CN101764741A - Filtering and shunting device and method supporting multi-service function - Google Patents

Publication number
CN101764741A
Authority
CN
China
Legal status
Granted
Application number
CN200910199468.7A
Other languages
Chinese (zh)
Other versions
CN101764741B (en
Inventor
张诗超
Current Assignee
Constant technology (Shanghai) Limited by Share Ltd
Original Assignee
Shanghai EmbedWay Information Technologies Co Ltd

Abstract

The invention relates to a filtering and shunting device and method supporting multi-service function. The method comprises the following steps: matching input original data packets one by one against the rule policy library subunits established by different users to form match results; processing the match results to form result labels, and establishing a mapping table between the result labels and output ports; and adding the result labels to the headers of the original data packets, obtaining the output ports from the result labels and the mapping table, and sending the original data packets to users from those output ports. The shunting and filtering functions of multiple services share the processing resources of the same input unit and device. Multiple sets of filtering and shunting policies are supported in one filtering and shunting device; they are completely independent and do not interfere with one another, so the multi-service requirement is effectively met.

Description

Filtering and shunting device and method supporting multi-service function
Technical field
The present invention relates to the filtering and shunting of data packets, and in particular to a filtering and shunting device and method supporting multi-service function.
Background
In recent years, the construction of backbone networks and metropolitan area networks in China has developed very rapidly, and their overall scale is considerable. The bandwidth of almost all regional backbone networks has reached 10G (Gigabit), and part of the backbone networks have been upgraded to 40G. Total egress bandwidth has reached hundreds of G in large cities and provincial capitals, and some megacities have reached the T (Terabit) level. The broadband services built on this network infrastructure are also flourishing. These broadband services, and the security assurance services that have developed alongside them, make a filtering and shunting device suited to high-bandwidth, high-volume traffic a key element of service deployment.
Typical broadband services at present include telecom value-added services such as green Internet access, broadband network service analysis, inter-network traffic settlement systems, and virus cleaning. Security assurance services include intrusion monitoring systems and network security audit. Because the services differ in characteristics and behaviour, deploying each of them requires a filtering and shunting device that meets that service's requirements to pre-process packets at the front end, with its own filtering and shunting rule policies configured, so that the equipment actually carrying the service can perform the corresponding computation and processing. These services need corresponding filtering and shunting equipment at the same network node, filtering and shunting the same group of backbone traffic.
Chinese invention patent application No. 200710036221.4 discloses a security content filtering and shunting device based on complete useful connection data. It first applies coarse-grained filtering to packet content; the filtered data then undergoes fine-grained filtering by a content rule expression matching module, and useful data that has not yet matched enters a cache system built from FPGAs. Once a subsequent packet matches, the system stamps the cached packets and the packets that arrive afterwards with the corresponding label, and then delivers them to each back-end application processing device in order of arrival, preserving the connection.
However, existing filtering and shunting equipment is limited by its technical architecture and processing performance. It can implement only one set of filtering and shunting policies and serve one service function, so multiple services require multiple sets of filtering and shunting devices. For example, the packets output by the filtering and shunting device for the network security audit service can only meet the needs of the security audit service; they cannot meet the packet requirements of other broadband services, such as green Internet access and broadband network service analysis, or of other security assurance services. This undoubtedly causes great waste of fibre resources, equipment, and energy.
Summary of the invention
The problem solved by the present invention is to provide, given the trend toward increasingly complex broadband and security assurance services, a filtering and shunting device supporting multi-service function. It addresses the prior-art situation in which deploying multiple network services requires multiple sets of filtering and shunting devices, with the resulting great waste of fibre resources, equipment, and energy.
To solve the above technical problem, the invention provides a filtering and shunting device supporting multi-service function, comprising: a management unit, which provides interfaces for users to formulate the rule policies corresponding to each type of service, and outputs the rule policies to the rule policy library unit; a rule policy library unit, which forms rule policy library subunits from the rule policies; a classification matching engine, which receives packets, matches each packet one by one against the rule policy library subunits to form a match result, sends the match result to the service label processing engine, receives the result label, adds the result label to the packet header, and sends the packet to the aggregation switching engine; a service label processing engine, which processes the match result to form the result label, outputs the result label to the classification matching engine, establishes a mapping table between result labels and output ports, and outputs the mapping table to the aggregation switching engine; and an aggregation switching engine, which receives packets whose headers carry the result label, obtains the output port of each packet from the result label and the mapping table, and sends the packet to the user from that output port.
The rule policy library subunit contains the rule policies, and each rule policy comprises a rule and a forwarding action.
The classification matching engine performs protocol analysis on the original data packet, extracts its protocol field content, and matches the protocol field content one by one against the rule policy library subunits.
When the protocol field content meets a rule in a rule policy library subunit, the forwarding action corresponding to that rule is the match result.
The match result is one of: drop, forward to a specified output port, or forward to a specified group of output ports.
The service label processing engine applies a shift operation and an add operation to the output ports in the match results to form the result label.
The classification matching engine adds the result label to the header of the original data packet as part of the destination MAC address.
The present invention also provides a filtering and shunting method supporting multi-service function, characterized by comprising: formulating the rule policies corresponding to each type of service; forming rule policy library subunits from the rule policies; receiving a packet, matching the packet one by one against the rule policy library subunits to form a match result, and sending the match result; processing the match result to form the result label, outputting the result label, establishing a mapping table between result labels and output ports, and outputting the mapping table; receiving the result label, adding it to the packet header, and outputting the packet; and receiving the packet whose header carries the result label, obtaining the output port of the packet from the result label and the mapping table, and sending the packet to the user from that output port.
When the match result is formed, protocol analysis is performed on the original data packet and its protocol field content is extracted. The protocol field content is matched one by one against the rule policy library subunits; when it matches a rule in a rule policy library subunit, the forwarding action corresponding to that rule is the match result.
When the result label is formed, a shift operation is applied to the output ports in the match results, and the shifted values are added together to form the result label.
Compared with the prior art, the invention provides a filtering and shunting device and method supporting multiple service types. The shunting and filtering functions of multiple services share the processing resources of the same input unit and filtering and shunting device. Multiple sets of filtering and shunting policies are supported within one device, completely independent of and without interfering with one another. Packets that meet different filtering and shunting policies are output from different output ports to the corresponding back-end processing systems for service processing, which effectively meets the multi-service requirement. The invention also provides a multi-user management interface, which greatly eases the deployment and implementation of multiple services, and combines rules with actions to give convenient low-level support for multiple users.
Description of drawings
Fig. 1 is a structural diagram of the filtering and shunting device supporting multi-service function according to the invention;
Fig. 2 is a flow chart of the filtering and shunting method supporting multi-service function according to the invention.
Embodiments
The invention is further described below with reference to the drawings and embodiments. Well-known functions and structures are not described in detail in the following description, because unnecessary detail would obscure the invention.
As shown in Fig. 1, the invention provides a filtering and shunting device supporting multi-service function, comprising: management unit 1, rule policy library unit 2, classification matching engine 3, service label processing engine 4, and aggregation switching engine 5.
Management unit 1: provides interfaces for users to formulate the rule policies corresponding to each type of service, and outputs the formulated rule policies to rule policy library unit 2.
Specifically, management unit 1 gives different users mutually independent read-write and management interfaces, and each user establishes the rule policies for its own services according to its service requirements. Once the rule policies are formulated, management unit 1 imports the rule policies established by the users into rule policy library unit 2 in high-speed memory.
Rule policy library unit 2: stores the rule policies that different users have formulated for each type of service, forming rule policy library subunits that belong to the different users.
In rule policy library unit 2 in high-speed memory, the rule policies established by different users are allocated to different memory spaces, forming mutually independent rule policy library subunits. Each policy library subunit contains the rule policies formulated by its user. A rule policy comprises a rule and a forwarding action: the rule uses a specific pattern to describe the features to be matched, and the forwarding action is how packets that meet the rule are sent from the specified output port.
Classification matching engine 3: receives original data packets and matches each one against the rule policy library subunits belonging to the different users in rule policy library unit 2 to form a match result, and sends the match result to service label processing engine 4; it receives the result label output by service label processing engine 4, adds the result label to the header of the original data packet, and sends the packet to aggregation switching engine 5.
Specifically, hardware interface chips handle packet access on the various physical interfaces, and the original data packets obtained by the network router are output to classification matching engine 3. Classification matching engine 3 receives an original data packet, performs protocol analysis, and extracts the packet's protocol field content. It matches this protocol field content one by one against the rule policy library subunits that the different users have established in rule policy library unit 2. When the protocol field content matches a rule in a rule policy library subunit, the forwarding action corresponding to that rule is taken as the match result. The match result is one of: drop, forward to a specified output port, or forward to a specified group of output ports.
Classification matching engine 3 also receives the result label output by service label processing engine 4, adds the result label to the header of the original data packet as part of the destination MAC (Media Access Control) address, and sends the packet to aggregation switching engine 5.
Service label processing engine 4: processes the match result to form the result label, outputs the result label to classification matching engine 3, establishes the mapping table between result labels and output ports, and outputs the mapping table to aggregation switching engine 5.
Service label processing engine 4 first applies a shift operation to the output ports in the different match results, then adds the shifted values together to form the result label. It also establishes the mapping table between this result label and the output ports in the match results, and sends the mapping table to aggregation switching engine 5.
Aggregation switching engine 5: receives packets whose headers carry a result label, obtains the output port of each packet from the mapping table between result labels and output ports, and sends the original data packet to the user from that output port.
Specifically, aggregation switching engine 5 looks up the output port corresponding to the result label in the mapping table established by service label processing engine 4, and sends the packet to the user from that output port. Packets can be distributed by multicast or unicast. A packet stream that belongs to several users is distributed to the corresponding output ports by multicast; a packet stream that belongs to a single user is distributed to the specified port by unicast.
An exemplary description follows, with reference to Fig. 1, of a filtering and shunting device supporting three service functions. In the preferred embodiment, the system also provides a super user. The super user sets up management accounts for the three users and configures one Ethernet output port for each user. The three user accounts are restricted so that none can interfere with the functions or management actions of any other. The initialization parameters of the input port are configured, including parameters such as CRC (Cyclic Redundancy Check) and scrambling.
The first, second, and third users have different accounts, and each account has a different ID. The three users each log in remotely to management unit 1 over the network via SSH (Secure Shell) with their own accounts. Management unit 1 provides three mutually independent read-write and management interfaces to the three users. After logging in to management unit 1, each user holds the corresponding permissions: viewing the parameters, configuration, state, and traffic statistics of the input port; configuring the rule policies of its own account, including adding, deleting, and viewing rules; and viewing the parameters, configuration, state, and traffic statistics of the output port its account owns, and configuring the desired port working mode.
The three users set their filtering rules and forwarding actions according to the requirements of their different services, each forming its own rule policies. The format of a rule policy is as follows:
Protocol | Packet length | Source port | Destination port | Source IP | Destination IP | TCP flag | Fragment | Input port | User-defined field | Forwarding action
Protocol: protocol=<tcp|udp|icmp|protocolnum>
Packet length: size=<minsize-maxsize>
Source port: sport=<port_list>
Destination port: dport=<port_list>
Source IP: sip=<ip>[/<mask>]
Destination IP: dip=<ip>[/<mask>]
TCP flag: tcpflag=<flaglist>
Fragment: ipfrag=<true|false>
Input port: interface=<interface_id>
User-defined field: ud<ud_id>=<data>/<mask>
Forwarding action: drop: drop; forward to a specified output port: fw rr <port_list>; forward to a specified group of output ports: fw hash <hash_mode> <port_list>
Management unit 1 imports the formulated rule policies into rule policy library unit 2 in high-speed memory, where they form rule policy library subunits belonging to the different users. In high-speed memory, each user's rule policy library subunit is distinguished by the ID of the user who established it, so the rule policy library subunits established by different users are placed in different memory spaces. The memory occupied by each rule policy subunit is dynamically allocated and released according to the complexity of its rules. This function can be implemented with CAM technology or high-speed memory technology. In this embodiment, the high-speed memory is divided into three different spaces according to the three user IDs.
The first user establishes, through management unit 1, the rule policy for the e-mail audit service. Management unit 1 imports the rule policy established by the first user into rule policy library unit 2 in high-speed memory, forming in rule policy library unit 2 the first rule policy library subunit, which belongs to the first user. The rule policy for the e-mail audit service established by the first user specifies that UDP packets with protocol port number 25 are forwarded to output port 2 of the filtering and shunting device. The rule policy library established by the first user is:
Match rule: protocol=udp dport=25
Forwarding action: forward to port 2
The second user establishes, through management unit 1, the rule policy library for the intrusion detection service. Management unit 1 imports the rule policy established by the second user into rule policy library unit 2 in high-speed memory, forming in rule policy library unit 2 the second rule policy library subunit, which belongs to the second user. The rule policy for the intrusion detection service established by the second user specifies that all packets falling within the IP range to be inspected are forwarded to output port 23 of the filtering and shunting device. The second user's rule policy library is:
Match rule: ip=121.15.0.0/255.255.0.0
Forwarding action: forward to port 23
The third user establishes, through management unit 1, the rule policy library for the Web detection service. Management unit 1 imports the rule policy established by the third user into rule policy library unit 2 in high-speed memory, forming in rule policy library unit 2 the third rule policy library subunit, which belongs to the third user. The rule policy for the Web detection service established by the third user specifies that HTTP packets (TCP packets with protocol port number 80 or 8080) are forwarded to output port 25 of the filtering and shunting device. The third user's rule policy library is:
Match rule: protocol=tcp dport=80||Protocol=tcp dport=8080
Forwarding action: forward to port 25
When no rule matches, the default forwarding action is drop, and the forwarding port is 0. At this point, the three users have each established an independent packet output port and rule policy subunit, and they share the packet input port and classification matching engine 3.
The router obtains original data packets from the network, and the input unit outputs the original data packets obtained by the router to classification matching engine 3. The input unit includes interfaces such as OC3/12/48/192/768 of SDH (Synchronous Digital Hierarchy) and 10/100/1000M and 10G Ethernet.
Each original data packet that enters classification matching engine 3 is looked up one by one in the three rule policy library subunits belonging to the three users, yielding three different forwarding actions.
In one embodiment, a user with IP address 121.15.4.31 sends an SMTP packet, and the input unit outputs the packet to classification matching engine 3. Classification matching engine 3 performs a full scan and protocol analysis on the packet and extracts its protocol field content. It matches this protocol field content one by one against the first, second, and third rule policy library subunits established by the three users in rule policy library unit 2. The results are as follows:
First user: matches the rule protocol=udp dport=25 and follows the forwarding action forward to port 2, giving forwarding port 2.
Second user: matches the rule ip=121.15.0.0/255.255.0.0 and follows the forwarding action forward to port 23, giving forwarding port 23.
Third user: matches no rule and follows the default forwarding action drop, giving forwarding port 0 (port 0 means drop).
The match result for the SMTP packet sent by the user with IP address 121.15.4.31 is therefore: forward to output ports 2, 23, and 0 simultaneously. Classification matching engine 3 outputs this match result to service label processing engine 4.
Service label processing engine 4 obtains the result label from the match result by shifting and adding. In the preferred embodiment, service label processing engine 4 converts the three users' matched forwarding port numbers to binary. It shifts the first user's matched forwarding port number left by 30 bits, filling the vacated positions with 0; shifts the second user's matched forwarding port number left by 20 bits, filling the vacated positions with 0; and shifts the third user's matched forwarding port number left by 10 bits, filling the vacated positions with 0. It then adds the values, padding missing positions with 0, to obtain a 40-bit result label.
The first user's matched forwarding port number is "2", which is converted to binary "10" and shifted left by 30 bits, with the vacated positions filled with 0. The second user's matched forwarding port number is "23", which is converted to binary "10111" and shifted left by 20 bits, with the vacated positions filled with 0. The third user's matched forwarding port number is "0", which is converted to binary "0" and shifted left by 10 bits, with the vacated positions filled with 0. Binary addition is then performed, padding missing positions with 0, and the results are combined into a 40-bit result label: "...100000010111..." (8 leading padding zeros and 20 trailing zeros omitted). For ease of recording, the binary value can also be written in hexadecimal as "0081700000" (or in decimal as 2171600896) and used as the result label. The detailed process is as follows:
The result label "...100000010111..." (8 leading zeros and 20 trailing zeros omitted) is recorded in the destination MAC address field of the packet header and is delivered together with the packet to classification matching engine 3. Service label processing engine 4 establishes the mapping table that maps the result label "...100000010111..." (8 leading zeros and 20 trailing zeros omitted) to output ports 2, 23, and 0, and sends this mapping table to aggregation switching engine 5.
Classification matching engine 3 transmits the packet whose header carries the result label "...100000010111..." (8 leading zeros and 20 trailing zeros omitted) to aggregation switching engine 5. Using the mapping table established by service label processing engine 4, aggregation switching engine 5 finds output ports 2, 23, and 0, which correspond to the result label in the packet header.
Because the same packet must be sent to output ports 2 and 23 simultaneously, aggregation switching engine 5 makes two copies of the packet content. It sends the packet from output port 2 to the first user, who thereby obtains the packets needed for the e-mail audit service, and sends the packet from output port 23 to the second user, who thereby obtains the packets needed for intrusion detection processing. Multiple output ports produce multiple copies of the packet traffic, but the copies are not made immediately after matching; they are made at the aggregation output stage. This greatly reduces the bandwidth consumed in transferring packets from classification matching engine 3 to aggregation switching engine 5 and improves forwarding efficiency.
In another specific embodiment, the user with IP address 121.15.4.31 sends a TCP port 80 packet. Classification matching engine 3 receives the packet and matches its protocol field content one by one against the rule policy library subunits established by the three users in rule policy library unit 2. The match result is to forward to output ports 0, 23, and 25 simultaneously, as follows:
First user: matches no rule and follows the default forwarding action drop, giving forwarding port 0 (port 0 means drop).
Second user: matches the rule ip=121.15.0.0/255.255.0.0 and follows the forwarding action forward to port 23, giving forwarding port 23.
Third user: matches the rule protocol=tcp dport=80 and follows the forwarding action forward to port 25, giving forwarding port 25.
Service label processing engine 4 obtains the result label "...00000101110000011001..." (10 leading zeros and 10 trailing zeros omitted) from the match result by shifting and adding, and establishes the mapping table that maps this result label to output ports 0, 23, and 25. Classification matching engine 3 transmits the packet whose header carries the result label "...00000101110000011001..." (10 leading zeros and 10 trailing zeros omitted) to aggregation switching engine 5. Using the mapping table established by service label processing engine 4, aggregation switching engine 5 finds output ports 0, 23, and 25, which correspond to the result label in the packet header. Aggregation switching engine 5 then makes two copies of the packet content. It sends the data from output port 23 to the second user, who thereby obtains the packets needed for intrusion detection processing, and sends the data from output port 25 to the third user, who thereby obtains the packets needed for Web detection processing.
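The two embodiments above can be reproduced end to end with the following added example, which is not code from the patent: it matches a packet against each user's rule policy sub-library, forms the 40-bit result label by shift-and-add, records the label-to-port mapping table, and resolves the egress ports. All class and function names are hypothetical; the example assumes that the `ip=` key is tested against the sender address, that each user's field is 10 bits wide (inferred from the 30/20/10 shift amounts), and that the label occupies the low 40 bits of the destination MAC.

```python
import ipaddress
from dataclasses import dataclass

DROP_PORT = 0            # page: no rule matched -> drop, forwarding port 0
SHIFTS = (30, 20, 10)    # page: per-user left shifts in the preferred embodiment
FIELD_BITS = 10          # assumption: shifts 10 bits apart leave 10 bits per user
LABEL_BITS = 40          # page: the result label is 40 bits wide


@dataclass(frozen=True)
class Packet:
    """Protocol fields extracted from a packet (constructed model, 3 fields only)."""
    protocol: str
    sip: str
    dport: int


def parse_rule(text):
    """Split a rule into '||' alternatives, each a dict of key=value fields."""
    alternatives = []
    for alt in text.split("||"):
        fields = {}
        for token in alt.split():
            key, sep, value = token.partition("=")
            if not sep or not value:
                raise ValueError(f"malformed rule token: {token!r}")
            fields[key.lower()] = value
        alternatives.append(fields)
    return alternatives


def field_matches(key, value, pkt):
    if key == "protocol":
        return pkt.protocol == value.lower()
    if key == "dport":
        return pkt.dport == int(value)
    if key in ("ip", "sip"):  # assumption: 'ip=' is tested against the sender
        return ipaddress.ip_address(pkt.sip) in ipaddress.ip_network(value)
    raise ValueError(f"unsupported rule field: {key!r}")


def match_user(rules, pkt):
    """Forwarding port of the first matching rule in one user's sub-library."""
    for rule_text, port in rules:
        for alt in parse_rule(rule_text):
            if all(field_matches(k, v, pkt) for k, v in alt.items()):
                return port
    return DROP_PORT


def result_label(ports):
    """Shift each user's port into its own field, then add the fields."""
    if len(ports) != len(SHIFTS):
        raise ValueError("one forwarding port per user is required")
    label = 0
    for port, shift in zip(ports, SHIFTS):
        # A port wider than its field would carry into the neighbouring user's
        # field during the addition and change that user's output port.
        if not 0 <= port < (1 << FIELD_BITS):
            raise ValueError(f"port {port} does not fit in {FIELD_BITS} bits")
        label += port << shift
    return label


def label_to_mac(label):
    """Assumption: the label fills the low 40 bits of the 48-bit destination MAC."""
    return ":".join(f"{b:02x}" for b in label.to_bytes(6, "big"))


class Device:
    def __init__(self, sublibraries):
        self.sublibraries = sublibraries  # one independent rule list per user
        self.mapping_table = {}           # result label -> per-user output ports

    def classify(self, pkt):
        """Match against every user's sub-library; record and return the label."""
        ports = tuple(match_user(rules, pkt) for rules in self.sublibraries)
        label = result_label(ports)
        self.mapping_table[label] = ports
        return label

    def egress_ports(self, label):
        """Aggregation step: ports that receive a copy (port 0 means drop)."""
        return [p for p in self.mapping_table[label] if p != DROP_PORT]


# Rule policy sub-libraries of the three users, as given in the embodiment.
SUBLIBRARIES = [
    [("protocol=udp dport=25", 2)],
    [("ip=121.15.0.0/255.255.0.0", 23)],
    [("protocol=tcp dport=80||Protocol=tcp dport=8080", 25)],
]
# Constructed packets mirroring the two embodiments (sender 121.15.4.31);
# the mail packet is UDP because that is what the first user's rule matches.
MAIL_PKT = Packet("udp", "121.15.4.31", 25)
WEB_PKT = Packet("tcp", "121.15.4.31", 80)

if __name__ == "__main__":
    device = Device(SUBLIBRARIES)
    for name, pkt in (("mail", MAIL_PKT), ("web", WEB_PKT)):
        label = device.classify(pkt)
        print(name, f"{label:0{LABEL_BITS}b}", f"0x{label:010x}",
              label_to_mac(label), device.egress_ports(label))
```

Because the fields are combined by addition rather than kept separate, the range check in `result_label` is what keeps one user's forwarding port from altering another user's field.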
The present invention also provides a kind of filtration shunt method of supporting multiservice functionality, comprising: S1: formulate all kinds of professional corresponding rule and policies; S2: according to described rule and policy, formation rule policy library subelement; S3: receive packet, described packet is mated the formation matching result with described rule and policy storehouse subelement one by one, send described matching result; S4: handle described matching result and form described label as a result, export described label as a result, set up the mapping table of label and output port as a result, export described mapping table; S5: the reception result label, add described label as a result to packet head and output; S6: receive packet,, obtain the output port of described packet, send described packet to the user from described output port according to the mapping table of described label as a result and output port with described label as a result.
In step S1, different user has different ID, and the user formulates the rule and policy that belongs to professional separately by separate read-write and administration interface.
In step S2, the rule and policy that will belong to different user ID is distributed in the different memory headrooms, formation rule policy library subelement.The size of the memory headroom that the rule and policy subelement of different I D is occupied according to its regular complexity, is applied for dynamically and is discharged.This partial function can be realized by CAM technology or high-speed internal memory technology.
In step S3, raw data packets is carried out protocal analysis, extract the protocol fields content of packet.This protocol fields content is mated with rule and policy storehouse subelement one by one.When the protocol fields content met regular in certain rule and policy storehouse subelement, the forwarding behavior of this rule correspondence was regarded as matching result.
In step S4, the output port in the different matching results is carried out shifting processing, then the result after the shifting processing is carried out add operation, form label as a result.Set up this mapping table and output of output port in label and the matching result as a result.
In step S5, the reception result label adds this label data bag to the part of initial data packet header as target MAC (Media Access Control) address, and output has the raw data packets of label as a result.
In step S6, the mode that sends packet can be multicast, clean culture.Belong to a plurality of user's data bag streams, be distributed to corresponding output port according to multicast mode; The data packet stream that belongs to unique user is distributed to the port of appointment according to the mode of clean culture.
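The following Python sketch is an added example, not code from the patent, that walks one packet through steps S3 to S6. The 5-bit slot per user ID, slot value 0 meaning "no copy", the label filling the whole destination MAC field, and the rule sets and frame are assumptions constructed for illustration; each user's forwarding action is narrowed to drop or a single port.

```python
import struct

FIELD_BITS = 5                   # assumed slot width per user ID in the label
MAX_USERS = 48 // FIELD_BITS     # label must fit the 48-bit destination MAC
DROP = 0                         # assumed: slot value 0 = no copy for this user

# Constructed rule policy library subunits, keyed by user ID (= slot index).
# Each rule is (predicate on protocol fields, output port); first match wins.
RULE_LIBS = {
    0: [(lambda f: f["proto"] == 17 and f["dport"] == 53, 7)],
    1: [(lambda f: f["proto"] == 6, 23)],                       # e.g. intrusion detection
    2: [(lambda f: f["proto"] == 6 and f["dport"] == 80, 25)],  # e.g. Web detection
}


def build_frame(proto, dport):
    """Constructed untagged Ethernet/IPv4 frame with a minimal L4 header."""
    eth = bytes(6) + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return eth + ip + struct.pack("!HHHH", 40000, dport, 0, 0)


def parse_fields(frame):
    """S3, protocol analysis: extract IP protocol and L4 destination port."""
    fields = {"proto": None, "dport": None}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return fields
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20:
        return fields
    fields["proto"] = frame[23]
    l4 = 14 + ihl
    if fields["proto"] in (6, 17) and len(frame) >= l4 + 4:
        fields["dport"] = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return fields


def match_all(fields):
    """S3, matching: every user's subunit is consulted independently."""
    return {uid: next((port for pred, port in rules if pred(fields)), DROP)
            for uid, rules in RULE_LIBS.items()}


def make_label(results):
    """S4: shift each user's port into that user's slot, then add."""
    label = 0
    for uid, port in results.items():
        if not 0 <= uid < MAX_USERS:
            raise ValueError(f"user ID {uid} has no slot in a 48-bit label")
        if not 0 <= port < (1 << FIELD_BITS):
            # An oversized port would carry into the neighbouring user's slot.
            raise ValueError(f"port {port} does not fit in {FIELD_BITS} bits")
        label += port << (uid * FIELD_BITS)
    return label


def tag_frame(frame, label):
    """S5: carry the label in the destination MAC field (bytes 0..5)."""
    return label.to_bytes(6, "big") + frame[6:]


def forward(tagged, mapping_table):
    """S6: look the label up; an unknown label yields no copies."""
    label = int.from_bytes(tagged[:6], "big")
    return [(port, tagged) for port in mapping_table.get(label, ())]


def process(frame, mapping_table):
    """Run S3 to S6 for one frame; returns (label, [(port, frame copy), ...])."""
    results = match_all(parse_fields(frame))
    label = make_label(results)
    mapping_table[label] = tuple(sorted({p for p in results.values() if p != DROP}))
    return label, forward(tag_frame(frame, label), mapping_table)
```

Because the label is built by addition, a port number wider than its slot would carry into the next user's slot and change where that user's copy is sent, which is why `make_label` rejects it. A label that is missing from the mapping table is forwarded nowhere.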
Although the present invention is disclosed above by way of preferred embodiments, the present invention is not limited thereto. Any person skilled in the art may make various changes and modifications without departing from the spirit and scope of the present invention, so the scope of protection of the present invention shall be the scope defined by the claims.

Claims (10)

1. A filtering and shunting device supporting multi-service functions, characterized by comprising:
a management unit, which provides users with an interface for formulating the rule policies corresponding to each type of service, and outputs the rule policies to the rule policy library unit;
a rule policy library unit, which forms rule policy library subunits according to the rule policies;
a classification and matching engine, which receives data packets, matches each data packet against the rule policy library subunits one by one to form matching results, sends the matching results to the service label processing engine, receives the result label, adds the result label to the packet header, and sends the packet to the converging switching engine;
a service label processing engine, which processes the matching results to form the result label, outputs the result label to the classification and matching engine, builds a mapping table between result labels and output ports, and outputs the mapping table to the converging switching engine;
a converging switching engine, which receives data packets whose headers carry the result label, obtains the output ports of each data packet according to the mapping table between result labels and output ports, and sends the data packet to the users from those output ports.
2. The filtering and shunting device according to claim 1, characterized in that the rule policy library subunit comprises the rule policies, and each rule policy comprises a rule and a forwarding action.
3. The filtering and shunting device according to claim 2, characterized in that the classification and matching engine performs protocol analysis on the original data packet, extracts the protocol field content of the original data packet, and matches the protocol field content against the rule policy library subunits one by one.
4. The filtering and shunting device according to claim 3, characterized in that, when the protocol field content conforms to a rule in the rule policy library subunit, the forwarding action corresponding to that rule is taken as the matching result.
5. The filtering and shunting device according to claim 4, characterized in that the matching result comprises: discarding, forwarding to one designated output port, or forwarding to a designated group of output ports.
6. The filtering and shunting device according to claim 5, characterized in that the service label processing engine performs shift processing and an addition operation on the output ports in the matching results to form the result label.
7. The filtering and shunting device according to claim 1, characterized in that the classification and matching engine adds the result label to the header of the original data packet as part of the destination MAC address.
8. A filtering and shunting method supporting multi-service functions, characterized by comprising:
formulating the rule policies corresponding to each type of service;
forming rule policy library subunits according to the rule policies;
receiving a data packet, matching the data packet against the rule policy library subunits one by one to form matching results, and sending the matching results;
processing the matching results to form a result label, outputting the result label, building a mapping table between result labels and output ports, and outputting the mapping table;
receiving the result label, adding the result label to the packet header, and outputting the packet;
receiving the data packet whose header carries the result label, obtaining the output ports of the data packet according to the mapping table between result labels and output ports, and sending the data packet to the users from those output ports.
9. The filtering and shunting method according to claim 8, characterized in that, when the matching results are formed, protocol analysis is performed on the original data packet, the protocol field content of the packet is extracted, and this protocol field content is matched against the rule policy library subunits one by one; when the protocol field content matches a rule in a rule policy library subunit, the forwarding action corresponding to that rule is taken as the matching result.
10. The filtering and shunting method according to claim 8, characterized in that, when the result label is formed, the output ports in the matching results are shifted, and the shifted results are added together to form the result label.
CN200910199468.7A 2009-11-27 2009-11-27 Filtering and shunting device and method supporting multi-service function Active CN101764741B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910199468.7A CN101764741B (en) 2009-11-27 2009-11-27 Filtering and shunting device and method supporting multi-service function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910199468.7A CN101764741B (en) 2009-11-27 2009-11-27 Filtering and shunting device and method supporting multi-service function

Publications (2)

Publication Number Publication Date
CN101764741A true CN101764741A (en) 2010-06-30
CN101764741B CN101764741B (en) 2012-06-06

Family

ID=42495734

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910199468.7A Active CN101764741B (en) 2009-11-27 2009-11-27 Filtering and shunting device and method supporting multi-service function

Country Status (1)

Country Link
CN (1) CN101764741B (en)

Also Published As

Publication number Publication date
CN101764741B (en) 2012-06-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20130105

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2013990000008

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20140109

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2014990000024

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20131216

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2013990000008

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20100630

Assignee: Yangzhou Wanfang Electronic Technology Co., Ltd.

Assignor: Shanghai Embedway Information Technologies Co., Ltd.

Contract record no.: 2014320000650

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Granted publication date: 20120606

License type: Exclusive License

Record date: 20140812

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20141125

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2014990000024

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20141126

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2014990000988

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
C56 Change in the name or address of the patentee

Owner name: HENGWEI TECHNOLOGY TECHNOLOGY (SHANGHAI) CO., LTD.

Free format text: FORMER NAME: SHANGHAI EMBEDWAY INFORMATION TECHNOLOGY CO., LTD.

CP03 Change of name, title or address

Address after: 200030 Leshan Road, Shanghai, room 33, No. 103, room

Patentee after: Constant technology (Shanghai) Limited by Share Ltd

Address before: Pudong Shanghai 200127 Lane 91, Eshan Road No. 20 (Lujiazui Software Park Building 9 Unit 2 floor tower)

Patentee before: Shanghai Embedway Information Technologies Co., Ltd.

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20151218

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2014990000988

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PM01 Change of the registration of the contract for pledge of patent right

Change date: 20151218

Registration number: 2014990000988

Pledgor after: Constant technology (Shanghai) Limited by Share Ltd

Pledgor before: Shanghai Embedway Information Technologies Co., Ltd.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20151231

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2015990001204

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20161214

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2015990001204

PC01 Cancellation of the registration of the contract for pledge of patent right
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20161214

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2016990001097

PE01 Entry into force of the registration of the contract for pledge of patent right
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20180112

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2016990001097

PC01 Cancellation of the registration of the contract for pledge of patent right
EC01 Cancellation of recordation of patent licensing contract

Assignee: YANGZHOU WANFANG ELECTRONIC TECHNOLOGY LLC

Assignor: SHANGHAI EMBEDWAY INFORMATION TECHNOLOGIES Co.,Ltd.

Contract record no.: 2014320000650

Date of cancellation: 20200628