CN102404339B - Firewall system and data processing method based on the firewall system - Google Patents

Publication number
CN102404339B
Authority
CN
China
Prior art keywords
module
service processing
processing module
packet
diverter
Legal status
Active
Application number
CN201110424951.8A
Other languages
Chinese (zh)
Other versions
CN102404339A (en)
Inventor
杨启军
刘向明
王钟
莫宁
Current Assignee
Shanshi Network Communication Technology Co Ltd
Original Assignee
Hillstone Networks Communication Technology (Beijing) Co Ltd
Application filed by Hillstone Networks Communication Technology (Beijing) Co Ltd
Priority to CN201110424951.8A
Publication of CN102404339A
Application granted
Publication of CN102404339B

Abstract

The invention discloses a firewall system and a data processing method based on the firewall system. The system comprises two main control modules, a plurality of service processing modules, a plurality of diverter modules, a plurality of I/O (input/output) modules and a switching module. The two main control modules are in a primary-backup relationship with each other and control the other modules; the switching module forwards data packets among all modules; the I/O modules are bound to the diverter modules, and each I/O module sends the data packets it receives to the diverter module it is bound to; each diverter module sends the received data packets of the same session to a service processing module; each service processing module outputs the processed data packets through an I/O module. The firewall system solves the problem that service expansion cannot be performed on a system: the number of service processing modules in the system can be configured as required, which supports service expansion of the system and thereby improves its performance.

Description

Firewall system and data processing method based on the firewall system
Technical field
The present invention relates to the field of communications, and in particular to a firewall system and a data processing method based on the firewall system.
Background
At present, a firewall system generally consists of a CPU (Central Processing Unit), a switch system and a number of I/O (input/output) ports; Figure 1 shows the structure of such a system. The CPU is responsible for all of the firewall's service processing. Figure 2 shows the packet flow of this firewall system: a packet first enters an I/O port of the firewall system; the I/O port sends the packet to the switch system, which forwards it to the CPU; the CPU then processes the packet, and the processed packet is forwarded through the switch system to an I/O port; finally, the I/O port outputs the packet from the firewall system. Because this firewall system has only one CPU for service processing, its performance is limited by the processing capacity of that CPU and cannot be expanded. In addition, during a system upgrade the CPU must interrupt service to complete the upgrade, which makes the system's service processing insufficiently reliable.
There is also a communication device system that comprises a main board and a standby board. The main board handles the system's services, and the standby board receives synchronization information from the main board. The main board synchronizes configuration and state information to the standby board in real time. For a software upgrade, the standby board is upgraded first, and the configuration and state information are then synchronized to it. Once that synchronization is complete, an active/standby switchover is performed: the former standby board becomes the main board, and the former main board is then upgraded. In this way the software of the whole system is upgraded to the new version. This upgrade method only supports the case where all services that require CPU processing are processed on the main control board.
No effective solution has yet been proposed for the problem in the related art that the system cannot perform service expansion.
Summary of the invention
To address the problem in the related art that the system cannot perform service expansion, the present invention provides a firewall system and a data processing method based on the firewall system, so as to solve at least this problem.
According to one aspect of the present invention, a firewall system is provided. The system comprises two main control modules, multiple service processing modules, multiple diverter modules, multiple I/O modules and one switching module. The two main control modules are in an active/standby relationship with each other and control the service processing modules, the diverter modules, the I/O modules and the switching module. The switching module forwards packets between the modules. The I/O modules are bound to the diverter modules, and each I/O module sends the packets it receives to the diverter module it is bound to. Each diverter module sends the packets of the same session to the same service processing module. Each service processing module processes the packets it receives and, after processing, outputs each packet through one of the I/O modules.
The diverter module comprises: a load determining unit, configured to determine the load of the multiple service processing modules when the first packet of a session is received; a selecting unit, configured to select the service processing module for the first packet according to the load determined by the load determining unit; and a first shunting unit, configured to forward the first packet to the service processing module selected by the selecting unit.
The diverter module comprises: a mapping unit, configured to perform a mapping on the information carried in the header of the first packet when the first packet of a session is received; a determining unit, configured to determine the service processing module for the first packet according to the mapping result of the mapping unit; and a second shunting unit, configured to forward the first packet to the service processing module determined by the determining unit.
The service processing module comprises: a receiving unit, configured to receive the first packet; a creating unit, configured to create the data structure of the session according to the first packet; and a response unit, configured to reply to the diverter module with a response message that carries the correspondence between the session identifier and the identifier of the service processing module. The diverter module comprises: a correspondence storage unit, configured to store the correspondence between the session identifier and the identifier of the service processing module carried in the response message; and a third shunting unit, configured to forward the subsequent packets of the session to the service processing module according to the correspondence stored in the correspondence storage unit.
The diverter module comprises: a synchronization unit, configured to synchronize the correspondence stored in the correspondence storage unit to another of the diverter modules after an upgrade instruction is received; and a first upgrade unit, configured to upgrade according to the upgrade instruction. The other diverter module comprises: a synchronized-storage unit, configured to store the correspondence synchronized by the synchronization unit. The switching module comprises: a binding modification unit, configured to modify the binding between the I/O modules and the diverter modules according to a system configuration instruction.
The service processing module comprises: an information synchronization unit, configured to synchronize the data structure created by the creating unit to another of the service processing modules after an upgrade instruction is received; a notification unit, configured to send a correspondence modification notice to the diverter module, the notice carrying the identifier of the service processing module in which the unit resides and the identifier of the other service processing module; and a second upgrade unit, configured to upgrade according to the upgrade instruction. The diverter module comprises: a correspondence modification unit, configured to change, according to the modification notice sent by the notification unit, every identifier in the correspondence that equals the identifier of the first service processing module in the notice to the identifier of the second service processing module in the notice; and a fourth shunting unit, configured to forward the subsequent packets of the session to the other service processing module according to the correspondence as modified by the correspondence modification unit. The other service processing module comprises: an information storage unit, configured to store the data structure synchronized by the information synchronization unit; and a service processing unit, configured to process the subsequent packets of the session according to the data structure stored in the information storage unit.
According to another aspect of the present invention, a data processing method based on the above firewall system is provided. The method comprises: each of the I/O modules, after receiving a packet, sends the packet to the diverter module it is bound to; each of the diverter modules, after receiving the packet, forwards it to the corresponding service processing module according to the shunting rule that packets of the same session are sent to the same service processing module; each service processing module, after receiving the packet, processes it and, after processing, outputs it through one of the I/O modules.
The diverter module forwarding the packet to the corresponding service processing module comprises: after receiving the first packet of a session, the diverter module determines the load of the multiple service processing modules; the diverter module selects the service processing module for the first packet according to the determined load; the diverter module forwards the first packet to the selected service processing module.
The diverter module forwarding the packet to the corresponding service processing module comprises: after receiving the first packet of a session, the diverter module performs a mapping on the information carried in the header of the first packet; the diverter module determines the service processing module for the first packet according to the mapping result; the diverter module forwards the first packet to the determined service processing module.
After each service processing module receives the packet, the method comprises: the service processing module, after receiving the first packet, creates the data structure of the session according to the first packet; the service processing module replies to the diverter module with a response message that carries the correspondence between the session identifier and the identifier of the service processing module; the diverter module stores the correspondence between the session identifier and the identifier of the service processing module carried in the response message; the diverter module forwards the subsequent packets of the session to the service processing module according to the stored correspondence.
The method further comprises: after receiving an upgrade instruction, the diverter module synchronizes the stored correspondence to another of the diverter modules and then upgrades according to the upgrade instruction; after receiving a system configuration instruction, the switching module modifies the binding between the I/O modules and the diverter modules according to that instruction and forwards the subsequent packets of the session according to the modified binding; the other diverter module stores the correspondence synchronized by the diverter module and, according to the stored correspondence, forwards to the service processing module the subsequent packets of the session that the switching module forwards to it.
The method further comprises: after receiving an upgrade instruction, the service processing module synchronizes the data structure it created to another of the service processing modules and sends a correspondence modification notice to the diverter module, the notice carrying the identifier of the service processing module itself and the identifier of the other service processing module; it then upgrades according to the upgrade instruction. According to the modification notice sent by the service processing module, the diverter module changes every identifier in the correspondence that equals the identifier of the first service processing module in the notice to the identifier of the second service processing module in the notice. The diverter module forwards the subsequent packets of the session to the other service processing module according to the modified correspondence. The other service processing module stores the data structure synchronized by the service processing module and processes the subsequent packets of the session according to the stored data structure.
With the present invention, the I/O modules in the firewall system are bound to the diverter modules; each I/O module sends the packets it receives to the diverter module it is bound to; each diverter module, after receiving packets, sends the packets of the same session to the same service processing module; and each service processing module processes the packets and outputs them through an I/O module. This solves the problem in the related art that the system cannot perform service expansion: the system has multiple service processing modules whose number can be configured as required, so the system supports service expansion, which in turn improves the performance of the firewall system.
Brief description of the drawings
The accompanying drawings described here provide a further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of the structure of a firewall system according to the related art;
Fig. 2 is a schematic diagram of the packet flow of a firewall system according to the related art;
Fig. 3 is a structural block diagram of the firewall system according to an embodiment of the present invention;
Fig. 4 is a detailed structural block diagram of the firewall system according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the packet flow of the firewall system according to an embodiment of the present invention;
Fig. 6 is a flow chart of the data processing method based on the firewall system according to an embodiment of the present invention;
Fig. 7 is a flow chart of the data processing method based on the firewall system according to embodiment one of the present invention.
Embodiment
The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments can be combined with one another.
In the prior art, a firewall system has only one CPU responsible for service processing, so system performance is limited by the processing capacity of that CPU and cannot be expanded. For this reason, the embodiments of the present invention provide a firewall system and a data processing method based on the firewall system. The firewall system has multiple service processing modules, which makes service expansion easy. The embodiments are described in detail below.
This example provides a firewall system comprising two main control modules, multiple service processing modules, multiple diverter modules, multiple I/O modules and one switching (Switch) module. Fig. 3 is a structural block diagram of the firewall system. In Fig. 3, the two main control modules are illustrated by the first main control module 30a and the second main control module 30b; the service processing modules by the first service processing module 32a, the second service processing module 32b and the third service processing module 32c; the diverter modules by the first diverter module 34a, the second diverter module 34b and the third diverter module 34c; the I/O modules by the first I/O module 36a, the second I/O module 36b and the third I/O module 36c; and the switching module by switching module 38. The structure is described below.
The two main control modules are in an active/standby relationship with each other and control the service processing modules, the diverter modules, the I/O modules and the switching module. The switching module (for example switching module 38 in Fig. 3) is connected to all of the above modules and forwards packets between them;
The I/O modules are bound to the diverter modules. Each I/O module (for example I/O module 36a in Fig. 3) is connected to switching module 38 and sends the packets it receives to the diverter module it is bound to (for example the first diverter module 34a in Fig. 3). Each diverter module (for example the first diverter module 34a in Fig. 3) is connected to switching module 38 and sends the packets of the same session to the same service processing module (for example the first service processing module 32a in Fig. 3);
Each service processing module (for example the first service processing module 32a in Fig. 3) is connected to switching module 38 and processes the packets it receives; after processing, it outputs each packet through one of the I/O modules (for example I/O module 36a in Fig. 3).
The processing performed by the service processing module includes finding the outgoing interface: if the received packet is a layer-3 packet, the outgoing interface is found by route lookup; if the received packet is a layer-2 packet, the interface is determined from the destination MAC address. The I/O module on which the outgoing interface resides is the selected I/O module. How a particular I/O module completes the output of the packet can be implemented with reference to the related art and is not described in detail here.
With this system, the I/O modules in the firewall system are bound to the diverter modules; each I/O module sends the packets it receives to the diverter module it is bound to; each diverter module, after receiving packets, sends the packets of the same session to the same service processing module; and each service processing module processes the packets and outputs them through an I/O module. This solves the problem in the related art that the system cannot perform service expansion: the system has multiple service processing modules whose number can be configured as required, so the system supports service expansion, which in turn improves the performance of the firewall system.
After receiving a packet sent by an I/O module, each diverter module sends it to a service processing module according to the shunting rule that packets of the same session go to the same service processing module. For the question of how the diverter module selects a service processing module after receiving the first packet of a session, this embodiment provides two preferred implementations; the present invention is, of course, not limited to these two. Both are described below, using the first diverter module 34a in Fig. 3 as the example.
In the first approach, the first diverter module 34a of the firewall system comprises: a load determining unit, configured to determine the load of the multiple service processing modules when the first packet of a session is received; a selecting unit, configured to select the first service processing module 32a for the first packet according to the load determined by the load determining unit; and a first shunting unit, connected to the selecting unit and configured to forward the first packet to the first service processing module 32a selected by the selecting unit. This approach selects on the basis of the load of the service processing modules; in general, the diverter module selects a service processing module with a lower load to send the packet to.
In the second approach, the first diverter module 34a of the firewall system comprises: a mapping unit, configured to perform a mapping on the information carried in the header of the first packet when the first packet of a session is received; a determining unit, connected to the mapping unit and configured to determine the first service processing module 32a for the first packet according to the mapping result of the mapping unit; and a second shunting unit, connected to the determining unit and configured to forward the first packet to the first service processing module 32a determined by the determining unit. This approach selects the service processing module on the basis of a mapping between the information carried in the header of the first packet and the first service processing module 32a. For example, with a fixed mapping, the hash value of the packet's 5-tuple (the source and destination IP addresses, source and destination ports, and protocol number of the IP packet) is calculated, and packets with the same hash value correspond to the same service processing module. This establishes the mapping between the first packet and a service processing module, so that when the first diverter module 34a receives the first packet it selects the first service processing module 32a and sends the packet to it. Both preferred implementations make it quick and simple for the diverter module to select a suitable service processing module when it receives the first packet.
After a service processing module receives the first packet sent by the diverter module, it can record it so that subsequent packets are easier to receive and process. To this end, in a preferred implementation of this embodiment, the service processing module (described here using the first service processing module 32a as the example) can comprise: a receiving unit, configured to receive the first packet; a creating unit, connected to the receiving unit and configured to create the data structure of the session according to the first packet; and a response unit, connected to the creating unit and configured to reply to the first diverter module 34a with a response message that carries the correspondence between the session identifier and the identifier of the first service processing module 32a. With this preferred implementation, the service processing module can conveniently and effectively manage and record the subsequent packets that the diverter module sends to it. The data structure created in this embodiment can include some or all of the following parameters: the packet's 5-tuple, the packet's incoming interface, the packet's source MAC address, the security policy ID, the reverse packet's 5-tuple, the packet's outgoing interface, the packet's next-hop MAC address, and the ID of the service processing module that processes the packets of this session. The session identifier can be the 5-tuple carried in the packet, the 5-tuple carried in the reverse packet, and so on.
After the diverter module receives this response message, it can record the correspondence between the session identifier and the identifier of the service processing module, so that when it receives subsequent packets it sends them to the corresponding service processing module according to this correspondence. The diverter module (described here using the first diverter module 34a as the example) can comprise: a correspondence storage unit, configured to store the correspondence between the session identifier and the identifier of the first service processing module 32a carried in the response message sent by the first service processing module 32a; and a third shunting unit, connected to the correspondence storage unit and configured to forward the subsequent packets of the session to the first service processing module 32a according to the correspondence stored in the correspondence storage unit.
The correspondence stored by the correspondence storage unit can be recorded in a shunt table. After receiving a packet, the diverter module first looks up the shunt table. If the table contains the correspondence between the packet's session identifier and the identifier of a service processing module, the recorded information determines which service processing module the packet should be sent to. If the correspondence is not found, the diverter module selects a service processing module using one of the two preferred implementations described above for the first packet: it either selects a service processing module with a lower load or selects one by fixed mapping. In this way the information stored in the shunt table keeps growing. The correspondence provided by this preferred implementation lets the diverter module send packets to service processing modules quickly, simply and in a planned way.
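The first-packet selection and shunt table lookup described above, as an added Python sketch that is not part of the patent text. The class and function names, the use of SHA-256 for the fixed mapping, and the load metric (number of sessions held) are assumptions of this example; the sample 5-tuples are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int

    def reverse(self):
        """5-tuple carried by packets travelling in the opposite direction."""
        return FiveTuple(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


def fixed_mapping(ft, spm_ids):
    """Second approach: hash the 5-tuple and map the hash onto a module id."""
    key = "|".join(map(str, (ft.src_ip, ft.dst_ip, ft.src_port, ft.dst_port, ft.proto)))
    digest = hashlib.sha256(key.encode()).digest()   # hash function is an assumption
    return spm_ids[int.from_bytes(digest[:4], "big") % len(spm_ids)]


class ServiceProcessingModule:
    def __init__(self, spm_id):
        self.spm_id = spm_id
        self.sessions = {}            # session data structures, keyed by either direction

    def load(self):
        # Assumed load metric: number of distinct sessions held by this module.
        return len({id(record) for record in self.sessions.values()})

    def handle(self, ft):
        """Process a packet. For a first packet, create the session data structure
        and return the response message (session identifiers, module id)."""
        if ft in self.sessions:
            self.sessions[ft]["packets"] += 1
            return None
        record = {"forward": ft, "reverse": ft.reverse(),
                  "spm_id": self.spm_id, "packets": 1}
        self.sessions[ft] = self.sessions[ft.reverse()] = record
        return (ft, ft.reverse()), self.spm_id


class Diverter:
    def __init__(self, modules, policy="load"):
        self.modules = {m.spm_id: m for m in modules}
        self.policy = policy          # "load" (first approach) or "hash" (second)
        self.shunt_table = {}         # session identifier -> module id

    def select(self, ft):
        if self.policy == "hash":
            return fixed_mapping(ft, sorted(self.modules))
        # Lowest load wins; ties are broken by module id.
        return min(self.modules.values(), key=lambda m: (m.load(), m.spm_id)).spm_id

    def dispatch(self, ft):
        """Look up the shunt table first; on a miss treat the packet as a first
        packet, select a module, and learn the mapping from its response."""
        spm_id = self.shunt_table.get(ft)
        if spm_id is None:
            spm_id = self.select(ft)
        response = self.modules[spm_id].handle(ft)
        if response is not None:
            session_ids, owner = response
            for session_id in session_ids:
                self.shunt_table[session_id] = owner
        return spm_id


if __name__ == "__main__":
    diverter = Diverter([ServiceProcessingModule(i) for i in (1, 2, 3)])
    client = FiveTuple("10.0.0.1", "192.0.2.10", 40000, 443, 6)   # constructed sample
    print(diverter.dispatch(client), diverter.dispatch(client.reverse()))
```

Because the response message registers both the forward and the reverse 5-tuple, return traffic reaches the module that holds the session even when load-based selection would now pick a different one.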
The number of service processing modules in the firewall system of the above embodiment and its preferred implementations can be configured as required, which makes system performance scalable and lets data processing inside the system proceed in a more planned and purposeful way. A firewall system also faces the problem of upgrading. Some prior-art systems must interrupt service during an upgrade, which makes their service processing insufficiently reliable; other systems need not interrupt service during an upgrade, but that upgrade method only supports systems in which all service processing is performed on the main control board. This embodiment therefore provides a preferred implementation. Fig. 4 is a detailed structural block diagram of the firewall system; in addition to the modules in Fig. 3, the system further includes the following:
The diverter module (the first diverter module 34a in Fig. 4 is used as the example) comprises: a synchronization unit 34a0, configured to synchronize the correspondence stored in the correspondence storage unit to another of the diverter modules (the second diverter module 34b in Fig. 4 is used as the example) after an upgrade instruction is received; and a first upgrade unit 34a2, connected to the synchronization unit 34a0 and configured to upgrade according to the upgrade instruction;
The other diverter module (the second diverter module 34b in Fig. 4) comprises: a synchronized-storage unit 34b0, connected to the synchronization unit 34a0 and configured to store the correspondence synchronized by the synchronization unit 34a0. From then on, this diverter module forwards packets according to the synchronized correspondence.
Switching module 38 comprises: a binding modification unit 380, configured to modify the binding between the I/O modules and the diverter modules according to a system configuration instruction.
In this preferred implementation, when the first diverter module 34a is to be upgraded, the correspondence it stores is synchronized to the second diverter module 34b, and switching module 38 then modifies the binding between I/O modules and diverter modules, so that when I/O module 36a receives a packet it sends the packet to the second diverter module 34b. If the packets of a session would have been sent to the first service processing module 32a by the first diverter module 34a, the second diverter module 34b in this preferred implementation likewise sends them to the first service processing module 32a. This guarantees that packet transmission is not interrupted while a diverter module is being upgraded. Of course, when the first diverter module 34a is to be upgraded, the diverter module it selects for synchronizing the correspondence is not limited to the second diverter module 34b; it can be any diverter module other than itself. With this preferred implementation, the firewall system can upgrade a diverter module without interrupting service, which improves the reliability of the firewall system's service processing.
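The diverter handover above, together with the service processing module migration set out in the summary, as an added Python sketch that is not part of the patent text. It also shows why the shunt table must be synchronized before the switching module rebinds the I/O module. All names, the dictionary layout and the lowest-load fallback on a table miss are assumptions; the state is constructed.

```python
import copy

# Constructed state: two diverters, three service processing modules (SPMs).
INITIAL = {
    "binding": {"io1": "div1", "io2": "div2"},               # I/O module -> diverter
    "shunt": {"div1": {"s1": "spm1", "s2": "spm2"}, "div2": {}},
    "sessions": {"spm1": {"s1": "state-s1"},                 # SPM -> session data
                 "spm2": {"s2": "state-s2"},
                 "spm3": {}},
}


def forward(state, io_module, session_id):
    """Route one follow-up packet: I/O module -> bound diverter -> SPM.
    Returns (diverter, spm, spm_holds_session_state)."""
    diverter = state["binding"][io_module]
    spm = state["shunt"][diverter].get(session_id)
    if spm is None:
        # Shunt table miss: the packet is handled like a first packet and a
        # module is selected by lowest load (ties broken by name).
        spm = min(state["sessions"], key=lambda s: (len(state["sessions"][s]), s))
    return diverter, spm, session_id in state["sessions"][spm]


def sync_shunt_table(state, old, new):
    """Synchronization unit: copy the old diverter's correspondences to its peer."""
    state["shunt"][new].update(state["shunt"][old])


def rebind(state, old, new):
    """Binding modification unit: move every I/O module bound to old onto new."""
    for io_module, diverter in state["binding"].items():
        if diverter == old:
            state["binding"][io_module] = new


def migrate_spm(state, old, new):
    """SPM upgrade: sync the session data structures, then apply the
    modification notice (old, new) to the shunt table of every diverter."""
    state["sessions"][new].update(state["sessions"][old])
    for table in state["shunt"].values():
        for session_id, owner in table.items():
            if owner == old:
                table[session_id] = new


def diverter_upgrade(sync_first):
    """Take div1 out of service; optionally skip the synchronization step."""
    state = copy.deepcopy(INITIAL)
    if sync_first:
        sync_shunt_table(state, "div1", "div2")
    rebind(state, "div1", "div2")
    return forward(state, "io1", "s2")


def spm_upgrade():
    """Take spm2 out of service by migrating its sessions to spm3."""
    state = copy.deepcopy(INITIAL)
    migrate_spm(state, "spm2", "spm3")
    return forward(state, "io1", "s2")


if __name__ == "__main__":
    print("sync then rebind:", diverter_upgrade(True))
    print("rebind only:     ", diverter_upgrade(False))
    print("SPM migration:   ", spm_upgrade())
```

With the synchronization step the packet of session s2 still reaches spm2, which holds its state; without it the peer diverter misses in its table and picks spm3, which has no data structure for that session.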
Having described the upgrade of the diverter module, the upgrade process of the service processing module is described below. This embodiment provides another preferred implementation, which comprises:
The service processing module (taking the first service processing module 32a in Fig. 4 as an example) comprises: an information synchronization unit, configured to, after an upgrade indication is received, synchronize the data structure created by the creating unit to another service processing module among the multiple service processing modules (taking the second service processing module 32b in Fig. 4 as an example); a notification unit, configured to send a correspondence modification notice to the diverter module (taking the third diverter module 34c in Fig. 4 as an example), where the modification notice carries the identifier of the service processing module in which the notification unit resides (that is, the identifier of the first service processing module 32a) and the identifier of the second service processing module 32b, the two identifiers indicating which service processing module is to be switched to which; and a second upgrade unit, connected to the notification unit and configured to perform the upgrade according to the upgrade indication. After the service migration of this embodiment, the main control module can be restarted and then load the new software version.
The diverter module (i.e. the first diverter module 34a) comprises: a correspondence modification unit, configured to, according to the modification notice sent by the notification unit, change every identifier in the correspondence that is identical to the identifier of the first service processing module in the modification notice into the identifier of the second service processing module in the modification notice; in this embodiment, for example, the identifier of the first service processing module 32a in the correspondence (the shunting table) is changed to the identifier of the second service processing module 32b; and a fourth shunting unit, connected to the correspondence modification unit and configured to forward the subsequent packets of the session to the second service processing module 32b according to the correspondence as modified by the correspondence modification unit.
The other service processing module (the second service processing module 32b in Fig. 4) comprises: an information storage unit, connected to the information synchronization unit and configured to store the data structure synchronized by the information synchronization unit; and a service processing unit, connected to the information storage unit and configured to process the subsequent packets of the session according to the data structure stored in the information storage unit.
In this preferred implementation, when the first service processing module 32a is to be upgraded, the data structure it created is synchronized to the second service processing module 32b, and the diverter module 34c then modifies the correspondence so that the session identifier of the packets maps to the identifier of the second service processing module 32b. In this way, when the first diverter module 34a would send a packet to the first service processing module 32a, the first diverter module 34a in this preferred implementation sends the packet to the second service processing module 32b. This ensures that packet transmission is not interrupted while a service processing module is being upgraded. Of course, when the first service processing module 32a is to be upgraded, the service processing module selected to receive the synchronized data structure is not limited to the second service processing module 32b; it can be any service processing module other than the one being upgraded. With this preferred implementation, the firewall system can upgrade a service processing module without interrupting service, which improves the reliability of the firewall system's service processing.
The preferred implementations above describe in detail how the diverter modules and the service processing modules are upgraded; the upgrade of the main control modules is introduced below through a further preferred implementation. The two main control modules are in an active/standby relationship. Suppose the first main control module 30a is the main control module in the active state and the second main control module 30b is the main control module in the standby state; of course, the active/standby relationship of the two is not limited to this. The configuration and state information on the first main control module 30a can be synchronized to the second main control module 30b at any time. The upgrade is first performed on the second main control module 30b, which is in the standby state; during this period the first main control module 30a continues to control the modules in the system. After the upgrade of the second main control module 30b finishes, the active/standby relationship of the two main control modules is switched, and the upgrade is then performed on the first main control module 30a, which is in the standby state after the switch. In this way, this preferred implementation completes the upgrade of both main control modules without interrupting service, which improves the service handling capability of the system.
In the firewall system described above, smooth upgrade of the system software is achieved by migrating services between modules of the same type and upgrading the modules in turn. The system supports service expansion and can be upgraded without interrupting service. This embodiment can also be realized in a chassis-based system. For example, a chassis-based firewall system can be built with 16 slots, comprising two main control board slots, two switch board slots and 12 general-purpose slots; I/O boards, service processing boards and diverter boards can be inserted into the general-purpose slots. The main control board corresponds to the main control module in the above embodiment, the switch board to the switching module, the I/O board to the I/O module, the service processing board to the service processing module, and the diverter board to the diverter module. The numbers of I/O boards, service processing boards and diverter boards can be configured flexibly according to the needs of network processing. The system can be configured with two main control boards, two or more service processing boards and two or more diverter boards, and this firewall system can achieve smooth software upgrade. That is, when the software is upgraded, the whole system does not need to be restarted and service processing is unaffected.
Corresponding to the firewall system provided by the above embodiment, this embodiment provides a data processing method based on that firewall system. The firewall system can consist of main control modules, service processing modules, diverter modules, a switching module and I/O ports. The packet flow of the system is shown in Fig. 5. First, a packet enters an I/O port of the firewall system; the I/O port sends the packet to the Switch module, which forwards it to a diverter module. Then, following the shunting rule that packets of the same session are sent to the same service processing module, the diverter module forwards the packet via the Switch module to the corresponding service processing module. Next, the service processing module processes the packet and forwards the processed packet through the Switch module to an I/O port. Finally, the I/O port outputs the packet from the firewall system. The system in this embodiment is described using the example of two main control modules, several service processing modules, several diverter modules, several I/O ports and one Switch (switching) system. Fig. 6 is a flow chart of the data processing method based on the firewall system according to an embodiment of the present invention. As shown in Fig. 6, the method comprises the following steps (step S602 to step S606):
Step S602: after receiving a packet, each I/O module among the multiple I/O modules sends the packet to the diverter module to which it is bound. A packet arriving from an I/O port must first be handed to a diverter module for processing. When the system is initialized, I/O ports and diverter modules are bound, and all packets arriving from an I/O port are handed to its pre-assigned diverter module; this binding relationship can also be changed at run time.
Step S604: after receiving the packet, each diverter module among the multiple diverter modules forwards the packet to the corresponding service processing module, following the shunting rule that packets of the same session are sent to the same service processing module.
Step S606: after receiving the packet, each service processing module processes the packet and, once processing is complete, outputs the packet through one I/O module among the multiple I/O modules.
The processing performed by the service processing module includes finding the outgoing interface. If the received packet is a Layer 3 packet, the outgoing interface is found by route lookup; if the received packet is a Layer 2 packet, the outgoing interface is determined by the destination MAC address. The I/O module on which the outgoing interface resides is the selected I/O module. How exactly a particular I/O module completes the output of the packet can be implemented with reference to the related art and is not described in detail here.
With the above method, the multiple I/O modules in the firewall system are bound to the multiple diverter modules; each I/O module sends the packets it receives to the diverter module to which it is bound; each diverter module, after receiving a packet, sends the packets of the same session to the same service processing module; and each service processing module outputs the packet through an I/O module after processing it. This solves the problem in the related art that the system cannot be expanded for more services: the system has multiple service processing modules whose number can be configured on demand, so the system supports service expansion, which in turn improves the performance of the firewall system.
After receiving a packet sent by an I/O module, each diverter module sends the packet to a service processing module following the shunting rule that packets of the same session are sent to the same service processing module. As to how the diverter module selects a service processing module after receiving the first packet of a session, this embodiment provides two preferred implementations; of course, the present invention is not limited to these two. The two preferred implementations are described in turn below.
In the first way, after receiving the first packet of a session, the diverter module determines the load of the multiple service processing modules, selects the service processing module for the first packet according to the determined load, and finally forwards the first packet to the selected service processing module. This way selects on the basis of the load of the service processing modules; in general, the diverter module selects a service processing module with a lower load to receive the packet.
In the second way, after receiving the first packet of a session, the diverter module performs a mapping on the information carried in the header of the first packet, determines the service processing module for the first packet from the result of the mapping, and finally forwards the first packet to the determined service processing module. For example, a fixed mapping can be used: the hash value of the packet's 5-tuple (the source and destination IP addresses, the source and destination ports and the protocol number of the IP packet) is computed, and packets with the same hash value correspond to the same service processing unit. This establishes the mapping between the first packet and a service processing module, so that the diverter module can select a service processing module when it receives the first packet. Both preferred implementations let the diverter module select a suitable service processing module quickly and simply when it receives a first packet.
After a service processing module receives the first packet sent by a diverter module, it can record the session to make receiving and processing the subsequent packets easier. To this end, in a preferred implementation of this embodiment, after receiving the first packet sent by the diverter module, the service processing module creates the data structure of the session from the first packet and then replies to the diverter module with a response message, where the response message carries the correspondence between the session identifier and the identifier of the service processing module. The diverter module stores the correspondence between the session identifier and the service processing module identifier carried in the response message, so that when it receives subsequent packets it can forward the subsequent packets of the session to that service processing module according to the stored correspondence. With this preferred implementation, the service processing module can conveniently and effectively manage and record the subsequent packets sent by the diverter module, and the diverter module records the correspondence between the session identifier and the service processing module identifier so that it can send subsequent packets to the corresponding service processing module. The data structure created in this embodiment can include some or all of the following parameters: the 5-tuple of the packet, the 5-tuple of the reverse packet, the packet's incoming interface, the packet's outgoing interface, the packet's source MAC address, the packet's next-hop MAC address, the security policy ID, and the ID of the service processing module that processes the packets of this session.
The session identifier can be, for example, the 5-tuple carried in the packet and the 5-tuple carried in the reverse packet.
The firewall system in the above embodiment and its preferred implementations can meet the requirement of service expansion, and data processing inside the system can be carried out in a more planned and purposeful way. Firewall systems in the prior art also face the problem that service must be interrupted during an upgrade. This embodiment therefore provides a preferred implementation. After receiving an upgrade indication, a diverter module synchronizes the correspondence it stores to another diverter module among the multiple diverter modules, and then upgrades according to the upgrade indication. After the switching module receives a system configuration indication, it modifies the binding relationship between the multiple I/O modules and the multiple diverter modules according to that indication and forwards the subsequent packets of the session according to the modified binding relationship. The other diverter module stores the correspondence synchronized from the first diverter module and, according to the stored correspondence, forwards the subsequent packets of the session that the switching module forwards to it on to the service processing module.
Suppose the system has multiple diverter modules, two of which are called A and B, and diverter module A is now to be upgraded. First, the shunting table on diverter module A is synchronized to diverter module B; from then on, diverter module B forwards packets according to the synchronized correspondence. After the synchronization completes, the configuration of the Switch module is changed so that the traffic of the I/O ports originally bound to diverter module A is all forwarded to diverter module B for processing. At this point diverter module A no longer receives service packets and can be upgraded without affecting service processing. After diverter module A has been upgraded, diverter module B is upgraded by a similar process. Of course, when a diverter module is to be upgraded, the diverter module selected to receive the synchronized correspondence is not limited to any specific diverter module; it can be any diverter module other than the one being upgraded.
This preferred implementation ensures that packet transmission is not interrupted while a diverter module is being upgraded. With it, the firewall system can upgrade a diverter module without interrupting service, which improves the reliability of the firewall system's service processing.
Having described the upgrade of the diverter module, the upgrade process of the service processing module is described below. This embodiment provides another preferred implementation, whose process is as follows. After receiving an upgrade indication, a service processing module synchronizes the data structure it created to another service processing module among the multiple service processing modules and sends a correspondence modification notice to the diverter module, where the modification notice carries the identifier of the service processing module itself and the identifier of the other service processing module; the two identifiers indicate which service processing module is to be switched to which. The service processing module then upgrades according to the upgrade indication. After the service migration of this embodiment, the main control module can be restarted and then load the new software version. According to the modification notice sent by the service processing module, the diverter module changes every identifier in the correspondence that is identical to the identifier of that service processing module in the modification notice into the identifier of the other service processing module in the modification notice, and then forwards the subsequent packets of the session to the other service processing module according to the modified correspondence. The other service processing module stores the data structure synchronized from the first service processing module and processes the subsequent packets of the session according to the stored data structure.
Suppose the firewall system has multiple service processing modules, two of which are called A and B, and service processing module A is now to be upgraded. First, the session information on service processing module A is synchronized to service processing module B. After the synchronization completes, the diverter module is notified to forward all traffic that was originally forwarded to service processing module A to service processing module B. After this, service processing module A no longer receives service packets and can be upgraded. After the upgrade of service processing module A completes, the other service processing modules are upgraded by a similar method. Of course, when a service processing module is to be upgraded, the service processing module selected to receive the synchronized data structure is not limited to any specific service processing module; it can be any service processing module other than the one being upgraded.
This preferred implementation ensures that packet transmission is not interrupted while a service processing module is being upgraded. With it, the firewall system can upgrade a service processing module without interrupting service, which improves the reliability of the firewall system's service processing.
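The following added example (not code from the patent) models the mechanisms described above: first-packet selection by 5-tuple hash, the response message that fills the diverter's shunting table, and the two migrations that precede an upgrade. The class and function names, the use of SHA-256 as the hash, and the sample addresses are assumptions made for illustration. The `sync=False` path shows why the session data must be synchronized before the modification notice is applied.

```python
import hashlib
from dataclasses import dataclass, field

def reverse(t):
    """5-tuple of the reply direction: swap addresses and ports."""
    src, dst, sport, dport, proto = t
    return (dst, src, dport, sport, proto)

def session_id(t):
    """Session identifier covering the packet's and the reverse packet's 5-tuple."""
    return tuple(sorted((t, reverse(t))))

@dataclass
class ServiceModule:  # hypothetical model of a service processing module
    name: str
    sessions: dict = field(default_factory=dict)  # session id -> session state

    def first_packet(self, t):
        """Create the session data structure; the return value is the response message."""
        sid = session_id(t)
        self.sessions[sid] = {"tuple": t, "reverse": reverse(t),
                              "module": self.name, "packets": 1}
        return sid, self.name

    def process(self, t):
        state = self.sessions.get(session_id(t))
        if state is None:  # no state for a mid-session packet: a stateful firewall drops it
            return "drop: no session on " + self.name
        state["packets"] += 1
        return "ok on " + self.name

    def prepare_upgrade(self, backup, diverters, sync=True):
        """Move this module's sessions to `backup` before it restarts for the upgrade."""
        if sync:  # step 1: synchronize the session data structures
            for sid, state in self.sessions.items():
                backup.sessions[sid] = dict(state, module=backup.name)
        for d in diverters:  # step 2: modification notice (old identifier, new identifier)
            d.apply_modification_notice(self.name, backup.name)
        self.sessions.clear()  # step 3: the restart discards in-memory state

class Diverter:  # hypothetical model of a diverter module
    def __init__(self, name, modules):
        self.name = name
        self.modules = modules  # module identifier -> ServiceModule
        self.table = {}         # shunting table: session id -> module identifier

    def pick_by_hash(self, t):
        """Fixed mapping for a first packet: hash of the 5-tuple modulo the module count."""
        names = sorted(self.modules)
        digest = hashlib.sha256(repr(t).encode()).digest()
        return names[int.from_bytes(digest[:4], "big") % len(names)]

    def forward(self, t):
        owner = self.table.get(session_id(t))
        if owner is None:  # first packet of the session
            sid, owner = self.modules[self.pick_by_hash(t)].first_packet(t)
            self.table[sid] = owner  # store the correspondence from the response message
            return "ok on " + owner
        return self.modules[owner].process(t)

    def apply_modification_notice(self, old, new):
        for sid, owner in self.table.items():
            if owner == old:
                self.table[sid] = new

def upgrade_diverter(binding, old, new):
    """Synchronize the shunting table, then rebind the I/O ports away from `old`."""
    new.table.update(old.table)
    for port, d in binding.items():
        if d is old:
            binding[port] = new
    old.table.clear()  # `old` now carries no traffic and can restart

if __name__ == "__main__":
    a, b = ServiceModule("spm-a"), ServiceModule("spm-b")
    mods = {m.name: m for m in (a, b)}
    d1, d2 = Diverter("div-1", mods), Diverter("div-2", mods)
    flow = ("10.0.0.5", "192.0.2.10", 40000, 443, 6)  # constructed sample 5-tuple
    print(d1.forward(flow), "|", d1.forward(reverse(flow)))
    old = mods[d1.table[session_id(flow)]]
    new = b if old is a else a
    old.prepare_upgrade(new, [d1, d2])
    print(d1.forward(flow))  # same session, now handled by the backup module
```

The model keeps hashing new sessions onto a module that is mid-upgrade; the patent text does not say how first packets are steered during that window, so the example leaves it out.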
The preferred implementations above describe in detail how the diverter modules and the service processing modules are upgraded; the upgrade of the main control modules is introduced below through a further preferred implementation. The two main control modules in the firewall system operate in active/standby logic, and the configuration and state information on the active module can be synchronized to the standby module at any time. When the system is upgraded, the main control module in the standby state is upgraded first; after that upgrade completes, the active/standby roles are switched, and the main control module that is newly in the standby state is then upgraded. This way completes the upgrade of both main control modules without interrupting service, which improves the service handling capability of the system.
The implementation of the above embodiment is described in detail below with reference to a preferred embodiment and the drawings.
Embodiment 1
Fig. 7 is a flow chart of the data processing method based on the firewall system according to Embodiment 1 of the present invention. The firewall system can consist of main control modules, service processing modules, diverter modules, a Switch (switching) module and I/O ports. The main control modules are responsible for the control-plane processing of the system, and the two main control modules form active/standby redundancy. The service processing modules are responsible for firewall service processing. The diverter modules are responsible for distributing packets to the service processing modules. The Switch module interconnects the modules: the service and control data exchanged between modules are forwarded by the Switch module. As shown in Fig. 7, the method comprises the following steps (step S702 to step S724):
Step S702: the system upgrades the main control module in the standby state.
Step S704: after the main control module in the standby state has been upgraded, the two main control modules perform an active/standby switchover.
Step S706: the main control module now in the standby state (that is, the main control module originally in the active state) is upgraded.
Step S708: all service processing modules are queued; the service processing module at the head of the queue is selected as the first to be upgraded, and the next service processing module is its backup module. The selection is not limited to this approach; this embodiment is described only in this way.
Step S710: the selected service processing module is upgraded.
Step S712: judge whether all service processing modules have been upgraded; if all service processing modules have been upgraded, perform step S714; if not all service processing modules have been upgraded, perform step S716.
Step S714: all diverter modules are queued; the diverter module at the head of the queue is selected as the first to be upgraded, and the next diverter module is its backup module. The selection is not limited to this approach; this embodiment is described only in this way. Then perform step S718.
Step S716: the next module in the queue is selected as the module to be upgraded; then perform step S710.
Step S718: the selected diverter module is upgraded.
Step S720: judge whether all diverter modules have been upgraded; if all diverter modules have been upgraded, perform step S724; if not all diverter modules have been upgraded, perform step S722.
Step S722: the next module in the queue is selected as the module to be upgraded; then perform step S718.
Step S724: the system upgrade is complete.
The method of this embodiment enables performance expansion of the firewall system and achieves smooth upgrade without service interruption; the system has advantages such as high reliability and easily expandable performance.
As can be seen from the above description, the solution of the present invention realizes a firewall system with expandable performance. The system achieves smooth upgrade by migrating services between modules of the same type and upgrading the modules in turn. It thereby achieves performance expansion of the firewall system, allows the system to be upgraded without interrupting service, and improves the reliability of the system's service processing.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; in some cases the steps shown or described can be performed in an order different from the one given here; or they can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not restricted to any specific combination of hardware and software.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the present invention; for those skilled in the art, the present invention can have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (11)

1. A firewall system, characterized by comprising: two main control modules, multiple service processing modules, multiple diverter modules, multiple input/output (I/O) modules and a switching module; wherein,
the two main control modules are in an active/standby relationship with each other and are configured to control the multiple service processing modules, the multiple diverter modules, the multiple I/O modules and the switching module;
the switching module is configured to forward packets between the modules;
the multiple I/O modules are bound to the multiple diverter modules, and each I/O module is configured to send the packets it receives to the diverter module to which it is bound;
each diverter module among the multiple diverter modules is configured to send the packets of the same session to the same service processing module;
each service processing module is configured to process the received packets and, after processing is complete, output the packets through one I/O module among the multiple I/O modules,
wherein the diverter module comprises:
a load determining unit, configured to determine the load of the multiple service processing modules when the first packet of a session is received;
a selecting unit, configured to select the service processing module corresponding to the first packet according to the load determined by the load determining unit;
a first shunting unit, configured to forward the first packet to the service processing module selected by the selecting unit.
2. The system according to claim 1, characterized in that the diverter module comprises:
a mapping unit, configured to perform a mapping on the information carried in the header of the first packet when the first packet of a session is received;
a determining unit, configured to determine the service processing module corresponding to the first packet according to the mapping result of the mapping unit;
a second shunting unit, configured to forward the first packet to the service processing module determined by the determining unit.
3. system according to claim 1 and 2, is characterized in that, described Service Processing Module comprises:
Receiving element, for receiving described first packet;
Creating unit, for creating the data structure of described session according to described first packet;
Response unit, for replying response message to described diverter module, wherein, described response message carries the corresponding relation of the mark of session identification and described Service Processing Module;
Described diverter module comprises: correspondence relation storage, for storing the corresponding relation of mark of described session identification that described response message carries and described Service Processing Module; The 3rd dividing cell, for according to the described corresponding relation of described correspondence relation storage storage, is transmitted to described Service Processing Module by the follow-up data bag in described session.
4. The system according to claim 3, characterized in that
the diverter module comprises: a synchronization unit, configured to, after an upgrade indication is received, synchronize the correspondence stored in the correspondence storage unit to another diverter module among the multiple diverter modules; and a first upgrade unit, configured to perform the upgrade according to the upgrade indication;
the other diverter module comprises: a synchronization storage unit, configured to store the correspondence synchronized by the synchronization unit; and the switching module comprises: a binding modification unit, configured to modify the binding relationship between the multiple I/O modules and the multiple diverter modules according to a system configuration indication.
5. The system according to claim 3, characterized in that
the service processing module comprises: an information synchronization unit, configured to, after an upgrade indication is received, synchronize the data structure created by the creating unit to another service processing module among the multiple service processing modules; a notification unit, configured to send a modification notice for the correspondence to the diverter module, wherein the modification notice carries the identifier of the service processing module in which the notification unit resides and the identifier of the other service processing module; and a second upgrade unit, configured to perform the upgrade according to the upgrade indication;
the diverter module comprises: a correspondence modification unit, configured to, according to the modification notice sent by the notification unit, change every identifier in the correspondence that is identical to the identifier of the first service processing module in the modification notice into the identifier of the second service processing module in the modification notice; and a fourth shunting unit, configured to forward the subsequent packets of the session to the other service processing module according to the correspondence as modified by the correspondence modification unit;
the other service processing module comprises: an information storage unit, configured to store the data structure synchronized by the information synchronization unit; and a service processing unit, configured to process the subsequent packets of the session according to the data structure stored in the information storage unit.
6. A data processing method based on the firewall system according to claim 1, characterized by comprising:
Each I/O module among the multiple I/O modules, after receiving a packet, sends the packet to the diverter module to which it is bound;
Each diverter module among the multiple diverter modules, after receiving the packet, forwards the packet to the corresponding Service Processing Module according to the shunting rule that packets in the same session are sent to the same Service Processing Module;
Each Service Processing Module, after receiving the packet, processes the packet and, once processing is complete, outputs the packet through one of the multiple I/O modules.
7. The method according to claim 6, characterized in that the diverter module forwarding the packet to the corresponding Service Processing Module comprises:
The diverter module, after receiving the first packet of a session, determines the load condition of the multiple Service Processing Modules;
The diverter module selects the Service Processing Module corresponding to the first packet according to the determined load condition of the multiple Service Processing Modules;
The diverter module forwards the first packet to the selected Service Processing Module.
8. The method according to claim 6, characterized in that the diverter module forwarding the packet to the corresponding Service Processing Module comprises:
The diverter module, after receiving the first packet of a session, performs a mapping on the information carried in the header of the first packet;
The diverter module determines the Service Processing Module corresponding to the first packet according to the mapping result;
The diverter module forwards the first packet to the determined Service Processing Module.
9. The method according to claim 7 or 8, characterized in that, after each Service Processing Module receives the packet, the method comprises:
The Service Processing Module, after receiving the first packet, creates the data structure of the session according to the first packet;
The Service Processing Module replies to the diverter module with a response message, wherein the response message carries the corresponding relation between the session identifier and the identifier of the Service Processing Module;
The diverter module stores the corresponding relation, carried in the response message, between the session identifier and the identifier of the Service Processing Module;
The diverter module forwards the subsequent packets of the session to the Service Processing Module according to the stored corresponding relation.
10. The method according to claim 9, characterized in that the method further comprises:
The diverter module, after receiving an upgrading indication, synchronizes the stored corresponding relation to another diverter module among the multiple diverter modules, and then upgrades according to the upgrading indication;
The Switching Module, after receiving a system configuration indication, revises the binding relationship between the multiple I/O modules and the multiple diverter modules according to the system configuration indication, and forwards the subsequent packets of the session according to the revised binding relationship;
The other diverter module, after storing the corresponding relation synchronized by the diverter module, forwards the subsequent packets of the session received from the Switching Module to the Service Processing Module according to the stored corresponding relation.
11. The method according to claim 9, characterized in that the method further comprises:
The Service Processing Module, after receiving an upgrading indication, synchronizes the created data structure to another Service Processing Module among the multiple Service Processing Modules and sends an amendment advice for the corresponding relation to the diverter module, wherein the amendment advice carries the identifier of the Service Processing Module itself and the identifier of the other Service Processing Module; it then upgrades according to the upgrading indication;
The diverter module, according to the amendment advice sent by the Service Processing Module, changes each identifier in the corresponding relation that is identical to the first Service Processing Module identifier in the amendment advice into the second Service Processing Module identifier in the amendment advice; the diverter module forwards the subsequent packets of the session to the other Service Processing Module according to the amended corresponding relation;
The other Service Processing Module stores the data structure synchronized by the Service Processing Module and processes the subsequent packets of the session according to the stored data structure.
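The session-affinity forwarding of claims 7 to 11 can be modelled in a few lines of Python. This is an added example, not code from the patent: the class and method names, the 5-tuple used as the session identifier and the CRC32 header mapping are assumptions made for illustration.

```python
import zlib

class ServiceModule:
    """Service processing module: owns the per-session data structure."""
    def __init__(self, ident):
        self.ident = ident
        self.sessions = {}              # session id -> session data structure

    def process(self, sid, payload):
        created = sid not in self.sessions
        state = self.sessions.setdefault(sid, {"packets": 0})
        state["packets"] += 1
        # Claim 9: only the first packet produces the (session id, module id) reply.
        return (sid, self.ident) if created else None

    def drain_to(self, peer, diverter):
        """Claim 11: on an upgrading indication, sync sessions, then notify."""
        peer.sessions.update(self.sessions)
        diverter.remap(self.ident, peer.ident)
        self.sessions = {}

class Diverter:
    """Diverter module: keeps the session id -> module id corresponding relation."""
    def __init__(self, modules, by_load=True):
        self.modules = {m.ident: m for m in modules}
        self.table = {}
        self.by_load = by_load

    def _select(self, sid):
        if self.by_load:                # claim 7: pick by load condition
            return min(self.modules.values(), key=lambda m: (len(m.sessions), m.ident))
        ids = sorted(self.modules)      # claim 8: map header information to a module
        return self.modules[ids[zlib.crc32(repr(sid).encode()) % len(ids)]]

    def forward(self, sid, payload=b""):
        target = self.modules[self.table[sid]] if sid in self.table else self._select(sid)
        reply = target.process(sid, payload)
        if reply:                       # claim 9: store the replied relation
            self.table[reply[0]] = reply[1]
        return target.ident

    def remap(self, old, new):          # claim 11: rewrite old identifier to new
        for sid, ident in self.table.items():
            if ident == old:
                self.table[sid] = new

    def sync_to(self, peer):            # claim 10: sync relation before upgrading
        peer.table.update(self.table)
```

Because the session state is synchronized before the table is rewritten, a packet arriving after the rewrite finds its existing state on the new module rather than being evaluated as the start of a new session.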
CN201110424951.8A 2011-12-16 2011-12-16 Fire wall system and data processing method based on fire wall system Active CN102404339B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110424951.8A CN102404339B (en) 2011-12-16 2011-12-16 Fire wall system and data processing method based on fire wall system

Publications (2)

Publication Number Publication Date
CN102404339A CN102404339A (en) 2012-04-04
CN102404339B true CN102404339B (en) 2014-06-18

Family

ID=45886125

Country Status (1)

Country Link
CN (1) CN102404339B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: HILLSTONE NETWORKS COMMUNICATION TECHNOLOGY CO., L

Free format text: FORMER OWNER: HILLSTONE NETWORKS (BEIJING) INC.

Effective date: 20140716

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100085 HAIDIAN, BEIJING TO: 215163 SUZHOU, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20140716

Address after: 215163 Jiangsu city of Suzhou province high tech Zone (Suzhou city) kolding Road No. 78 Gaoxin Software Park Building 7 floor 3

Patentee after: HILLSTONE NETWORKS

Address before: 100085 Beijing city Haidian District on the seven Street No. 1 Huizhong 3 storey building

Patentee before: Hillstone Networks Communication Technology (Beijing) Co., Ltd.

CB03 Change of inventor or designer information

Inventor after: Yang Qijun

Inventor after: Liu Xiangming

Inventor after: Wang Zhong

Inventor after: Mo Ning

Inventor after: Luo Dongping

Inventor before: Yang Qijun

Inventor before: Liu Xiangming

Inventor before: Wang Zhong

Inventor before: Mo Ning

CB03 Change of inventor or designer information
CP03 Change of name, title or address

Address after: 215163 No. 181 Jingrun Road, Suzhou High-tech Zone, Jiangsu Province

Patentee after: SHANSHI NETWORK COMMUNICATION TECHNOLOGY CO., LTD.

Address before: 215163 3rd Floor, 7th Building, High-tech Software Park, 78 Keling Road, Suzhou Science and Technology City, Jiangsu Province

Patentee before: HILLSTONE NETWORKS

CP03 Change of name, title or address