CN103004145A - Flow distribution method, flow distribution device and flow distribution system for virtual private network - Google Patents

Flow distribution method, flow distribution device and flow distribution system for virtual private network

Info

Publication number
CN103004145A
Authority
CN
China
Prior art keywords
message
network identity
rear end
vpn
end equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011800013538A
Other languages
Chinese (zh)
Other versions
CN103004145B (en)
Inventor
云长江
陆春华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Legal events: application filed by Huawei Technologies Co Ltd; publication of CN103004145A; application granted; publication of CN103004145B; current status: Expired - Fee Related.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a flow distribution method, flow distribution device and flow distribution system for a virtual private network, relating to the field of communications and for enabling analysis of various user messages in the same VPN network. The flow distribution method includes: receiving a message sent by a device in a virtual private network (VPN) (101); parsing the message to obtain the network identifier thereof (102); judging whether or not the network identifier of the message matches a preset network identifier; the preset network identifier corresponding to a backend device group (103); if the network identifier of the message matches the preset network identifier, then parsing the message to obtain at least one of the quintuple components of the message (104); judging whether or not the at least one of the quintuple components of the message matches an ACL entry (105); and if the at least one of the quintuple components of the message matches the ACL entry, then sending the message to the backend device group corresponding to the network identifier of the message (106). The solution provided by the present invention is suitable for a data distribution scenario in a VPN network.

Description

Flow distribution method, flow distribution device and flow distribution system for a virtual private network
Technical field
The present invention relates to the field of communications, and in particular to a flow distribution method, flow distribution device and flow distribution system for a virtual private network (VPN).
Background art
The Internet plays an increasingly important role in people's daily work and life; if the Internet cannot be effectively monitored and managed, harm will be caused to the networks of countries, enterprises or individuals. The technique currently in general use for information monitoring is flow distribution. A device used for flow distribution (hereinafter referred to as a distribution device) filters the messages obtained by optical splitting or mirroring at a front-end device according to an access control list (ACL): a message that matches no ACL entry is discarded directly, and a message that matches a certain ACL entry is output to a back-end device for analysis and processing. The ACL rules are set for the five-tuple of the message.
A virtual private network (VPN) is a technology that builds a private data network on a broadband Internet Protocol (IP) network. For a VPN network, filtering messages according to ACL rules actually matches only one or more components of the five-tuple of the message, so the messages distributed to one back-end device may come from multiple VPNs, which is unfavourable to the analysis of messages within the same VPN.
Summary of the invention
Embodiments of the invention provide a flow distribution method, flow distribution device and flow distribution system for a VPN, so that the messages of each user in the same VPN can be analysed.
To achieve the above object, one aspect of the invention provides a flow distribution method for a VPN, including:
receiving a message sent by a front-end device in a virtual private network (VPN); wherein the message carries its network identifier, and the network identifier of the message is used to indicate the VPN to which the message belongs;
parsing the message to obtain the network identifier of the message;
judging whether the network identifier of the message matches a preset network identifier; the preset network identifier corresponds to a back-end device group;
if the network identifier of the message matches the preset network identifier, parsing the message to obtain at least one component of the five-tuple of the message;
judging whether the at least one component of the five-tuple of the message matches an ACL entry;
if the at least one component of the five-tuple of the message matches an ACL entry, sending the message to the back-end device group corresponding to the network identifier of the message.
In another aspect, embodiments of the invention provide a flow distribution device for a VPN, including:
a receiving unit, configured to receive a message sent by a front-end device in a VPN; wherein the message carries its network identifier, and the network identifier of the message is used to indicate the VPN to which the message belongs;
a first network processor, configured to parse the message to obtain the network identifier of the message; a first matching unit, configured to judge whether the network identifier of the message matches a preset network identifier; the preset network identifier corresponds to a back-end device group;
a second network processor, configured to parse the message to obtain at least one component of its five-tuple when the judgement result of the first matching unit is a match;
a second matching unit, configured to judge whether the at least one component of the five-tuple of the message matches an ACL entry;
a first execution unit, configured to send the message to the back-end device group corresponding to the network identifier of the message when the judgement result of the second matching unit is a match.
In a further aspect, embodiments of the invention provide a flow distribution system for a VPN, including: a front-end device, a distribution device and at least one back-end device group; wherein:
the front-end device is configured to obtain messages from the VPN and send them to the distribution device; the distribution device is the distribution device described above;
the at least one back-end device group is configured to analyse the messages sent by the distribution device.
In the flow distribution method, distribution device and distribution system for a VPN provided by embodiments of the invention, the message is parsed when its network identifier matches a preset network identifier; when at least one component of the five-tuple of the message matches an ACL entry, the message is sent to the back-end device group corresponding to the network identifier of the message. Because a preset network identifier corresponds to a back-end device group, this ensures that the messages distributed to the same back-end device group come from the same VPN; that is, for each back-end device in the same back-end device group, all the messages it receives come from the same VPN.
Brief description of the drawings
To describe the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a flow distribution method for a VPN provided by an embodiment of the invention;
Fig. 2a is a flow chart of another flow distribution method for a VPN provided by an embodiment of the invention;
Fig. 2b is a flow chart of another flow distribution method for a VPN provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a flow distribution device for a VPN provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of another flow distribution device for a VPN provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of another flow distribution device for a VPN provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of a flow distribution system for a VPN provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments of the invention. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiments of the invention provide a flow distribution method for a VPN; the executing body of the method may be a distribution device.
As shown in Fig. 1, the flow distribution method for a VPN includes:
101. Receiving a message sent by a front-end device in a virtual private network (VPN); wherein the message carries its network identifier, and the network identifier of the message is used to indicate the VPN to which the message belongs.
If the network identifiers of at least two messages are identical, the VPNs to which the at least two messages belong are identical. The network identifier of a message may be carried in a field of the message.
In terms of the direction of message transmission, in an embodiment of the invention the front-end device is the device that is logically located upstream of the distribution device in the VPN network. For example, the front-end device may be an optical splitter, which sends the split-off messages to the distribution device.
In addition, the VPN network may be a multiprotocol label switching (MPLS) VPN; in an MPLS VPN the network identifier is the label.
102. Parsing the message to obtain the network identifier of the message.
For example, the message is parsed, the field of the message that carries its network identifier is read, and the network identifier of the message is obtained.
103. Judging whether the network identifier of the message matches a preset network identifier; the preset network identifier corresponds to a back-end device group.
In terms of the direction of message transmission, in embodiments of the invention the back-end device is the device that is logically located downstream of the distribution device in the VPN network. For example, the back-end device may be a data analysis server.
One preset network identifier corresponds to one back-end device group, and a back-end device group includes at least one back-end device. In practice, whether a back-end device group includes one back-end device or several (for example, two or more) may be preset according to actual needs.
Because the network identifier is used to indicate the VPN to which a message belongs, and because a preset network identifier corresponds to a back-end device group, this ensures that the distribution device can distribute the messages from the same VPN to the same back-end device group.
Judging whether the network identifier of the message matches a preset network identifier may consist of comparing the network identifier of the message with the preset network identifiers: if the network identifier of the message is identical to one of the preset network identifiers, it matches; otherwise it does not match.
104. If the network identifier of the message matches a preset network identifier, parsing the message to obtain at least one component of the five-tuple of the message.
The five-tuple includes: source IP address, destination IP address, protocol number, source port number and destination port number.
Optionally, in an embodiment of the invention, rules may be preset, and in 104 the message may be parsed according to the preset rules. A preset rule may be a rule set in advance for at least one component of the five-tuple of the message. For example, the preset rule may be a rule set in advance for the source port number of the message; parsing the message according to the preset rule to obtain at least one component of its five-tuple then means: parsing the message according to the preset rule to obtain the source port number in the five-tuple of the message. As another example, if the preset rule is set in advance for the source port number and destination port number of the message, the message may be parsed according to the preset rule to obtain its source port number and destination port number.
105. Judging whether the at least one component of the five-tuple of the message matches an ACL entry. Judging whether the at least one component of the five-tuple of the message matches an ACL entry may consist of comparing the at least one component of the five-tuple of the message with the ACL entries: if identical, it matches; if not identical, it does not match. For example, if the destination IP address of the message is identical to the destination IP address stored in an ACL entry, it matches, otherwise it does not match; as another example, if the source port number and destination port number of the message are both identical to the source port number and destination port number stored in an ACL entry, it matches, otherwise it does not match.
106. If the at least one component of the five-tuple of the message matches an ACL entry, sending the message to the back-end device group corresponding to the network identifier of the message.
Because the network identifier of the message matches a preset network identifier, and the preset network identifier corresponds to a back-end device group, sending the message to the back-end device group corresponding to the network identifier of the message specifically means: sending the message to the back-end device group corresponding to the preset network identifier that the network identifier of the message matches.
Because the back-end device group includes at least one back-end device, in an alternative embodiment of the invention the message may be sent to any back-end device in the back-end device group.
In the flow distribution method for a VPN provided by an embodiment of the invention, the message is parsed when its network identifier matches a preset network identifier; when at least one component of the five-tuple of the message matches an ACL entry, the message is sent to the back-end device group corresponding to the network identifier of the message. Because a preset network identifier corresponds to a back-end device group, this ensures that the messages distributed to the same back-end device group come from the same VPN, so that the messages of the same VPN can be analysed.
Optionally, as shown in Fig. 2a, in another embodiment of the invention, 106 may specifically be: if the at least one component of the five-tuple of the message matches an ACL entry, sending the message, according to the field of the message that carries user identity information, to one back-end device in the back-end device group corresponding to the network identifier of the message.
The user identity information may be the label and/or the source IP address in the message. Sending the message according to the field of the message that carries user identity information therefore ensures that the messages distributed to the same back-end device belong to the same user in the same VPN. That is, for a certain back-end device in a back-end device group, all the messages it receives come from the same user in the same VPN.
For example, a hash technique may be used to distribute the messages of different users in the same VPN. Suppose the distribution device receives a message of a user in VPN 1, the network identifier of the message is 1, and the network identifier of the message corresponds to preset network identifier 1; preset network identifier 1 corresponds to back-end device group A, which includes three back-end devices A1, A2 and A3. When at least one component of the five-tuple of the message matches an ACL entry, the field of the message that carries user identity information is used as the input of a hash function, and according to the output of the hash function the message is sent to a certain back-end device (for example, A1) in back-end device group A. In this scenario, the output of the hash function can be understood as an index: according to the index, it is known to which back-end device in the back-end device group the messages of this user should be sent. This not only ensures that the messages distributed to the same back-end device belong to the same user in the same VPN network, but also achieves load balancing within the back-end device group, avoiding overloading one or several of its back-end devices.
Further optionally, as shown in Fig. 2b, the flow distribution method provided by an embodiment of the invention may also include: if the judgement result of either 103 or 105 is a mismatch, performing 107: applying a default treatment to the message.
Of course, 107 (applying a default treatment to the message) may also be performed when the judgement results of both 103 and 105 are mismatches. Preferably, the default treatment may include: discarding the message; or storing the message.
An embodiment of the invention also provides a distribution device corresponding to the above flow distribution method. The distribution device may be a service splitting platform (SSP), and is used to distribute the messages received from the front-end device in the VPN to back-end devices. As shown in Fig. 3, the distribution device includes:
a receiving unit 31, configured to receive a message sent by a front-end device in a VPN; wherein the message carries its network identifier, and the network identifier of the message is used to indicate the VPN to which the message belongs. If the network identifiers of at least two messages are identical, the VPNs to which the at least two messages belong are identical. The network identifier of a message may be carried in a field of the message.
In terms of the direction of message transmission, in an embodiment of the invention the front-end device is the device that is logically located upstream of the distribution device in the VPN network. For example, the front-end device may be an optical splitter, which sends the split-off messages to the distribution device.
The VPN may be an MPLS VPN, in which case the network identifier may be the label.
a first network processor 32, configured to parse the message to obtain its network identifier; for example, the message is parsed, the field of the message that carries its network identifier is read, and the network identifier of the message is obtained.
a first matching unit 33, configured to judge whether the network identifier of the message matches a preset network identifier; the preset network identifier corresponds to a back-end device group.
In terms of the direction of message transmission, in an embodiment of the invention the back-end device is the device that is logically located downstream of the distribution device in the VPN network. For example, the back-end device may be a data analysis server.
The back-end device group includes at least one back-end device. In practice, whether a back-end device group includes one back-end device or several (for example, two or more) may be preset according to actual needs.
Because the network identifier is used to indicate the VPN to which a message belongs, and because a preset network identifier corresponds to a back-end device group, this ensures that the distribution device can distribute the messages from the same VPN to the same back-end device group.
Judging whether the network identifier of the message matches a preset network identifier may consist of comparing the network identifier of the message with the preset network identifiers: if the network identifier of the message is identical to one of the preset network identifiers, it matches; otherwise it does not match.
a second network processor 34, further configured to parse the message to obtain at least one component of its five-tuple when the judgement result of the first matching unit 33 is a match.
The second network processor 34 and the first network processor 32 may be the same processor or different processors.
The five-tuple includes: source IP address, destination IP address, protocol number, source port number and destination port number.
Optionally, in an embodiment of the invention, rules may be preset, and the second network processor 34 may parse the message according to the preset rules. A preset rule may be a rule set in advance for at least one component of the five-tuple of the message. For example, the preset rule may be a rule set in advance for the source port number of the message; parsing the message according to the preset rule to obtain at least one component of its five-tuple then means: parsing the message according to the preset rule to obtain the source port number in the five-tuple of the message. As another example, if the preset rule is set in advance for the source port number and destination port number of the message, the message may be parsed according to the preset rule to obtain its source port number and destination port number.
a second matching unit 35, configured to judge whether the at least one component of the five-tuple of the message matches an ACL entry.
Judging whether the at least one component of the five-tuple of the message matches an ACL entry may consist of comparing the at least one component of the five-tuple of the message with the ACL entries: if identical, it matches; if different, it does not match. For example, if the destination IP address of the message is identical to the destination IP address stored in an ACL entry, it matches, otherwise it does not match; as another example, if the source port number and destination port number of the message are both identical to the source port number and destination port number stored in an ACL entry, it matches, otherwise it does not match.
a first execution unit 36, configured to send the message to the back-end device group corresponding to the network identifier of the message when the judgement result of the second matching unit 35 is a match.
The first matching unit 33 has already judged that the network identifier of the message matches a preset network identifier, and the preset network identifier corresponds to a back-end device group; sending the message to the back-end device group corresponding to the network identifier of the message therefore specifically means: sending the message to the back-end device group corresponding to the preset network identifier that the network identifier of the message matches.
Because the back-end device group includes at least one back-end device, the first execution unit 36 may send the message to any back-end device in the back-end device group corresponding to the network identifier of the message. In the flow distribution device for a VPN provided by an embodiment of the invention, the message is parsed when its network identifier matches a preset network identifier; when at least one component of the five-tuple of the message matches an ACL entry, the message is sent to the back-end device group corresponding to the network identifier of the message. Because a preset network identifier corresponds to a back-end device group, this ensures that the messages distributed to the same back-end device group come from the same VPN, so that the messages of the same VPN can be analysed.
Preferably, as shown in Fig. 4, the first execution unit 36 may include:
a distribution execution sub-unit 361, configured to send the message, according to the field of the message that carries user identity information, to one back-end device in the back-end device group corresponding to the network identifier of the message when the judgement result of the second matching unit 35 is a match.
The user identity information may be the label and/or the source IP address in the message. Sending the message according to the field of the message that carries user identity information therefore ensures that the messages distributed to the same back-end device belong to the same user in the same VPN. That is, for a certain back-end device in a back-end device group, all the messages it receives come from the same user in the same VPN.
For example, a hash technique may be used to distribute the messages of different users in the same VPN. Suppose the distribution device receives a message of a user in VPN 1, the network identifier of the message is 1, and the network identifier of the message corresponds to preset network identifier 1; preset network identifier 1 corresponds to back-end device group A, which includes three back-end devices A1, A2 and A3. When at least one component of the five-tuple of the message matches an ACL entry, the field of the message that carries user identity information is used as the input of a hash function, and according to the output of the hash function the message is sent to a certain back-end device (for example, A1) in back-end device group A. In this scenario, the output of the hash function can be understood as an index: according to the index, it is known to which back-end device in the back-end device group the messages of this user should be sent. This not only ensures that the messages distributed to the same back-end device belong to the same user in the same VPN network, but also achieves load balancing within the back-end device group, avoiding overloading one or several of its back-end devices.
Further optionally, as shown in Fig. 5, the distribution device may also include:
a second execution unit 37, configured to apply a default treatment to the message when the judgement result of the first matching unit 33 and/or the second matching unit 35 is a mismatch, for example discarding the message or storing the message.
Embodiments of the invention also provide a flow distribution system for a VPN, as shown in Fig. 6, including: a front-end device 61, a distribution device 62 and at least one back-end device group 63. The front-end device 61 is configured to obtain messages from the VPN and send them to the distribution device. Optionally, the front-end device 61 may be an optical splitter, which may obtain the messages from the VPN by an operation such as optical splitting; of course, the front-end device 61 may also obtain the messages from the VPN by an operation such as mirroring, and embodiments of the invention impose no restriction on this.
The distribution device 62 may be the distribution device described with reference to any of Figs. 3 to 5. For example, it receives the message sent by the front-end device 61 and parses the message to obtain its network identifier; judges whether the network identifier of the message matches a preset network identifier, the preset network identifier corresponding to a back-end device group; if the network identifier of the message matches a preset network identifier, parses the message to obtain at least one component of its five-tuple; judges whether the at least one component of the five-tuple of the message matches an ACL entry; and if the at least one component of the five-tuple of the message matches an ACL entry, sends the message to the back-end device group corresponding to the network identifier of the message. This is not repeated here.
The at least one back-end device group 63 is configured to analyse the messages sent by the distribution device 62. Optionally, a back-end device group includes at least one back-end device. For example, a back-end device may be a data analysis server, a blade server or a multi-core board. In practice, whether a back-end device group includes one back-end device or several (for example, two or more) may be preset according to actual needs. Specifically, the analysis that the back-end device performs on the messages may be behaviour analysis, data mining, association analysis, or a deep packet inspection (DPI) technique such as pattern matching; the analysis may also be chosen according to the actual situation, and embodiments of the invention do not limit this. In the flow distribution system for a VPN provided by an embodiment of the invention, the distribution device parses the message when its network identifier matches a preset network identifier; when at least one component of the five-tuple of the message matches an ACL entry, the distribution device sends the message to the back-end device group corresponding to the network identifier of the message. Because a preset network identifier corresponds to a back-end device group, this ensures that the messages distributed to the same back-end device group come from the same VPN, so that the messages of the same VPN can be analysed.
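The following Python model is an added illustration of the distribution steps 101 to 107 (and of the device and system embodiments, which restate them); it is not the patent's or Huawei's code. It assumes, as my own choices, that the network identifier is an MPLS label, that a `None` field in an ACL entry is a wildcard, that the user-identity hash is SHA-256 over label plus source IP, and that the default treatment for a mismatch is to store the message.

```python
# Added example (not from the patent): a minimal model of VPN-aware flow
# distribution. Assumed names: Message, AclEntry, Distributor.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

FIVE_TUPLE = ("src_ip", "dst_ip", "proto", "src_port", "dst_port")


@dataclass(frozen=True)
class Message:
    label: int        # network identifier carried in the message (MPLS label here)
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    # Only the components the rule was "set in advance" for are compared;
    # a None field is a wildcard (assumption). An all-None entry therefore
    # matches every message, which an operator reviewing the ACL should notice.
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, m: Message) -> bool:
        for name in FIVE_TUPLE:
            want = getattr(self, name)
            if want is not None and want != getattr(m, name):
                return False
        return True


class Distributor:
    def __init__(self, groups: Dict[int, List[str]], acl: List[AclEntry]):
        self.groups = groups      # preset network identifier -> back-end device group
        self.acl = acl
        self.stored: List[Message] = []   # default treatment here: store, not discard

    def distribute(self, m: Message) -> Optional[str]:
        """Return the back-end device the message is sent to, or None (step 107)."""
        group = self.groups.get(m.label)          # step 103: identifier vs presets
        if group is None:
            return self.default_treatment(m)
        if not any(e.matches(m) for e in self.acl):   # step 105: five-tuple vs ACL
            return self.default_treatment(m)
        # Step 106 (Fig. 2a variant): hash the user identity into a device index
        # so every message of one user in one VPN reaches the same device.
        return group[self.user_index(m, len(group))]

    @staticmethod
    def user_index(m: Message, n: int) -> int:
        # SHA-256 rather than Python's hash(): hash() of a str is salted per
        # process, so the same user could land on a different device after a
        # restart, breaking the per-user guarantee the text relies on.
        key = f"{m.label}:{m.src_ip}".encode()
        return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n

    def default_treatment(self, m: Message) -> None:
        self.stored.append(m)
        return None


# Constructed sample configuration: VPN label 1 -> group A (A1..A3), label 2 -> group B.
GROUPS = {1: ["A1", "A2", "A3"], 2: ["B1"]}
ACL = [AclEntry(dst_port=80), AclEntry(src_port=53, dst_port=53)]
```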
From the above description of the embodiments, those skilled in the art can clearly understand that the invention may be implemented by software plus the necessary general-purpose hardware, and of course also by hardware alone, but in many cases the former is the better embodiment. On this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a computer floppy disk, hard disk or optical disc, including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment of the invention.
The above are only specific embodiments of the invention, but the scope of protection of the invention is not limited thereto; any change or replacement that a person skilled in the art can readily think of within the technical scope disclosed by the invention shall be included within the scope of protection of the invention. Therefore, the scope of protection of the invention shall be subject to the scope of protection of the claims.

Claims (9)

    1. A shunt method of a VPN, characterised in that it includes:
    receiving a message sent by prime equipment in a virtual private network VPN; wherein the network identity of the message is carried in the message, and the network identity of the message is used to represent the VPN to which the message belongs;
    parsing the message to obtain the network identity of the message;
    judging whether the network identity of the message matches a default network identity; the default network identity corresponds with a rear end equipment group;
    if the network identity of the message matches the default network identity, parsing the message to obtain at least one item in the five-tuple of the message;
    judging whether at least one item in the five-tuple of the message matches an access control list ACL list item;
    if at least one item in the five-tuple of the message matches an ACL table item, sending the message to the rear end equipment group corresponding with the network identity of the message.
    2. The shunt method according to claim 1, characterised in that sending the message to the rear end equipment group corresponding with the network identity of the message includes:
    according to the field in the message that carries user identity information, sending the message to one rear end equipment in the rear end equipment group corresponding with the network identity of the message.
    3. The shunt method according to claim 1 or 2, characterised in that it also includes: if the network identity of the message does not match the default network identity, applying default treatment to the message; and/or
    if at least one item in the five-tuple of the message does not match an ACL table item, applying default treatment to the message.
    4. The shunt method according to claim 3, characterised in that applying default treatment to the message includes:
    discarding the message; or storing the message.
    5. The shunt method according to any one of claims 1 to 4, characterised in that the VPN is a multiprotocol label switching MPLS VPN.
    6. A shunting device of a VPN, characterised in that it includes:
    a receiving unit, for receiving the message sent by prime equipment in a virtual private network VPN; wherein the network identity of the message is carried in the message, and the network identity of the message is used to represent the VPN to which the message belongs;
    a first network processor, for parsing the message to obtain the network identity of the message;
    a first matching unit, for judging whether the network identity of the message matches a default network identity; the default network identity corresponds with a rear end equipment group;
    a second network processing unit, for parsing the message when the judged result of the first matching unit is a match, to obtain at least one item in the five-tuple of the message;
    a second matching unit, for judging whether at least one item in the five-tuple of the message matches an ACL table item;
    a first execution unit, for sending the message to the rear end equipment group corresponding with the network identity of the message when the judged result of the second matching unit is a match.
    7. The shunting device according to claim 6, characterised in that the first execution unit includes:
    a shunting execution subunit, for sending the message, when the judged result of the second matching unit is a match, to one rear end equipment in the rear end equipment group corresponding with the network identity of the message according to the field in the message that carries user identity information.
    8. The shunting device according to claim 7, characterised in that the shunting device also includes:
    a second execution unit, for applying default treatment to the message when the judged result of the first matching unit and/or the second matching unit is a mismatch.
    9. A separate system of a VPN, characterised in that it includes: prime equipment, a shunting device and at least one rear end equipment group; wherein:
    the prime equipment is for obtaining the message from the virtual private network VPN and sending it to the shunting device;
    the shunting device is the shunting device according to any one of claims 6 to 8;
    the at least one rear end equipment group is for analyzing the message sent by the shunting device.
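The shunt method of claims 1 to 4 and the separate system of the description above, as an added Python model that is not part of the patent or of Huawei's code: the mapping from preset network identity to rear end equipment group, the ACL entries, the device names and the CRC32 choice of one device from the user identity field are all assumptions constructed here.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

@dataclass
class Message:
    vpn_id: str           # network identity carried in the message, e.g. an MPLS VPN label (claim 5)
    five_tuple: FiveTuple
    user_id: str          # field carrying user identity information (claim 2)

@dataclass(frozen=True)
class AclEntry:
    # One ACL list item: a None field is a wildcard, every other field must agree.
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, ft: FiveTuple) -> bool:
        return all(want is None or want == getattr(ft, name)
                   for name, want in vars(self).items())

class ShuntDevice:
    # groups maps each preset network identity to its rear end equipment group
    # (device names are constructed); default is the claim 4 treatment, "drop" or "store".
    def __init__(self, groups: Dict[str, List[str]], acl: List[AclEntry], default: str = "drop"):
        self.groups, self.acl, self.default = groups, acl, default
        self.stored: List[Message] = []
        self.dropped = 0

    def distribute(self, msg: Message) -> Optional[str]:
        group = self.groups.get(msg.vpn_id)     # claim 1: identity <-> rear end equipment group
        if group is None or not any(e.matches(msg.five_tuple) for e in self.acl):
            # claim 3: identity mismatch or no matching ACL item -> default treatment
            if self.default == "store":
                self.stored.append(msg)
            else:
                self.dropped += 1
            return None
        # claim 2: pick one device of the group from the user identity field, so all of one
        # user's flows inside one VPN reach the same analyser; CRC32 is an assumed choice.
        return group[zlib.crc32(msg.user_id.encode()) % len(group)]
```

Because the group is looked up only through the network identity, a message can never be delivered to the analysers of another VPN, which is the isolation property the description relies on.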
Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/077425 WO2012159338A1 (en) 2011-07-21 2011-07-21 Flow distribution method, flow distribution device and flow distribution system for virtual private network

Publications (2)

Publication Number Publication Date
CN103004145A true CN103004145A (en) 2013-03-27
CN103004145B CN103004145B (en) 2015-04-08

Family

ID=47216568

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201180001353.8A Expired - Fee Related CN103004145B (en) 2011-07-21 2011-07-21 Flow distribution method, flow distribution device and flow distribution system for virtual private network

Country Status (2)

Country Link
CN (1) CN103004145B (en)
WO (1) WO2012159338A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108683615A (en) * 2018-04-28 2018-10-19 新华三技术有限公司 Message diversion method, device and shunting interchanger
CN111092785A (en) * 2019-12-05 2020-05-01 深圳市任子行科技开发有限公司 Data monitoring method and device
CN113726737A (en) * 2021-07-26 2021-11-30 绿盟科技集团股份有限公司 Communication method, device and medium
CN114006831A (en) * 2021-10-30 2022-02-01 杭州迪普信息技术有限公司 Message data processing method and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107872335B (en) * 2016-09-26 2020-12-18 中国电信股份有限公司 Security service method and system and security resource unit

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697396A (en) * 2004-05-10 2005-11-16 华为技术有限公司 Method for realizing local virtual private network based on firewall
CN1791065A (en) * 2005-12-20 2006-06-21 杭州华为三康技术有限公司 Method for accessing virtual LAN
CN1960313A (en) * 2005-11-03 2007-05-09 中兴通讯股份有限公司 Periphery devices of service provider of combining network address conversion, and method of application
CN101013950A (en) * 2007-02-07 2007-08-08 杭州华为三康技术有限公司 Method and apparatus for realizing multicasting virtual private network binding
WO2008140367A1 (en) * 2007-05-09 2008-11-20 Telefonaktiebolaget Lm Ericsson (Publ) Improved resource sharing for a private network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150493B (en) * 2006-09-20 2012-06-27 华为技术有限公司 A method and system for distributing service at access terminal
CN101478478A (en) * 2008-12-31 2009-07-08 华为技术有限公司 Packet processing method, apparatus and system
CN101640823B (en) * 2009-09-07 2013-07-03 杭州华三通信技术有限公司 Method and equipment for shunting multi-analysis system

Also Published As

Publication number Publication date
WO2012159338A1 (en) 2012-11-29
CN103004145B (en) 2015-04-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150408