose of invention is to provide a kind of message content to detect and flow control apparatus, and this device processing speed is greater than 2.5G, and the high speed that can satisfy network requires and complicated more analyzing and testing rule.
The purpose of invention is achieved in that this device comprises master controller, the communication connector of master controller links to each other with pci interface, first input/output port of master controller and second input/output port are connected with the many queue management devices of high-speed hardware respectively, the 3rd input/output port of master controller links to each other with high-speed buffer by the speed buffering local bus, the 4th input/output port of master controller is connected with programmable logic controller (PLC), first communication port of programmable logic controller (PLC) links to each other with the optical fiber output interface by framer, second communication port of programmable logic controller (PLC) links to each other with the optical fiber input interface, and the 3rd communication port of programmable logic controller (PLC) links to each other with parallel content adressable memory.
Invention designs at the continuous demand of present stage network high-speed development, having adopted advanced parallel content-based addressing and addressing of address table look-up algorithm, the many queue managements of high speed. not only can table look-up to the content that preceding 20 bytes of source IP address, purpose IP address, source port number, destination slogan and protocol type and message load stem are carried out combination in any, more can realize characteristic key words identification, thereby can pursue identification of newspaper content-level and Flow Control to 10G speed message at hardware level to any position in the message load.
Invention has the following advantages:
1, the packet of 10G speed network insertion is analyzed;
2, according to some field in the data pack protocol head packet is classified, filtered;
3, preceding 20 bytes of source IP address, purpose IP address, source port number, destination slogan and protocol type and the message load stem content of carrying out combination in any is tabled look-up, and more can realize the characteristic key words identification to any position in the message load;
4, can have more the user sets specific rule the message data content is filtered and intercepted and captured.Thereby can pursue identification of newspaper content-level and Flow Control to 10G speed message at hardware level;
5, the rule list of 64K is 4 times of former detection rule list analysis ability.
Description of drawings
Fig. 1 is the circuit theory schematic diagram of an embodiment of invention.
Fig. 2 is the pci interface circuit diagram among Fig. 1.
Fig. 3 is the main controller circuit figure among Fig. 1.
Fig. 4 is many queue management devices of the high-speed hardware circuit diagram among Fig. 1.
Fig. 5 is the parallel content addressable memory circuit figure among Fig. 1.
Embodiment
In Fig. 1, the communication connector A1-A31 of master controller MPU links to each other with pci interface, the first input/output port D0-D30 of master controller MPU is connected with many queue management devices of high-speed hardware IDT1, second input/output port D31-D63 of master controller MPU is connected with many queue management devices of high-speed hardware IDT2, the 3rd input/output port BA0-BA63 of master controller MPU links to each other with high-speed buffer RAM by speed buffering local bus RAM BUS, the 4th input/output port FPD0-FPD63 of master controller MPU is connected with programmable logic controller (PLC) FPGA, first communication port FPDQM0-FPDQM63 of programmable logic controller (PLC) FPGA links to each other with optical fiber output interface RJ1 by framer PMC, second communication port R0-R7 of programmable logic controller (PLC) FPGA links to each other with optical fiber input interface RJ2, and the 3rd communication port FBAA0-FBAA63 of programmable logic controller (PLC) MPU links to each other with parallel content adressable memory CAM.
The each several part power supply adopts direct current 3.3V.
Pci interface partly adopts NS8392.
Flow chart of data processing is as follows:
The 10G network message enters many queue management devices of high-speed hardware IDT and while and parallel content adressable memory CAM collaborative work by optical fiber, and the collaborative high-speed buffer RAM rule list of MPU control search accelerator PMC TEMU X336 carries out message header and message content comparison match by the rule that is stored among the CAM to the data message.And the result is sent into Control Server by pci interface handle by setting.
For 10G bit/s port, this device combines with parallel content addressed memory technology in employing RAMBUS technology and finally makes test result reach re-set target.
Master controller MPU is responsible for the management and the control of entire equipment, directly receive instruction from network management center, and be issued to each interface board execution command, each interface board is sent to master controller MPU to running status and statistics simultaneously, carry out necessary processing by master controller MPU, issue network management center when needing.Master controller MPU adopts the NP4GS3C 2.5G network processing unit of IBM, is the strong guarantee of handling top every information for the energy precise and high efficiency.
