CN102075423B - Hardware multi-level table-based method for controlling output traffic - Google Patents

Publication number
CN102075423B
Authority
CN
China
Prior art keywords
flow
priority
message
flow control
output
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201110003670.5A
Other languages
Chinese (zh)
Other versions
CN102075423A (en)
Inventor
唐勇
陈曙晖
李韬
苏金树
王勇军
赵国鸿
宣蕾
刘文瀚
陆华彪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology
Application filed by National University of Defense Technology
Priority to CN201110003670.5A
Publication of CN102075423A
Application granted
Publication of CN102075423B
Legal status: Expired - Fee Related

Abstract

The invention discloses a hardware multi-level table-based method for controlling output traffic, which aims to solve the technical problem of controlling traffic while preserving flow integrity. The technical scheme is as follows: a high-speed network content monitoring system consisting of an input card, an output card, a control host computer and a back-end analysis system is constructed, wherein a priority module is arranged in the input card, a traffic control module is arranged in the output card, and traffic control software runs on the control host computer; the priority module looks up a priority number in a priority table and transmits the message with the priority number to the output card; the traffic control module looks up the traffic control table of the priority corresponding to the priority number of the message and determines whether the message is transmitted or discarded; and the traffic control software calculates the traffic, sets the discard flag bits, and controls the traffic control module to perform traffic control. With this method, traffic can be controlled while preserving flow integrity, the hardware logic is simple, the message processing speed is high, and the network jitter is small.

Description

Output flow control method based on hardware multi-level tables
Technical field
The present invention relates to the field of high-speed network traffic monitoring, and in particular to a method for controlling overload traffic on high-speed networks.
Background technology
A high-speed network content monitoring system generally consists of a front-end data capture and distribution device and a back-end analysis system; the overall structure is shown in Fig. 1. The front-end data capture and distribution device performs network access, data capture and distribution, and data filtering and analysis, and consists mainly of an input card, which contains a hardware DPI (deep packet inspection) module, and an output card. The input card receives the network data stream and its hardware DPI module performs deep packet inspection (for example rule matching); the processed messages (packets) are output from the ports of the output card to the back-end analysis system, and the output card performs load balancing according to the load capacity of the back-end analysis system. The back-end analysis system further analyzes the messages output by the front-end device to implement network behavior auditing, network content auditing and intrusion detection. As backbone link speeds keep rising, the main problem facing a high-speed network content monitoring system is that the huge traffic volume often exceeds the processing capacity of the back-end analysis system, so the front-end device must control its output traffic, discarding part of the messages so that the traffic fits the processing capacity of the back-end system. Because the back-end analysis system usually analyzes data per flow (a TCP or UDP flow, comprising all messages of one session between the two communicating parties), flow control is required to preserve "flow integrity" as far as possible: the discarded messages are concentrated in a small number of flows, so that as many flows as possible lose no messages and remain intact. A new flow control method that preserves flow integrity is therefore needed.
Existing flow control methods mainly include:
1. Egress load balancing. The basic idea is to distribute traffic as evenly as possible over several egress ports in order to reduce message discards. However, the back-end systems connected to the individual egress ports may differ in processing capacity, and the actual traffic volumes also differ, so balanced and flexible distribution is hard to achieve in practice. More importantly, egress load balancing cannot guarantee flow integrity.
2. Congestion control. Most network devices have a congestion control mechanism: when the message waiting queue is full, the mechanism discards the excess messages, but these discards are usually random and do not preserve flow integrity.
3. QoS (Quality of Service). The priority of a message is determined by its application protocol; when the network is congested, high-priority messages are not discarded, but flow integrity is not preserved for low-priority applications. In addition, because priority is determined only by application protocol, flow control is inflexible.
In summary, the greatest shared drawback of the above methods is that they cannot guarantee flow integrity, so they can hardly meet the needs of a high-speed network content monitoring system. Existing network devices mostly combine one or more of the above methods for flow control, but still cannot guarantee flow integrity.
Summary of the invention
The technical problem to be solved by the present invention is to perform flow control while guaranteeing flow integrity.
To solve this technical problem, the technical scheme comprises the following steps:
Step 1: build the high-speed network content monitoring system, which consists of an input card, an output card, a control host and a back-end analysis system. A priority module is added to the input card; it is connected to the hardware DPI module and to the output port of the input card, receives from the hardware DPI module the messages that have undergone deep packet inspection, determines the priority of each message, and then passes the message with its priority to the output card. The output card is connected to the input card, the control host and the back-end analysis system; an output card has one input port and several output ports, and a flow control module is added at each output port of the output card. The flow control module of each output port is connected to the input port of the output card, the control host and the back-end analysis system, and decides whether a message is sent or discarded. The control host is connected to the output card and runs the flow control software, which measures the traffic and sets the discard flag bits according to the flow control policy, thereby controlling the flow control modules to perform flow control.
The priority module consists of control logic and a priority table. The control logic is divided into header-extraction logic and header-insertion logic. The header-extraction logic receives the messages output by the hardware DPI module, whose headers carry a rule ID number, takes the rule ID number out of the header, and looks it up in the priority table, which holds the correspondence between rule IDs and priority numbers, to find the priority number corresponding to this rule ID; the header-insertion logic then adds the priority number to the message header. Each entry of the priority table contains two fields, a rule ID value and a priority number. The rule ID value is the number of the rule the message matched, and the priority number is the priority corresponding to this rule ID value; each rule ID value corresponds to one priority number, and a smaller priority number means a higher priority. The number of items in these two fields is P, where P is a positive integer.
Each output port of the output card has its own flow control module. Each flow control module consists of flow control logic and P flow control tables, one flow control table per priority. Each entry of a flow control table consists of three fields: a sequence number (ID), a byte count (bytes) and a discard flag bit (discard). The sequence number ID is determined by n+k bits in total, the last n bits of the source IP and the last k bits of the destination IP (n and k are positive integers greater than or equal to 1 and less than or equal to 32), so a flow control table has $2^{n+k}$ entries in total. The byte count is the traffic volume of the entry within the specified time, and the discard flag indicates whether the entry is discarded or forwarded: 0 means forward, 1 means discard. The flow control logic of the flow control module of each output port is connected to the input port of the output card, the P flow control tables and the back-end analysis system. It receives incoming messages from the input port of the output card, determines the flow control table of the corresponding priority from the priority of the message, looks up the entry of that table by the source IP address and destination IP address of the message, reads the discard flag bit discard to decide whether the message is forwarded or discarded, and for a forwarded message updates the byte count bytes of its entry.
Step 2: the hardware DPI module performs rule matching on the five-tuple of each message entering the input card. Every rule has its own rule ID number; when a message matches a rule, the ID of that rule is added to the message header and the message is passed to the priority module. The priority module looks up the corresponding priority number in the priority table by the ID value in the header, adds it to the message header, and then passes the message with its priority number to the output card.
Step 3: the flow control module of the output card determines the flow control table of the corresponding priority from the priority number carried in each message header, then uses the last n bits of the message's source IP address and the last k bits of its destination IP address, (n+k) bits in total, to look up the message's entry among the $2^{n+k}$ entries of this flow control table, and checks the discard flag bit of that entry: if the discard flag bit is 0, the message is forwarded; if it is 1, the message is discarded. For a forwarded message, the byte count of its entry is updated. Let [formula image] denote the flow control table of priority j (1≤j≤P) of output port $A_i$ (1≤i≤Z); let [formula image] denote the value of the byte count of the m-th entry of the priority-j flow control table of output port $A_i$; let [formula image] denote the value of the discard flag bit of the m-th entry of the priority-j flow control table of output port $A_i$; and let [formula image] denote the set of entries in flow control table [formula image] whose discard flag bit is 0. The flow control logic of the flow control module controls traffic in the following steps:
3.1 Determine the flow control table of the message's priority from the priority number of the incoming message.
3.2 Use the last n bits of the source IP address and the last k bits of the destination IP address of the incoming message, (n+k) bits in total, to look up the message's entry among the $2^{n+k}$ entries of the flow control table of 3.1.
3.3 Check whether the discard flag bit [formula image] of the entry found in 3.2 is 1; if it is 1, discard the message; otherwise, send the message.
3.4 Add the size of the sent message to the byte count of the message's entry, accumulating the total.
Step 4: the flow control software periodically reads all flow control tables of the flow control module of each output port of the output card and sums the byte count fields of all entries whose discard flag bit is 0 to compute the current output traffic. If the current output traffic exceeds the configured port traffic limit, it sets the discard flag bits of some entries in the flow control tables to 1, in order of priority from low to high, increasing the traffic discarded by hardware. If the current traffic is below the port traffic limit, it sets the discard flag bits of some entries in the flow control tables to 0, in order of priority from high to low, reducing the traffic discarded by hardware.
Consider an output card with Z message output ports $A_1, A_2, \ldots, A_Z$, whose traffic limits are $B_1, B_2, \ldots, B_Z$ respectively; each of $A_1, A_2, \ldots, A_Z$ maintains flow control tables for P different priorities. The flow of the flow control software is:
4.1 After each time interval T (T is set according to the actual flow control needs and is generally less than or equal to 60 seconds), the flow control software reads, from the flow control tables of the P priorities of output port $A_i$ (1≤i≤Z), the byte counts of all entries whose discard flag bit is 0 and sums them; the sum $S_i$ is the current actual total output traffic of output port $A_i$. If $S_i > B_i$, go to step 4.2; otherwise go to step 4.3.
4.2 The total output traffic of output port $A_i$ has now exceeded its load limit, so the fast-discard policy is applied. The steps are:
4.2.1 Set priority j to 1.
4.2.2 Let the excess traffic (the traffic to be discarded) be $S' = S_i - B_i$. Select some entries in the flow control table and set their discard bits to 1 so that the byte counts of these entries sum to S', thereby discarding exactly the excess traffic. Choosing the entries is a subset-sum problem. The subset-sum problem can be expressed as a pair (G, t), where G is a set of positive integers $\{X_1, X_2, \ldots, X_n\}$ and t is a positive integer; the task is to find a subset of G whose sum is as large as possible but not greater than t. Because the subset-sum problem is NP-complete, i.e. it has only exponential-time exact solutions, the polynomial-time approximation algorithm APPROX_SUBSET_SUM(G, t) published in Introduction to Algorithms (INTRODUCTION TO ALGORITHMS, Higher Education Publishing House, 2002 edition, page 1046) is used here. The input of the algorithm is (G, t), where G is the set of flow control table entries and t is the overload traffic; the output is a subset of G such that the sum of the byte counts of its entries is as large as possible but does not exceed t. If APPROX_SUBSET_SUM [formula image] returns the empty set, go to 4.2.2.1; if APPROX_SUBSET_SUM [formula image] returns [formula image], i.e. even discarding everything cannot meet the requirement, go to 4.2.2.3; otherwise go to 4.2.2.2.
4.2.2.1 No further traffic needs to be discarded; go to 4.2.3.
4.2.2.2 Determine whether the flow control table of the current priority can satisfy the flow control requirement: sum the byte counts of all entries whose discard flag bit is 0, and call this sum Q. Then compare Q with the overload traffic S'. If Q ≥ S', set to 1 the discard flag bits of all entries in the set of entries returned by APPROX_SUBSET_SUM [formula image], and go to 4.2.3; otherwise, carry out 4.2.2.3.
4.2.2.3 The flow control table of the current priority cannot satisfy the discard requirement. First set the discard flags of all entries of the current-priority flow control table to 1, discarding all the traffic in this table. The remaining traffic to be discarded must be discarded in the flow control table of the next higher level: let S' = S' - Q, where Q is the sum of the byte counts of all entries whose discard flag bit is 0 in the flow control table of the current priority. Set j = j+1 and go to 4.2.2.
4.2.3 This round of flow control is finished; go to 4.4.
4.3 The total output traffic of output port $A_i$ is now below its load capacity, so the slow-recovery policy is applied. Let H be the highest priority among all flow control tables of output port $A_i$ that contain entries whose discard flag bit is set to 1, and suppose that in the flow control table of priority H the L entries $F_1, F_2, \ldots, F_L$ have their discard flag bit set to 1 ($1 \le L \le 2^{n+k}$). Choose the entry with the smallest byte count among them, i.e. $\min\{T_i^H(F_1).bytes,\ T_i^H(F_2).bytes,\ \ldots,\ T_i^H(F_L).bytes\}$, let its index be Y (1≤Y≤L), and set its discard flag bit to 0, i.e. [formula image]. Go to 4.4.
4.4 Clear the byte counts of all flow control table entries, restart the statistics, and go to 4.1.
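The table lookup of steps 3.1 to 3.4 and one software pass of steps 4.1 to 4.4, as an added C example that is not code from the patent: the table sizes, all names, the byte limit and the sample traffic are constructed assumptions, tbl[0] is assumed to be the table step 4.2.1 starts with, and a greedy largest-first selection stands in for APPROX_SUBSET_SUM.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes: P tables per port, n source-IP bits, k destination-IP bits. */
#define P 3
#define N_BITS 4
#define K_BITS 5
#define ENTRIES (1u << (N_BITS + K_BITS))
struct entry { uint64_t bytes; uint8_t discard; };   /* the ID field is the array index */
/* Assumption: tbl[0] is the table step 4.2.1 starts with; limit plays the role of B_i. */
struct port { struct entry tbl[P][ENTRIES]; uint64_t limit; };

/* Step 3.2: ID = last n bits of the source IP, then last k bits of the destination IP. */
unsigned entry_id(uint32_t src, uint32_t dst) {
    return ((src & ((1u << N_BITS) - 1)) << K_BITS) | (dst & ((1u << K_BITS) - 1));
}

/* Steps 3.1, 3.3, 3.4: returns 1 if the message is forwarded and counted, 0 if dropped. */
int handle_message(struct port *pt, int prio, uint32_t src, uint32_t dst, uint32_t len) {
    struct entry *e = &pt->tbl[prio][entry_id(src, dst)];
    if (e->discard) return 0;
    e->bytes += len;
    return 1;
}

/* Greedy largest-first stand-in for APPROX_SUBSET_SUM (assumption): flags entries summing to <= t. */
static uint64_t mark_subset(struct entry *tb, uint64_t t) {
    uint64_t picked = 0;
    for (;;) {
        int best = -1;
        for (unsigned m = 0; m < ENTRIES; m++)
            if (!tb[m].discard && tb[m].bytes > 0 && tb[m].bytes <= t - picked &&
                (best < 0 || tb[m].bytes > tb[best].bytes))
                best = (int)m;
        if (best < 0) return picked;
        tb[best].discard = 1;
        picked += tb[best].bytes;
    }
}

/* One pass of steps 4.1 to 4.4 for one port; returns S_i for the elapsed interval. */
uint64_t control_pass(struct port *pt) {
    uint64_t q[P] = {0}, s = 0;
    for (int j = 0; j < P; j++) {                      /* 4.1: sum forwarding entries */
        for (unsigned m = 0; m < ENTRIES; m++)
            if (!pt->tbl[j][m].discard) q[j] += pt->tbl[j][m].bytes;
        s += q[j];
    }
    if (s > pt->limit) {                               /* 4.2: fast discard */
        uint64_t excess = s - pt->limit;               /* S' */
        for (int j = 0; j < P && excess > 0; j++) {
            if (q[j] <= excess) {                      /* 4.2.2.3: whole table, S' -= Q */
                for (unsigned m = 0; m < ENTRIES; m++) pt->tbl[j][m].discard = 1;
                excess -= q[j];
            } else { mark_subset(pt->tbl[j], excess); break; }   /* 4.2.2.2 */
        }
    } else {                                           /* 4.3: slow recovery, one entry */
        for (int j = P - 1; j >= 0; j--) {
            struct entry *tb = pt->tbl[j];
            int pick = -1;
            for (unsigned m = 0; m < ENTRIES; m++)
                if (tb[m].discard && (pick < 0 || tb[m].bytes < tb[pick].bytes)) pick = (int)m;
            if (pick >= 0) { tb[pick].discard = 0; break; }
        }
    }
    for (int j = 0; j < P; j++)                        /* 4.4: restart the statistics */
        for (unsigned m = 0; m < ENTRIES; m++) pt->tbl[j][m].bytes = 0;
    return s;
}

unsigned count_discards(const struct port *pt, int prio) {
    unsigned n = 0;
    for (unsigned m = 0; m < ENTRIES; m++) n += pt->tbl[prio][m].discard;
    return n;
}

/* Constructed sample: five flows, limit of 800 bytes per interval (assumed unit). */
static struct port demo_port = { .limit = 800 };
int send_demo_traffic(struct port *pt) {
    static const struct { int prio; uint32_t src, dst, len; } msgs[] = {
        {0, 0x0A000001, 0x0A000101, 400}, {0, 0x0A000002, 0x0A000101, 300},
        {1, 0x0A000003, 0x0A000102, 500}, {1, 0x0A000004, 0x0A000102, 200},
        {2, 0x0A000005, 0x0A000103, 300},
    };
    int fwd = 0;
    for (unsigned i = 0; i < sizeof msgs / sizeof msgs[0]; i++)
        fwd += handle_message(pt, msgs[i].prio, msgs[i].src, msgs[i].dst, msgs[i].len);
    return fwd;
}

int main(void) {
    for (int round = 1; round <= 2; round++) {
        int fwd = send_demo_traffic(&demo_port);
        unsigned long long s = control_pass(&demo_port);
        printf("interval %d: forwarded=%d S=%llu tbl[1] discards=%u\n",
               round, fwd, s, count_discards(&demo_port, 1));
    }
    return 0;
}
```

In the constructed run the first interval measures S = 1700 against a limit of 800, so every entry of tbl[0] and the single 200-byte flow of tbl[1] are flagged, each flow being dropped whole. The second interval measures S = 800 and restores exactly one entry.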
The present invention achieves the following technical effects:
(a) The hardware logic is simple. The priority module and the flow control module of the present invention are implemented in hardware and only need to maintain the priority table and the flow control tables respectively; the table lookup process is simple to implement, so messages are processed quickly, which meets the needs of a high-speed network content monitoring system.
(b) Flow integrity is preserved. To support content security applications, entries are looked up by priority, source IP address and destination IP address when messages are discarded and recovered, so the operations are carried out per flow: a flow is either discarded entirely or retained entirely. This overcomes the failure of other methods to preserve flow integrity.
(c) The flow control table of a message's priority is determined from the result of the hardware DPI module, so messages the user is interested in can be given a higher priority and are lost as little as possible.
(d) Network jitter is small. If the total traffic exceeds the limit, the fast-discard policy is applied: all of the overload traffic is discarded in the next time period, so the actual traffic drops rapidly. If the actual total traffic is below the limit, the slow-recovery policy is applied: only one flow is recovered at a time, which prevents the actual traffic from exceeding the limit again within a short time.
Description of drawings
Fig. 1 is the overall structure diagram of the existing high-speed network content monitoring system described in the background.
Fig. 2 is the overall structure diagram of the high-speed network content monitoring system designed in step 1 of the present invention.
Fig. 3 is the structure diagram of the priority module of the present invention.
Fig. 4 is the structure diagram of the flow control module of the present invention.
Fig. 5 is the flow chart by which the flow control logic of the present invention decides to send or discard a message.
Fig. 6 is the flow chart of the flow control software of the present invention.
Fig. 7 is the overall flow chart of the present invention.
Fig. 8 is an example of the high-speed network content monitoring system of the present invention.
Embodiment:
Fig. 1 is the overall structure diagram of the existing high-speed network content monitoring system described in the background. The front-end data capture and distribution device performs network access, data capture and distribution, and data filtering and analysis, and consists mainly of an input card, which contains a hardware DPI (deep packet inspection) module, and an output card. The input card receives the network data stream and its hardware DPI module performs deep packet inspection (for example rule matching); the processed messages are output from the ports of the output card to the back-end analysis system, and the output card performs load balancing according to the load capacity of the back-end analysis system. The back-end analysis system further analyzes the messages output by the front-end device to implement network behavior auditing, network content auditing and intrusion detection.
Fig. 2 is the overall structure diagram of the high-speed network content monitoring system built in step 1 of the present invention. The system consists of an input card, an output card, a control host and a back-end analysis system. A priority module is added to the input card; it is connected to the hardware DPI module and to the output port of the input card, receives from the hardware DPI module the messages that have undergone deep packet inspection, determines the priority of each message, and then passes the message with its priority to the output card. The output card is connected to the input card, the control host and the back-end analysis system; an output card has one input port and several output ports, and a flow control module is added at each output port of the output card. The flow control module of each output port is connected to the input port of the output card, the control host and the back-end analysis system, and decides whether a message is sent or discarded. The control host is connected to the output card and runs the flow control software, which measures the traffic and sets the discard flag bits according to the flow control policy implemented by the present invention, thereby controlling the flow control modules to perform flow control.
Fig. 3 is the structure diagram of the priority module. The priority module consists of control logic and a priority table. The control logic is divided into header-extraction logic and header-insertion logic. The header-extraction logic receives the messages output by the hardware DPI module, whose headers carry a rule ID number, takes the rule ID number out of the header, and looks it up in the priority table to find the corresponding priority number; the header-insertion logic then adds the priority number to the message header. Each entry of the priority table contains two fields, a rule ID value and a priority number. The rule ID value is the number of the rule the message matched, and the priority number is the priority corresponding to this rule; a smaller number means a higher priority. The number of items in these two fields is a positive integer P chosen according to actual needs.
Fig. 4 is the structure diagram of the flow control module. The flow control module consists of flow control logic and flow control tables. Each entry of a flow control table consists of three fields: a sequence number (ID), a byte count (bytes) and a discard flag (discard). Each priority has its own flow control table. The ID is determined by n+k bits in total, the last n bits of the source IP and the last k bits of the destination IP, so a flow control table has $2^{n+k}$ entries in total. The byte count is the traffic volume of the entry within the specified time, and the discard flag indicates whether the entry is discarded or forwarded: 0 means forward, 1 means discard. The flow control logic receives incoming messages, determines the flow control table of the corresponding priority from the priority of the message, looks up the entry of that table by the source IP address and destination IP address of the message, reads the discard flag bit to decide whether the message is forwarded or discarded, and for a forwarded message updates the byte count of its entry.
Fig. 5 is the flow chart by which the flow control logic decides whether a message is sent or discarded. Using the priority of each message together with the last n bits of its source IP address and the last k bits of its destination IP address, (n+k) bits in total (n and k are positive integers greater than or equal to 1 and less than or equal to 32), the flow control logic looks up the message's entry among the $2^{n+k}$ entries of the flow control table of the corresponding priority and checks the discard flag bit of that entry: if the discard flag bit is 0, the message is forwarded; if it is 1, the message is discarded. It then updates the byte count of the entry of the flow control table corresponding to the message.
Fig. 6 is the flow chart of the flow control software.
First, the flow control software periodically reads all flow control tables of the flow control module of each output port of the output card and sums the byte count fields of all entries whose discard flag bit is 0 to compute the current output traffic.
It then decides: if the current output traffic exceeds the configured port traffic limit, it applies the subset-sum approximation algorithm in order of priority from low to high and sets the discard flag bits of some entries in the flow control tables to 1, increasing the traffic discarded by hardware. If the current traffic is below the port traffic limit, it applies the slow-recovery policy in order of priority from high to low and sets the discard flag bits of some entries in the multi-level flow control tables to 0, reducing the traffic discarded by hardware.
Finally, it clears the byte count fields in preparation for the next round of statistics.
Fig. 7 is the overall flow chart of the present invention.
Step 1: build the high-speed network content monitoring system.
Step 2: the hardware DPI module performs rule matching on the five-tuple of each message entering the input card. Every rule has its own rule ID number; when a message matches a rule, the ID of that rule is added to the message header and the message is passed to the priority module. The priority module looks up the corresponding priority number in the priority table by the ID value in the header and adds it to the message header. The message with its priority number is passed to the output card.
Step 3: the flow control module of the output card uses the priority number carried in each message header together with the last n bits of the message's source IP address and the last k bits of its destination IP address, (n+k) bits in total, to look up the message's entry among the $2^{n+k}$ entries of the flow control table of that priority, and checks the discard flag bit of that entry: if the discard flag bit is 0, the message is forwarded; if it is 1, the message is discarded.
Step 4: the flow control software periodically reads all flow control tables of the flow control module of each output port of the output card and sums the byte count fields of all entries whose discard flag bit is 0 to compute the current output traffic. If the current output traffic exceeds the configured port traffic limit, it sets the discard flag bits of some entries in the flow control tables to 1, in order of priority from low to high, increasing the traffic discarded by hardware. If the current traffic is below the port traffic limit, it sets the discard flag bits of some entries in the flow control tables to 0, in order of priority from high to low, reducing the traffic discarded by hardware.
Fig. 8 is an example of a high-speed network content monitoring system designed according to the present invention at the National University of Defense Technology:
Step 1: build the high-speed network content monitoring system. In this example the input card is an OC768 (40G) line card and the output card is an OC192 (10G) line card. The priority module of the OC768 line card is implemented in a StratixEP2SGX130F1508C4 FPGA; the flow control module and the flow control tables are implemented in the Altera Stratix II GX EP2S60GX FPGA of the OC192 (10G) line card; the flow control software is implemented in C under the Linux operating system. Each port of the output card is connected to back-end analysis systems such as an IDS and content auditing. The OC192 (10G) line card has four output ports, and the output traffic limit of each port is 10G.
Step 2: the message flow passes through the OC768 (40G) line card, and the priority module of the line card performs five-tuple filtering on the messages according to the rules set by the user in the hardware DPI module to determine their priority.
Step 3: the message flow, with priorities determined, passes through the OC192 (10G) line card, which has four output ports, each with its own flow control module. The flow control module of the line card maintains flow control tables of several different priorities for each output port. Using the last four bits (n=4) of the source IP address and the last five bits (k=5) of the destination IP address of each message, nine bits in total, the message is mapped into the flow control table of the corresponding priority; each flow control table has $2^9$, i.e. 512, entries. The flow control module forwards or discards each message according to the discard flag bits set in the flow control tables of each port.
Step 4: every 30 seconds, the flow control software follows the flow described in 4.1 to 4.4 to total the byte counts of the flow control tables of each port and to set the flag bits.

Claims (1)

1. An output flow control method based on hardware multi-level tables, characterized by comprising the following steps:
Step 1: build the high-speed network content monitoring system, which consists of an input card, an output card, a control host and a back-end analysis system; a priority module is added to the input card, is connected to the hardware deep packet inspection (DPI) module and to the output port of the input card, receives from the hardware DPI module the messages that have undergone deep packet inspection, determines the priority of each message, and then passes the message with its priority to the output card; the output card is connected to the input card, the control host and the back-end analysis system, an output card has one input port and several output ports, a flow control module is added at each output port of the output card, the flow control module of each output port is connected to the input port of the output card, the control host and the back-end analysis system, and the flow control module decides whether a message is sent or discarded; the control host is connected to the output card and runs the flow control software, which measures the traffic, sets the discard flag bits, and controls the flow control modules to perform flow control;
the priority module consists of control logic and a priority table; the control logic is divided into header-extraction logic and header-insertion logic; the header-extraction logic receives the messages output by the hardware DPI module, whose headers carry a rule ID number, takes the rule ID number out of the header, and looks it up in the priority table, which holds the correspondence between rule IDs and priority numbers, to find the priority number corresponding to this rule ID, and the header-insertion logic then adds the priority number to the message header; each entry of the priority table contains two fields, a rule ID value and a priority number, the rule ID value is the number of the rule the message matched, the priority number is the priority corresponding to this rule ID value, each rule ID value corresponds to one priority number, a smaller priority number means a higher priority, the number of items in these two fields is P, and P is a positive integer;
each output port of the output card has its own flow control module, and each flow control module consists of flow control logic and P flow control tables, one flow control table per priority; each entry of a flow control table consists of three fields, a sequence number ID, a byte count bytes and a discard flag bit discard; the sequence number ID is determined by n+k bits in total, the last n bits of the source IP and the last k bits of the destination IP, where n and k are positive integers greater than or equal to 1 and less than or equal to 32; the byte count is the traffic volume of the entry within the specified time, and the discard flag indicates whether the entry is discarded or forwarded, 0 meaning forward and 1 meaning discard; the flow control logic of the flow control module of each output port is connected to the input port of the output card, the P flow control tables and the back-end analysis system, receives incoming messages from the input port of the output card, determines the flow control table of the corresponding priority from the priority of the message, looks up the entry of that table by the source IP address and destination IP address of the message, reads the discard flag bit discard to decide whether the message is forwarded or discarded, and for a forwarded message updates the byte count bytes of its entry;
Step 2: the hardware DPI module performs rule matching on the five-tuple of each message entering the input card; every rule has its own rule ID number; when a message matches a rule, the ID of that rule is added to the message header and the message is passed to the priority module; the priority module looks up the corresponding priority number in the priority table by the ID value in the header, adds it to the message header, and passes the message with its priority number to the output card;
Step 3: the flow control module of the output card determines the flow control table of the corresponding priority from the priority number carried in each message header, then uses the last n bits of the message's source IP address and the last k bits of its destination IP address, n+k bits in total, to look up the message's entry among the $2^{n+k}$ entries of this flow control table, and checks the discard flag bit of that entry: if the discard flag bit is 0, the message is forwarded; if it is 1, the message is discarded; With
Figure FDA0000123235760000021
denote the flow control table of priority j at output port $A_i$, where $1 \le i \le Z$, $1 \le j \le P$, and Z is the number of message output ports; let
Figure FDA0000123235760000022
denote the value of the byte count of the m-th entry of the flow control table of priority j at output port $A_i$; let
Figure FDA0000123235760000023
denote the value of the discard flag bit of the m-th entry of the flow control table of priority j at output port $A_i$; a separate symbol denotes the set of entries of flow control table
Figure FDA0000123235760000025
whose discard flag bit is 0. The flow control logic of the flow control module controls traffic in the following steps:
3.1 Determine the flow control table of the priority to which the message belongs according to the priority number of the incoming message;
3.2 Using the n+k bits formed by the last n bits of the source IP address and the last k bits of the destination IP address of the incoming message, look up the $2^{(n+k)}$-th entry of the flow control table described in 3.1;
3.3 Judge whether, for the $2^{(n+k)}$-th entry of the flow control table described in 3.2,
Figure FDA0000123235760000026
is 1; if it is 1, discard the message; otherwise, forward the message;
3.4 Add the size of the forwarded message to the byte count of the entry corresponding to this message, for accounting;
Fourth step: the flow control software periodically reads all flow control tables of the flow control module of each output port of the output card, sums the byte count fields of all entries whose discard flag bit is 0, and thereby computes the current output traffic. If the current output traffic exceeds the configured port traffic limit, it sets the discard flag bits of some entries in the flow control tables to 1, in order of priority from low to high, increasing the traffic that the hardware discards; if the current traffic is below the port traffic limit, it sets the discard flag bits of some entries in the flow control tables to 0, in order of priority from high to low, reducing the traffic that the hardware discards:
For an output card with Z message output ports $A_1, A_2, \ldots, A_Z$ whose traffic limits are $B_1, B_2, \ldots, B_Z$ respectively, each of $A_1, A_2, \ldots, A_Z$ maintains flow control tables of P different priorities, and the flow control software proceeds as follows:
4.1 After a time interval T has elapsed, T being less than or equal to 60 seconds, the flow control software reads, from the flow control tables of the P priorities of output port $A_i$, the byte count of every entry whose discard flag bit is 0 and sums them to obtain $S_i$, $1 \le i \le Z$, the current actual total output traffic of output port $A_i$; if $S_i > B_i$, go to step 4.2, otherwise go to step 4.3;
4.2 At this point the total output traffic of output port $A_i$ has exceeded its load limit, and the fast-discard strategy is adopted, with the following steps:
4.2.1 Set priority j to 1;
4.2.2 Let the excess traffic be $S' = S_i - B_i$; use the polynomial-time approximation algorithm APPROX_SUBSET_SUM (G, t) to select some entries in the flow control table and set their discard bits to 1, so that the byte counts of these entries sum to S' and exactly the excess traffic is discarded. The input of the algorithm is (G, t), where G is the set of flow control table entries and t is the overload traffic; the output is a subset of G such that the sum of the byte counts of its entries is as large as possible without exceeding t. If APPROX_SUBSET_SUM
Figure FDA0000123235760000032
returns the empty set, go to 4.2.2.1; if APPROX_SUBSET_SUM
Figure FDA0000123235760000033
returns
Figure FDA0000123235760000034
that is, all entries are to be discarded to meet the requirement, go to 4.2.2.3; otherwise go to 4.2.2.2;
4.2.2.1 No further traffic needs to be discarded; go to 4.2.3;
4.2.2.2 Judge whether the flow control table of the current priority can satisfy the flow control requirement: sum the byte counts of all entries whose discard flag bit is 0, call this sum Q, and compare Q with the overload traffic S'; if $Q \ge S'$, then, for the set returned by APPROX_SUBSET_SUM
Figure FDA0000123235760000035
set the discard flag bit of every entry in the returned set to 1, then go to 4.2.3; otherwise, carry out 4.2.2.3;
4.2.2.3 The flow control table of the current priority cannot satisfy the discard requirement: first set the discard flag of every entry of the current-priority flow control table to 1, thereby discarding all the traffic in this table; the remaining traffic to be discarded must then be discarded in the higher-level flow control table, so let $S' = S' - Q$, where Q is the sum of the byte counts of all entries whose discard flag bit is 0 in the flow control table of the current priority, let $j = j + 1$, and go to 4.2.2;
4.2.3 This round of flow control is complete; go to 4.4;
4.3 At this point the total output traffic of output port $A_i$ is below its load capacity, and the slow-recovery strategy is adopted: let H be the highest priority among all flow control tables of output port $A_i$ that have discard flag bits set to 1, and let the flow control table of priority H have L entries $F_1, F_2, \ldots, F_L$ whose discard flag bit is set to 1, $1 \le L \le 2^{(n+k)}$; then choose the one of these entries with the smallest byte count, namely $\min\{T_i^H(F_1).\mathrm{bytes},\ T_i^H(F_2).\mathrm{bytes},\ \ldots,\ T_i^H(F_L).\mathrm{bytes}\}$, denoted
Figure FDA0000123235760000042
$1 \le Y \le L$, and set its discard flag bit to 0, namely
Figure FDA0000123235760000043
go to 4.4;
4.4 Clear the byte counts of all flow control table entries, restart the statistics, and go to 4.1.
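
Steps 3.2 to 3.4 and 4.1 to 4.4 for a single output port, written in Python as an added example (not code from the patent). The names `entry_index`, `forward`, `control_cycle` and the `eps` parameter are this example's own; it assumes the source bits sit above the destination bits in the index, implements APPROX_SUBSET_SUM with the textbook trimming scheme, and starts the discard pass at the largest priority number because a smaller number means higher priority.

```python
def entry_index(src_ip, dst_ip, n, k):
    """Step 3.2: low n bits of source IP, then low k bits of destination IP (order assumed)."""
    return ((src_ip & ((1 << n) - 1)) << k) | (dst_ip & ((1 << k) - 1))

def forward(table, src_ip, dst_ip, size, n, k):
    """Steps 3.3-3.4: drop when the entry's discard flag is 1, else count the bytes."""
    entry = table[entry_index(src_ip, dst_ip, n, k)]
    if entry[1] == 1:
        return False
    entry[0] += size
    return True

def approx_subset_sum(sizes, t, eps=0.1):
    """sizes: {entry index: bytes}. Returns indexes whose bytes sum is near, never above, t."""
    delta = eps / (2 * max(len(sizes), 1))
    sums = [(0, ())]                                   # (sum, chosen indexes), ascending
    for idx, b in sizes.items():
        merged = sorted(sums + [(s + b, ids + (idx,)) for s, ids in sums if s + b <= t])
        sums = [merged[0]]
        for s, ids in merged[1:]:                      # trim sums within (1 + delta) of the last kept
            if s > sums[-1][0] * (1 + delta):
                sums.append((s, ids))
    return set(sums[-1][1])

def control_cycle(tables, limit):
    """Steps 4.1-4.4 for one port. tables: {priority number: [[bytes, discard], ...]}."""
    live = lambda tbl: {m: e[0] for m, e in enumerate(tbl) if e[1] == 0}
    total = sum(sum(live(tbl).values()) for tbl in tables.values())   # 4.1: S_i
    if total > limit:                                  # 4.2: fast discard
        excess = total - limit                         # S' = S_i - B_i
        for j in sorted(tables, reverse=True):         # lowest priority (largest number) first
            g = live(tables[j])
            q = sum(g.values())                        # Q
            chosen = approx_subset_sum(g, excess)
            if not chosen:                             # 4.2.2.1: nothing more to discard
                break
            if len(chosen) < len(g) and q >= excess:   # 4.2.2.2: this table suffices
                for m in chosen:
                    tables[j][m][1] = 1
                break
            for e in tables[j]:                        # 4.2.2.3: discard the whole table
                e[1] = 1
            excess -= q
    else:                                              # 4.3: slow recovery, one entry per cycle
        marked = [j for j in tables if any(e[1] for e in tables[j])]
        if marked:
            h = min(marked)                            # highest priority with discards
            min((e for e in tables[h] if e[1]), key=lambda e: e[0])[1] = 0
    for tbl in tables.values():                        # 4.4: restart byte counting
        for e in tbl:
            e[0] = 0
    return total
```

Following step 4.2.2.1 literally, the discard pass stops as soon as the subset search returns nothing, which also happens when every live entry in the table is larger than the excess.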
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110003670.5A CN102075423B (en) 2011-01-10 2011-01-10 Hardware multi-level table-based method for controlling output traffic

Publications (2)

Publication Number Publication Date
CN102075423A CN102075423A (en) 2011-05-25
CN102075423B true CN102075423B (en) 2013-01-02

Family

ID=44033775

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110003670.5A Expired - Fee Related CN102075423B (en) 2011-01-10 2011-01-10 Hardware multi-level table-based method for controlling output traffic

Country Status (1)

Country Link
CN (1) CN102075423B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent for invention or patent application
CB03 Change of inventor or designer information

Inventor after: Tang Yong

Inventor after: Chen Shuhui

Inventor after: Li Tao

Inventor after: Su Jinshu

Inventor after: Wang Yongjun

Inventor after: Zhao Guohong

Inventor after: Xuan Lei

Inventor after: Liu Wenhan

Inventor after: Lu Huabiao

Inventor before: Tang Yong

Inventor before: Chen Shuhui

Inventor before: Li Tao

Inventor before: Su Jinshu

Inventor before: Wang Yongjun

Inventor before: Zhao Guohong

Inventor before: Xuan Lei

Inventor before: Lu Huabiao

Inventor before: Lu Huabiao

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: TANG YONG CHEN SHUHUI LI TAO SU JINSHU WANG YONGJUN ZHAO GUOHONG XUAN LEI LU HUABIAO LU HUABIAO TO: TANG YONG CHEN SHUHUI LI TAO SU JINSHU WANG YONGJUN ZHAO GUOHONG XUAN LEI LIU WENHAN LU HUABIAO

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130102

Termination date: 20130110