Parallel content adressable memory CAM (Content Addressable Memory) is a kind of special storage array.It has all data item of will store among input data and the CAM and compares simultaneously, judge rapidly the input data whether with CAM in stored data items be complementary, and provide the characteristics of data item corresponding address and match information, and this equipment adopts the CAM chip of MOTOROLA company--and MCM 69 C 233 realize data retrieval and matching features. be the high performance content addressable memory of a 10Gbps
It is 64 data item that MCM 69 C 233 can store 4096 width.MCM 69 C 233 have two data ports: control port (Control Port) and coupling port (Match Port).Control port is used for the operation of content-addressable memory (CAM Table), except that the increase/deletion that is used for data item, verification, statistics, can also read the information of chip internal status register.The retrieval of data is finished by the coupling port.MCM 69 C 233 are not used in the address bus of determining contents storage address, and address wire A0~A2 is used for the addressing to sheet inner control register.Writing under the CAM pattern, MCM 69 C 233 read the data item that need write from control port data wire DQ0~DQ15, and the memory address of data item is by the chip internal logic control.The user can programme to the matched rule of MCM 69 C 233, when reading CAM pattern (searching coupling), MCM 69 C 233 directly read in data from a coupling mouthful data wire MQ0~MQ31, and all data item that will import in data item and the array according to predefined matched rule walk abreast relatively.If data item exists, the index value of coupling mouthful this data item of output, and MS is 0; If data item does not exist, MS is 1.Because comparison procedure only needs a clock cycle, so speed is exceedingly fast.
Many queue management devices of high-speed hardware IDT1, IDT2:
This device adopts many formations of 10Gbps flow control chip id T 72P51777L6, and the novel memory technology of many formations of employing FIFO of this chip can be supported the realization of High Speed of QoS effectively.And can network service quality and other need design the application of queuing data rearrangement in order to improve, it had both supported that data separation was used flexibly, had avoided complicated sheet to control logic outward again.It is connected mainly by 18 read-write controller (WADEN/FSTR/WRADD/WEN/WCLK with master control borad, RADEN/ESTR/RDADD/REN/RCLK) and read-write state controller (OV/PAE/PR/PAEN/PRN, FF/PAF/PAFN), demux64 position input data line, and 64 continuous detection and queuings of finishing the data hardware level of mux output data lines.
1, many formations FIFO introduces
This device is equipped with embedded FIFO memory core and high speed queue logic, has very high data transfer bandwidth and configurability flexibly.The highest support of this device single-chip 10.2Gbps continues transmission rate and supports 32 subqueues at most, and 256 subqueues are supported in the device cascade at most.Only need a FIFO buffer memory several data to flow, help the user to select different formations to carry out independently read-write capability.
Many formations FIFO not only provides such as traditional FIFO functions such as metadata cache, the indication of queue full dummy status, Writing/Reading clock independence and Writing/Reading bus couplings, and support whole package operation pattern (Packet Mode) and data separation queuing, realize similar functions thereby eliminated the expensive complicated operations logic of former usefulness.Many formations FIFO is the memory that differentiable a plurality of logical sub formations are provided in a physical device.Can distinguish and be meant that each subqueue can independent Writing/Reading, and each subqueue there is independently state indication.
The FPGA control of the FIFO of formation more than 2
FPGA is to present three aspects of the control volume of many formations FIFO: configuration, write operation and read operation.
2.1 the configuration of many formations FIFO
Trendy many formations of IDT flow control device provides up-to-date solution to the system designer, makes only just can carry out selectable a plurality of differentiable sequential data accesses operation with a height integrated device.This flexibly function can option be set by a series of devices and realize.Different with former single formation FIFO device (as IDT 3690) is, many formations FIFO has the configurability of relative complex, except that Writing/Reading port bus width can directly be set by chip pin, also have corresponding two kinds of configuration modes: default configuration and series arrangement, wherein series arrangement claims the User Defined configuration again, is a kind of new device property.
Configurable of many formations FIFO has: (a) logical sub number of queues in the device; (b) storage depth of each subqueue; (c) PAF of each subqueue (almost full) deviant; (d) PAE of each subqueue (almost empty) deviant (general mode down effectively changes whole bag indication PR under the whole pack mode).
The user is to the very big flexibility of disposing of many formations FIFO.For instance, IDT72V51336~IDT72V51356 can be configured to 1~8 formation, and it all is separate that the degree of depth of each formation is set.Flag bit is a user-programmable, and each subqueue is independent.Configuration can be undertaken by special serial programming mouth, also can not use default mode if do not need to device programming.
Series arrangement is meant that the data of configuration many formations FIFO send into device by bit serial.At many formations FIFO device inside the register of depositing configuration data is arranged, these registers are a base unit with 18.If Q is the subqueue number of cell configuration, the maximum subqueue number that Qmax supports for this device then has (the individual register of Qmax * 4+1) in the device.The required Bit data amount Sum of single cell configuration is: 18+Qx72+1.Last bit finishes indication for configuration, if Q=8, then Sum=19+8x72=595 bit in the design.
2.2 write operation
Many formations FIFO is used in formation address Wradd/Rdadd and distinguishes each Writing/Reading subqueue, specifies new Writing/Reading subqueue with the high level of locking useful signal Waden/Raden, and it is Wen/Ren that Writing/Reading enables.The switching that many formations FIFO write operation is compared the write queue address exists delays effect, and promptly to send into new subqueue be that second of occurring in behind the new subqueue of the locking address writes the clock cycle to the data on the write bus.If can utilize this temporal aspect, two new subqueue addresses of cycle locking can accomplish that then 100% uses the write bus cycle in advance.When group queue full indication FF was effective, new data can't write this formation, and loss of data can take place.Generally, all to configure the PAF deviant, after seeing that PAFn~drag down effectively, stop write operation for fear of this situation.
2.3 read operation
Also have the relative effect of delaying of reading the formation address with the similar read operation of write operation, promptly the 3rd after the locking of new formation address reads the clock cycle, and the transformation of data that presents on the read bus is the data in the new subqueue.So lock new formation if can shift to an earlier date three cycles, then can accomplish 100% read bus utilance.When selected quene state is sky, present the overall height level on the read port.After configuring the PAE deviant, by checking the empty or non-dummy status of PAEn~just can learn formation, and carry out the action of reading or switching new formation in advance.
Claims (1)
1. a message content detects and flow control apparatus, this device comprises master controller, the communication connector of master controller links to each other with pci interface, first input/output port of master controller and second input/output port are connected with the many queue management devices of high-speed hardware respectively, the 3rd input/output port that it is characterized in that master controller links to each other with high-speed buffer by the speed buffering local bus, the 4th input/output port of master controller is connected with programmable logic controller (PLC), first communication port of programmable logic controller (PLC) links to each other with the optical fiber output interface by framer, second communication port of programmable logic controller (PLC) links to each other with the optical fiber input interface, and the 3rd communication port of programmable logic controller (PLC) links to each other with parallel content adressable memory.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA200810155216XA CN101488949A (en) | 2008-10-28 | 2008-10-28 | Packet content detection and flow control apparatus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA200810155216XA CN101488949A (en) | 2008-10-28 | 2008-10-28 | Packet content detection and flow control apparatus |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101488949A true CN101488949A (en) | 2009-07-22 |
Family
ID=40891628
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA200810155216XA Pending CN101488949A (en) | 2008-10-28 | 2008-10-28 | Packet content detection and flow control apparatus |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101488949A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109802872A (en) * | 2019-03-19 | 2019-05-24 | 北京信而泰科技股份有限公司 | A kind of message capturing method, device and equipment |
| CN111565197A (en) * | 2020-05-28 | 2020-08-21 | 华兴源创(成都)科技有限公司 | Communication system and method for production equipment |
-
2008
- 2008-10-28 CN CNA200810155216XA patent/CN101488949A/en active Pending
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109802872A (en) * | 2019-03-19 | 2019-05-24 | 北京信而泰科技股份有限公司 | A kind of message capturing method, device and equipment |
| CN109802872B (en) * | 2019-03-19 | 2021-07-30 | 北京信而泰科技股份有限公司 | Message capturing method, device and equipment |
| CN111565197A (en) * | 2020-05-28 | 2020-08-21 | 华兴源创(成都)科技有限公司 | Communication system and method for production equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101771627B (en) | Equipment and method for analyzing and controlling node real-time deep packet on internet | |
| WO2006069126A2 (en) | Method and apparatus to support multiple memory banks with a memory block | |
| JP4072583B2 (en) | Integrated multiport switch with shared media access control circuit | |
| CN102360342A (en) | Solid state disk for rapidly storing and displaying massive image data | |
| CN106294239A (en) | A kind of peripheral bus APB bus bridge | |
| CN110266679A (en) | Capacitor network partition method and device | |
| CN103731364B (en) | X86 platform based method for achieving trillion traffic rapid packaging | |
| CN113448402A (en) | Server supporting multi-backboard cascade | |
| CN108337286A (en) | One kind cutting packet method and device | |
| CN106372029A (en) | Point-to-point on-chip communication module based on interruption | |
| CN110515879B (en) | Asynchronous transmission device and transmission method thereof | |
| CN101488949A (en) | Packet content detection and flow control apparatus | |
| Zhang et al. | A multi-VC dynamically shared buffer with prefetch for network on chip | |
| CN201294544Y (en) | Message content detection and flow control device | |
| CN111611180B (en) | Dynamic shared buffer area supporting multiple protocols | |
| JP2015504196A (en) | Embedded memory and dedicated processor structure in integrated circuits | |
| CN100387027C (en) | Bag-preprocessing circuit assembly of interface card for high-speed network diversion equipment | |
| CN105939238A (en) | SOC isolation Memory-based 10Gbps Ethernet real-time data acquisition method | |
| CN100471175C (en) | Message storage forwarding method and message storage forwarding circuit | |
| CN103150129B (en) | PXI e interface Nand Flash data flow table access accelerated method | |
| CN107820142B (en) | Single-die optical switch structure based on high-density memory | |
| CN110321300A (en) | A kind of implementation method of signal processing data high-speed record and playback module | |
| CN109285580A (en) | Data prediction device, method and asynchronous double-end randon access memory system | |
| CN108108149A (en) | A kind of performance statistics circuit efficiently collected based on separation statistics | |
| CN105550140B (en) | A kind of electronic equipment and data processing method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Open date: 20090722 |