CN103004145B - Flow distribution method, flow distribution device and flow distribution system for virtual private network - Google Patents


Info

Publication number
CN103004145B
Authority
CN
China
Prior art keywords
message
network
network identifier
matched
vpn
Prior art date
Legal status
Expired - Fee Related
Application number
CN201180001353.8A
Other languages
Chinese (zh)
Other versions
CN103004145A (en)
Inventor
云长江
陆春华
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN103004145A
Application granted
Publication of CN103004145B
Current legal status: Expired - Fee Related

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00: Routing or path finding of packets in data switching networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a flow distribution method, flow distribution device and flow distribution system for a virtual private network, relating to the field of communications and enabling the analysis of the packets of various users within the same VPN network. The flow distribution method includes: receiving a packet sent by a device in a virtual private network (VPN) (101); parsing the packet to obtain its network identifier (102); judging whether the network identifier of the packet matches a preset network identifier, where the preset network identifier corresponds to a backend device group (103); if the network identifier of the packet matches the preset network identifier, parsing the packet to obtain at least one field of its five-tuple (104); judging whether the at least one five-tuple field of the packet matches an ACL entry (105); and if the at least one five-tuple field matches the ACL entry, sending the packet to the backend device group corresponding to the network identifier of the packet (106). The solution provided by the present invention is suitable for data distribution scenarios in a VPN network.

Description

Flow distribution method, flow distribution device and flow distribution system for a virtual private network
Technical Field
The present invention relates to the field of communications, and in particular to a flow distribution method, a flow distribution device and a flow distribution system for a virtual private network.
Background
The Internet plays an increasingly important role in people's daily work and life; if it cannot be effectively monitored and managed, it can cause harm to national, enterprise or personal networks. A common technique for monitoring information is flow distribution. The device that performs flow distribution (hereinafter, the flow distribution device) receives packets obtained by optical splitting or mirroring at a preceding-stage device, filters them according to an Access Control List (hereinafter, ACL), directly discards packets that match no ACL entry, and outputs packets that match an ACL entry to a backend device for analysis. The ACL rules are set on the five-tuple of the packet.
A Virtual Private Network (hereinafter, VPN) is a technology for constructing a private data network over a backbone broadband Internet Protocol (hereinafter, IP) network. In a VPN network, filtering packets by ACL rules actually matches only one or more fields of the five-tuple, so the packets distributed to one backend device may come from multiple VPN networks, which is unfavorable for analyzing the packets of one VPN network together.
Disclosure of Invention
Embodiments of the present invention provide a flow distribution method, device and system for a virtual private network, so that the user packets of the same VPN network can be analyzed together.
To achieve the above object, one aspect of the present invention provides a flow distribution method for a virtual private network, including:
receiving a packet sent by a preceding-stage device in a Virtual Private Network (VPN), where the packet carries a network identifier indicating the VPN network to which the packet belongs;
parsing the packet to obtain its network identifier;
judging whether the network identifier of the packet matches a preset network identifier, where the preset network identifier corresponds to a backend device group;
if the network identifier of the packet matches a preset network identifier, parsing the packet to obtain at least one field of its five-tuple;
judging whether the at least one five-tuple field of the packet matches an ACL entry;
and if the at least one five-tuple field of the packet matches an ACL entry, sending the packet to the backend device group corresponding to the network identifier of the packet.
Another aspect of the embodiments of the present invention provides a flow distribution device for a virtual private network, including:
a receiving unit, configured to receive a packet sent by a preceding-stage device in a Virtual Private Network (VPN), where the packet carries a network identifier indicating the VPN network to which the packet belongs;
a first network processor, configured to parse the packet to obtain its network identifier;
a first matching unit, configured to judge whether the network identifier of the packet matches a preset network identifier, where the preset network identifier corresponds to a backend device group;
a second network processor, configured to parse the packet to obtain at least one field of its five-tuple when the judgment result of the first matching unit is a match;
a second matching unit, configured to judge whether the at least one five-tuple field of the packet matches an ACL entry;
and a first execution unit, configured to send the packet to the backend device group corresponding to the network identifier of the packet when the judgment result of the second matching unit is a match.
Another aspect of the embodiments of the present invention provides a flow distribution system for a virtual private network, including a preceding-stage device, a flow distribution device and at least one backend device group, where:
the preceding-stage device is configured to obtain a packet from a Virtual Private Network (VPN) and send the packet to the flow distribution device;
the flow distribution device is the flow distribution device described above;
and the at least one backend device group is configured to analyze the packet sent by the flow distribution device.
According to the flow distribution method, device and system for a virtual private network provided by the embodiments of the invention, the packet is parsed when its network identifier matches a preset network identifier, and the packet is sent to the backend device group corresponding to its network identifier when at least one of its five-tuple fields matches an ACL entry. Because each preset network identifier corresponds to one backend device group, the packets distributed to the same backend device group are guaranteed to come from the same VPN network; that is, every backend device in a given backend device group receives packets from a single VPN network only.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a flow distribution method for a virtual private network according to an embodiment of the present invention;
fig. 2a is a flowchart of another flow distribution method for a virtual private network according to an embodiment of the present invention;
fig. 2b is a flowchart of another flow distribution method for a virtual private network according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a flow distribution device for a virtual private network according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another flow distribution device for a virtual private network according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of another flow distribution device for a virtual private network according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a flow distribution system for a virtual private network according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present invention.
An embodiment of the invention provides a flow distribution method for a virtual private network, whose executing entity may be a flow distribution device.
The flow distribution method for a virtual private network, as shown in fig. 1, includes:
101. Receive a packet sent by a preceding-stage device in a Virtual Private Network (VPN); the packet carries a network identifier, which indicates the VPN network to which the packet belongs.
If two or more packets have the same network identifier, they belong to the same VPN network. The network identifier of the packet may be carried in a field of the packet.
In terms of the direction of packet transmission, the preceding-stage device in the embodiments of the present invention is a device logically located upstream of the flow distribution device in the VPN network. For example, the preceding-stage device may be an optical splitter, which forwards the split-off copy of the packet to the flow distribution device.
In addition, the VPN network may be a Multi-Protocol Label Switching (hereinafter, MPLS) VPN network; in an MPLS VPN network the network identifier is the label.
102. Parse the packet to obtain its network identifier.
For example, the packet is parsed and the field that carries the network identifier is read to obtain the network identifier of the packet.
103. Judge whether the network identifier of the packet matches a preset network identifier; the preset network identifier corresponds to a backend device group.
In terms of the direction of packet transmission, the backend device in the embodiments of the present invention is a device logically located downstream of the flow distribution device in the VPN network. For example, the backend device may be a data analysis server.
One preset network identifier corresponds to one backend device group, and a backend device group comprises at least one backend device. In practice, whether a backend device group contains one backend device or several (for example, two or more) may be preset according to actual needs.
Because the network identifier represents the VPN to which the packet belongs, and the preset network identifier corresponds to a backend device group, the flow distribution device is guaranteed to distribute packets from the same VPN to the same backend device group.
Judging whether the network identifier of the packet matches a preset network identifier may consist of comparing the network identifier of the packet with the preset network identifiers: if it is the same as one of them, the network identifier matches; otherwise it does not match.
104. If the network identifier of the packet matches a preset network identifier, parse the packet to obtain at least one field of its five-tuple.
The five-tuple comprises: source IP address, destination IP address, protocol number, source port number and destination port number.
Optionally, a rule may be preset, and in 104 the packet may be parsed according to the preset rule. The preset rule may be set on at least one field of the five-tuple. For example, if the preset rule is set on the source port number, then parsing the packet according to the preset rule obtains the source port number of the five-tuple; if the preset rule is set on the source port number and the destination port number, parsing the packet according to the preset rule obtains the source port number and the destination port number of the packet.
105. Judge whether the at least one five-tuple field of the packet matches an ACL entry.
Judging whether the at least one five-tuple field of the packet matches an ACL entry may consist of comparing the at least one five-tuple field with the ACL entry: if the field is the same as that in the ACL entry it matches, otherwise it does not match. For example, if the destination IP address of the packet is the same as the destination IP address stored in an ACL entry, it matches, otherwise it does not; if the source port number and destination port number of the packet are the same as the source port number and destination port number stored in an ACL entry, it matches, otherwise it does not.
106. If the at least one five-tuple field of the packet matches an ACL entry, send the packet to the backend device group corresponding to the network identifier of the packet.
The network identifier of the packet matches a preset network identifier, and that preset network identifier corresponds to a backend device group; sending the packet to the backend device group corresponding to the network identifier of the packet therefore specifically means sending the packet to the backend device group corresponding to the preset network identifier that matched the network identifier of the packet.
Since a backend device group comprises at least one backend device, in an optional embodiment of the present invention the packet may be sent to any backend device in the backend device group.
According to the flow distribution method for a virtual private network provided by the embodiment of the invention, the packet is parsed when its network identifier matches a preset network identifier, and the packet is sent to the backend device group corresponding to its network identifier when at least one of its five-tuple fields matches an ACL entry. Because each preset network identifier corresponds to one backend device group, the packets distributed to the same backend device group are guaranteed to come from the same VPN network, so the packets of one VPN network can be analyzed together.
Optionally, as shown in fig. 2a, in another embodiment of the present invention 106 may specifically be: if the at least one five-tuple field of the packet matches an ACL entry, send the packet to one backend device in the backend device group corresponding to the network identifier of the packet, selected according to the field of the packet that carries user identification information.
The user identification information may be a label and/or the source IP address in the packet. Sending the packet according to the field carrying the user identification information guarantees that the packets distributed to the same backend device come from the same user in the same VPN network; that is, a given backend device in a backend device group receives packets from a single user in a single VPN network only.
For example, a hash technique can be used to distribute the packets of different users in the same VPN network. Suppose the flow distribution device receives a packet of a user in VPN 1, where the network identifier of the packet is 1 and corresponds to preset network identifier 1; preset network identifier 1 corresponds to backend device group A, which comprises three backend devices A1, A2 and A3. When at least one five-tuple field of the packet matches an ACL entry, the field of the packet carrying the user identification information is used as the input of a hash function, and the packet is sent to one backend device in group A (for example, A1) according to the output of the hash function. In this scenario the output of the hash function can be understood as an index that indicates to which backend device in the group the user's packets should be sent. This not only guarantees that the packets distributed to the same backend device come from the same user in the same VPN network, but also achieves load sharing within the backend device group, avoiding overload of one or some backend devices.
Further optionally, as shown in fig. 2b, the flow distribution method provided by the embodiment of the present invention may further include 107: if either of the judgments in 103 and 105 results in a mismatch, perform default processing on the packet. Of course, 107 is also performed if both judgments in 103 and 105 result in a mismatch. Preferably, the default processing may include discarding the packet or storing the packet.
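Steps 101 to 107 above, worked through as an added example that is not the patent's own code. It assumes the preceding-stage device delivers a single MPLS label entry followed directly by an IPv4 header (no Ethernet framing), uses CRC32 of "label:source IP" as a stand-in for the unspecified hash function of fig. 2a, and all labels, groups and ACL entries are constructed values.

```python
"""Two-stage flow distribution for an MPLS VPN, steps 101-107 of the method above.

Added example (not the patent's own code). Assumptions: the preceding-stage
device delivers the packet as a single MPLS label entry followed directly by an
IPv4 header (no Ethernet framing); CRC32 of "label:source IP" stands in for
the unspecified hash function; all config values below are constructed.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Preset network identifier (MPLS label) -> backend device group (step 103).
GROUPS: Dict[int, List[str]] = {1: ["A1", "A2", "A3"], 2: ["B1"]}
# ACL entries, each set on one or more five-tuple fields (step 105).
ACL: List[Dict[str, int]] = [{"dst_port": 80}, {"src_port": 53, "dst_port": 53}]


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def parse_packet(raw: bytes) -> Tuple[int, FiveTuple]:
    """Steps 102 and 104: read the MPLS label and the inner IPv4 five-tuple."""
    if len(raw) < 4:
        raise ValueError("truncated MPLS header")
    (entry,) = struct.unpack("!I", raw[:4])
    label = entry >> 12                # top 20 bits carry the network identifier
    if not (entry >> 8) & 1:           # S bit clear: more labels follow
        raise ValueError("only single-label stacks are handled here")
    ip = raw[4:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port = dst_port = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP: ports open the L4 header
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return label, FiveTuple(src_ip, dst_ip, proto, src_port, dst_port)


def acl_matches(ft: FiveTuple, acl: List[Dict[str, int]]) -> bool:
    """Step 105: an entry matches when every field it specifies equals the packet's."""
    return any(all(getattr(ft, k) == v for k, v in e.items()) for e in acl)


def distribute(raw: bytes, groups=GROUPS, acl=ACL) -> str:
    """Steps 103-107: return the chosen backend, or "default" for default processing."""
    try:
        label, ft = parse_packet(raw)
    except ValueError:
        return "default"                       # unparseable: treated as a mismatch (107)
    backends = groups.get(label)
    if backends is None:                       # step 103 mismatch -> 107
        return "default"
    if not acl_matches(ft, acl):               # step 105 mismatch -> 107
        return "default"
    # Step 106 (fig. 2a): hash the user identifier (label plus source IP) so that
    # every packet of one user in one VPN lands on the same backend of the group.
    key = f"{label}:{ft.src_ip}".encode()
    return backends[zlib.crc32(key) % len(backends)]


def build_packet(label: int, src_ip: str, dst_ip: str,
                 proto: int, sport: int, dport: int) -> bytes:
    """Construct a minimal MPLS + IPv4 + L4 packet for the demo (not captured traffic)."""
    mpls = struct.pack("!I", (label << 12) | (1 << 8) | 64)      # TC=0, S=1, TTL=64
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return mpls + ip_hdr + struct.pack("!HH", sport, dport)


if __name__ == "__main__":
    pkt = build_packet(1, "10.0.0.5", "192.0.2.1", 6, 40000, 80)
    print(distribute(pkt))                      # one of A1, A2, A3
```

Packets whose label is not preset, or whose five-tuple matches no ACL entry, fall through to the default branch, which is where a deployment would decide between discarding and storing them as in 107.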
An embodiment of the present invention further provides a flow distribution device corresponding to the above flow distribution method. The flow distribution device may be a Service Splitting Platform (SSP), and is configured to distribute packets received from a preceding-stage device in the VPN to backend devices. As shown in fig. 3, the flow distribution device includes:
a receiving unit 31, configured to receive a packet sent by a preceding-stage device in a virtual private network (VPN); the packet carries a network identifier, which indicates the VPN network to which the packet belongs.
If two or more packets have the same network identifier, they belong to the same VPN network. The network identifier of the packet may be carried in a field of the packet.
In terms of the direction of packet transmission, the preceding-stage device in the embodiments of the present invention is a device logically located upstream of the flow distribution device in the VPN network. For example, the preceding-stage device may be an optical splitter, which forwards the split-off copy of the packet to the flow distribution device.
The VPN network may be a Multi-Protocol Label Switching (MPLS) VPN network; in that case the network identifier may be the label.
A first network processor 32, configured to parse the packet to obtain its network identifier.
For example, the packet is parsed and the field that carries the network identifier is read to obtain the network identifier of the packet.
A first matching unit 33, configured to judge whether the network identifier of the packet matches a preset network identifier; the preset network identifier corresponds to a backend device group.
In terms of the direction of packet transmission, the backend device in the embodiments of the present invention is a device logically located downstream of the flow distribution device in the VPN network. For example, the backend device may be a data analysis server.
A backend device group comprises at least one backend device. In practice, whether a backend device group contains one backend device or several (for example, two or more) may be preset according to actual needs.
Because the network identifier represents the VPN to which the packet belongs, and the preset network identifier corresponds to a backend device group, the flow distribution device is guaranteed to distribute packets from the same VPN to the same backend device group.
Judging whether the network identifier of the packet matches a preset network identifier may consist of comparing the network identifier of the packet with the preset network identifiers: if it is the same as one of them, the network identifier matches; otherwise it does not match.
A second network processor 34, configured to parse the packet to obtain at least one field of its five-tuple when the judgment result of the first matching unit 33 is a match.
The second network processor 34 and the first network processor 32 may be the same processor or different processors.
The five-tuple comprises: source IP address, destination IP address, protocol number, source port number and destination port number.
Optionally, a rule may be preset, and the second network processor 34 may parse the packet according to the preset rule. The preset rule may be set on at least one field of the five-tuple. For example, if the preset rule is set on the source port number, then parsing the packet according to the preset rule obtains the source port number of the five-tuple; if the preset rule is set on the source port number and the destination port number, parsing the packet according to the preset rule obtains the source port number and the destination port number of the packet.
A second matching unit 35, configured to judge whether the at least one five-tuple field of the packet matches an ACL entry.
Judging whether the at least one five-tuple field of the packet matches an ACL entry may consist of comparing the at least one five-tuple field with the ACL entry: if the field is the same as that in the ACL entry it matches, otherwise it does not match. For example, if the destination IP address of the packet is the same as the destination IP address stored in an ACL entry, it matches, otherwise it does not; if the source port number and destination port number of the packet are the same as the source port number and destination port number stored in an ACL entry, it matches, otherwise it does not.
A first execution unit 36, configured to send the packet to the backend device group corresponding to the network identifier of the packet when the judgment result of the second matching unit 35 is a match.
The first matching unit 33 has already determined that the network identifier of the packet matches a preset network identifier, and that preset network identifier corresponds to a backend device group; sending the packet to the backend device group corresponding to the network identifier of the packet therefore specifically means sending the packet to the backend device group corresponding to the preset network identifier that matched the network identifier of the packet.
Since a backend device group comprises at least one backend device, the first execution unit 36 may send the packet to any backend device in the backend device group corresponding to the network identifier of the packet.
According to the flow distribution device for a virtual private network provided by the embodiment of the invention, the packet is parsed when its network identifier matches a preset network identifier, and the packet is sent to the backend device group corresponding to its network identifier when at least one of its five-tuple fields matches an ACL entry. Because each preset network identifier corresponds to one backend device group, the packets distributed to the same backend device group are guaranteed to come from the same VPN network, so the packets of one VPN network can be analyzed together.
Preferably, as shown in fig. 4, the first execution unit 36 may include:
a flow distribution execution subunit 361, configured to, when the judgment result of the second matching unit 35 is a match, send the packet to one backend device in the backend device group corresponding to the network identifier of the packet, selected according to the field of the packet that carries user identification information.
The user identification information may be a label and/or the source IP address in the packet. Sending the packet according to the field carrying the user identification information guarantees that the packets distributed to the same backend device come from the same user in the same VPN network; that is, a given backend device in a backend device group receives packets from a single user in a single VPN network only.
For example, a hash technique can be used to distribute the packets of different users in the same VPN network. Suppose the flow distribution device receives a packet of a user in VPN 1, where the network identifier of the packet is 1 and corresponds to preset network identifier 1; preset network identifier 1 corresponds to backend device group A, which comprises three backend devices A1, A2 and A3. When at least one five-tuple field of the packet matches an ACL entry, the field of the packet carrying the user identification information is used as the input of a hash function, and the packet is sent to one backend device in group A (for example, A1) according to the output of the hash function. In this scenario the output of the hash function can be understood as an index that indicates to which backend device in the group the user's packets should be sent. This not only guarantees that the packets distributed to the same backend device come from the same user in the same VPN network, but also achieves load sharing within the backend device group, avoiding overload of one or some backend devices.
Further optionally, as shown in fig. 5, the flow distribution device may further include:
a second execution unit 37, configured to perform default processing on the packet when the judgment result of the first matching unit 33 and/or the second matching unit 35 is a mismatch, for example by discarding the packet or storing the packet.
An embodiment of the present invention further provides a offloading system for a virtual private network, as shown in fig. 6, including: a foreline 61, a splitter 62 and at least one backend cluster 63. Wherein,
The preceding-stage device 61 is configured to obtain a packet from the virtual private network (VPN) and send the packet to the flow distribution device 62. Optionally, the preceding-stage device 61 may be an optical splitter, which obtains the packet from the VPN by optical splitting; it may equally obtain the packet from the VPN by port mirroring or a similar operation, which this embodiment of the present invention does not limit.
The flow distribution device 62 may be any of the flow distribution devices described with reference to Figs. 3-5. It receives the packet sent by the preceding-stage device 61 and parses the packet to obtain its network identifier; judges whether the network identifier of the packet matches a preset network identifier, where each preset network identifier corresponds to one back-end device group; if the network identifier matches a preset network identifier, parses the packet to obtain at least one item of its five-tuple; judges whether that at least one item matches an ACL entry; and, if it does, sends the packet to the back-end device group corresponding to the network identifier of the packet. These operations are not described again here.
The at least one back-end device group 63 is configured to analyze the packet sent by the flow distribution device 62. Optionally, one back-end device group includes at least one back-end device; a back-end device may be, for example, a data analysis server, a blade server or a multi-core single board. In practice, whether a back-end device group includes one back-end device or several (for example, two or more) may be preset according to actual needs. The analysis performed by the back-end device may use Deep Packet Inspection (DPI) techniques such as behaviour analysis, data mining, association analysis and pattern matching, or any other analysis appropriate to the actual situation; this embodiment of the present invention does not limit it.
In the flow distribution system for a virtual private network provided in this embodiment of the present invention, the flow distribution device parses the packet when the network identifier of the packet matches a preset network identifier, and sends the packet to the back-end device group corresponding to that network identifier when at least one item of the packet's five-tuple matches an ACL entry. Because each preset network identifier corresponds to one back-end device group, all packets distributed to the same back-end device group are guaranteed to come from the same VPN, so the packets of one VPN can be analyzed together.
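The two-stage decision described above (network identifier lookup, then five-tuple ACL match, then delivery to one device of the matching back-end group, with default processing for everything else) is shown below as an added example written for this page; it is not code from the patent or from the applicant. It assumes the network identifier is the inner label of an MPLS VPN packet (the patent itself only says the identifier indicates the VPN the packet belongs to), assumes the field carrying user identifier information is the inner source IPv4 address, and uses constructed labels, device names, ACL entries and packets.

```python
"""Two-stage VPN flow distribution (added example; not the patent's own code).

Stage 1: parse the packet's network identifier (assumed: inner MPLS VPN label) and
look it up in a preset table mapping identifier -> back-end device group.
Stage 2: parse the IPv4 five-tuple and match it against ACL entries; on a match,
pick one device in the group by hashing the user-identifier field (assumed: inner
source IP). Anything unmatched gets default processing: drop or store.
"""
import ipaddress
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

DEFAULT_DROP = "drop"
DEFAULT_STORE = "store"


def parse_mpls_labels(pkt: bytes):
    """Return (labels, payload_offset). Each 4-byte entry: 20-bit label,
    3-bit TC, 1-bit bottom-of-stack (S), 8-bit TTL."""
    labels, off = [], 0
    while True:
        if off + 4 > len(pkt):
            raise ValueError("truncated MPLS label stack")
        (entry,) = struct.unpack_from("!I", pkt, off)
        labels.append(entry >> 12)
        off += 4
        if (entry >> 8) & 1:          # S bit set: last label, IP header follows
            return labels, off


def parse_five_tuple(ip: bytes):
    """Extract (src, dst, proto, sport, dport) from an IPv4 header plus L4 ports."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP / UDP carry ports first
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return (src, dst, proto, sport, dport)


@dataclass
class AclEntry:
    """One ACL entry; None means 'any' for that five-tuple field."""
    src: Optional[str] = None      # CIDR prefix
    dst: Optional[str] = None      # CIDR prefix
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, ft) -> bool:
        src, dst, proto, sport, dport = ft
        if self.src and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return all(want is None or want == got for want, got in
                   ((self.proto, proto), (self.sport, sport), (self.dport, dport)))


class Distributor:
    def __init__(self, vpn_groups, acl, default=DEFAULT_DROP):
        self.vpn_groups = vpn_groups   # preset network identifier -> back-end device group
        self.acl = acl
        self.default = default
        self.stored = []               # packets kept by the "store" default action

    def distribute(self, pkt: bytes):
        labels, off = parse_mpls_labels(pkt)
        net_id = labels[-1]            # innermost label identifies the VPN instance
        group = self.vpn_groups.get(net_id)
        if group is None:
            return self._default(pkt, "unknown network identifier")
        ft = parse_five_tuple(pkt[off:])
        if not any(entry.matches(ft) for entry in self.acl):
            return self._default(pkt, "no ACL match")
        # Pick one device of the group from the user-identifier field (assumed: inner
        # source IP) so all flows of one user land on the same analysis device.
        device = group[zlib.crc32(ft[0].encode()) % len(group)]
        return ("forward", device, ft)

    def _default(self, pkt, reason):
        if self.default == DEFAULT_STORE:
            self.stored.append(pkt)
        return (self.default, reason, None)


def build_packet(outer_label, vpn_label, src, dst, proto, sport, dport) -> bytes:
    """Construct a test packet: transport label + VPN label (S=1) + IPv4 + L4 ports."""
    stack = struct.pack("!II", (outer_label << 12) | 0xFF,
                        (vpn_label << 12) | (1 << 8) | 0xFF)
    payload = struct.pack("!HH", sport, dport)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return stack + ip + payload


def demo():
    """Run four constructed packets through a constructed configuration."""
    dist = Distributor(
        vpn_groups={100: ["dpi-a1", "dpi-a2"], 200: ["dpi-b1"]},          # constructed
        acl=[AclEntry(dst="10.0.0.0/8", proto=6, dport=80), AclEntry(proto=17, dport=53)],
        default=DEFAULT_STORE,
    )
    results = [
        dist.distribute(build_packet(16, 100, "192.168.1.10", "10.1.2.3", 6, 40000, 80)),
        dist.distribute(build_packet(16, 200, "192.168.9.9", "8.8.8.8", 17, 5353, 53)),
        dist.distribute(build_packet(16, 300, "192.168.1.10", "10.1.2.3", 6, 40000, 80)),
        dist.distribute(build_packet(16, 100, "192.168.1.10", "10.1.2.3", 6, 40000, 22)),
    ]
    return results, len(dist.stored)


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The third packet carries a label with no preset group and the fourth fails the ACL, so both take the default action (store, here) instead of reaching any analysis device; only packets that pass both stages are forwarded, and the device chosen inside a group depends only on the user-identifier field, so every flow of one source address is analyzed by the same back-end device.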
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware, and certainly may also be implemented by hardware alone, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied in the form of a software product stored in a readable storage medium such as a floppy disk, hard disk or optical disk, and including several instructions that enable a computer device (which may be a personal computer, a server or a network device) to execute the methods described in the embodiments of the present invention.
The above description covers only specific embodiments of the present invention, but the scope of the present invention is not limited thereto; any change or substitution that can readily be conceived by those skilled in the art within the technical scope disclosed by the present invention falls within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (11)

1. A flow distribution method for a virtual private network, comprising:
receiving a packet sent by a preceding-stage device in a virtual private network (VPN), wherein the packet carries a network identifier and the network identifier indicates the VPN to which the packet belongs;
parsing the packet to obtain the network identifier of the packet;
judging whether the network identifier of the packet matches a preset network identifier, wherein the preset network identifier corresponds to a back-end device group;
if the network identifier of the packet matches a preset network identifier, parsing the packet to obtain at least one item of the five-tuple of the packet;
judging whether the at least one item of the five-tuple of the packet matches an Access Control List (ACL) entry; and
if the at least one item of the five-tuple of the packet matches an ACL entry, sending the packet to the back-end device group corresponding to the network identifier of the packet.
2. The flow distribution method according to claim 1, wherein sending the packet to the back-end device group corresponding to the network identifier of the packet comprises:
sending the packet to one back-end device in the back-end device group corresponding to the network identifier of the packet according to a field of the packet that carries user identifier information.
3. The flow distribution method according to claim 1, further comprising:
if the network identifier of the packet does not match the preset network identifier, performing default processing on the packet; and/or
if the at least one item of the five-tuple of the packet does not match the ACL entry, performing default processing on the packet.
4. The flow distribution method according to claim 2, further comprising:
if the network identifier of the packet does not match the preset network identifier, performing default processing on the packet; and/or
if the at least one item of the five-tuple of the packet does not match the ACL entry, performing default processing on the packet.
5. The flow distribution method according to claim 3, wherein the default processing of the packet comprises:
discarding the packet; or storing the packet.
6. The flow distribution method according to claim 4, wherein the default processing of the packet comprises:
discarding the packet; or storing the packet.
7. The flow distribution method according to any one of claims 1-6, wherein the VPN is a Multiprotocol Label Switching (MPLS) VPN.
8. A flow distribution device for a virtual private network, comprising:
a receiving unit, configured to receive a packet sent by a preceding-stage device in a virtual private network (VPN), wherein the packet carries a network identifier and the network identifier indicates the VPN to which the packet belongs;
a first network processor, configured to parse the packet to obtain the network identifier of the packet;
a first matching unit, configured to judge whether the network identifier of the packet matches a preset network identifier, wherein the preset network identifier corresponds to a back-end device group;
a second network processor, configured to parse the packet to obtain at least one item of the five-tuple of the packet when the judgment result of the first matching unit is a match;
a second matching unit, configured to judge whether the at least one item of the five-tuple of the packet matches an ACL entry; and
a first execution unit, configured to send the packet to the back-end device group corresponding to the network identifier of the packet when the judgment result of the second matching unit is a match.
9. The flow distribution device according to claim 8, wherein the first execution unit comprises:
a flow distribution execution subunit, configured to send the packet to one back-end device in the back-end device group corresponding to the network identifier of the packet according to a field of the packet that carries user identifier information, when the judgment result of the second matching unit is a match.
10. The flow distribution device according to claim 9, further comprising:
a second execution unit, configured to perform default processing on the packet when the judgment result of the first matching unit and/or the second matching unit is no match.
11. A flow distribution system for a virtual private network, comprising a preceding-stage device, a flow distribution device and at least one back-end device group, wherein:
the preceding-stage device is configured to obtain a packet from a virtual private network (VPN) and send the packet to the flow distribution device;
the flow distribution device is the flow distribution device according to any one of claims 8-10; and
the at least one back-end device group is configured to analyze the packet sent by the flow distribution device.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/077425 WO2012159338A1 (en) 2011-07-21 2011-07-21 Flow distribution method, flow distribution device and flow distribution system for virtual private network

Publications (2)

Publication Number Publication Date
CN103004145A CN103004145A (en) 2013-03-27
CN103004145B true CN103004145B (en) 2015-04-08

Family

ID=47216568

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201180001353.8A Expired - Fee Related CN103004145B (en) 2011-07-21 2011-07-21 Flow distribution method, flow distribution device and flow distribution system for virtual private network

Country Status (2)

Country Link
CN (1) CN103004145B (en)
WO (1) WO2012159338A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107872335B (en) * 2016-09-26 2020-12-18 中国电信股份有限公司 Security service method and system and security resource unit
CN108683615B (en) * 2018-04-28 2022-03-11 新华三技术有限公司 Message distribution method and device and distribution switch
CN111092785A (en) * 2019-12-05 2020-05-01 深圳市任子行科技开发有限公司 Data monitoring method and device
CN113726737A (en) * 2021-07-26 2021-11-30 绿盟科技集团股份有限公司 Communication method, device and medium
CN114006831B (en) * 2021-10-30 2023-07-21 杭州迪普信息技术有限公司 Message data processing method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697396A (en) * 2004-05-10 2005-11-16 华为技术有限公司 Method for realizing local virtual private network based on firewall
CN1791065A (en) * 2005-12-20 2006-06-21 杭州华为三康技术有限公司 Method for accessing virtual LAN
CN1960313A (en) * 2005-11-03 2007-05-09 中兴通讯股份有限公司 Periphery devices of service provider of combining network address conversion, and method of application
CN101013950A (en) * 2007-02-07 2007-08-08 杭州华为三康技术有限公司 Method and apparatus for realizing multicasting virtual private network binding
WO2008140367A1 (en) * 2007-05-09 2008-11-20 Telefonaktiebolaget Lm Ericsson (Publ) Improved resource sharing for a private network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150493B (en) * 2006-09-20 2012-06-27 华为技术有限公司 A method and system for distributing service at access terminal
CN101478478A (en) * 2008-12-31 2009-07-08 华为技术有限公司 Packet processing method, apparatus and system
CN101640823B (en) * 2009-09-07 2013-07-03 杭州华三通信技术有限公司 Method and equipment for shunting multi-analysis system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697396A (en) * 2004-05-10 2005-11-16 华为技术有限公司 Method for realizing local virtual private network based on firewall
CN1960313A (en) * 2005-11-03 2007-05-09 中兴通讯股份有限公司 Periphery devices of service provider of combining network address conversion, and method of application
CN1791065A (en) * 2005-12-20 2006-06-21 杭州华为三康技术有限公司 Method for accessing virtual LAN
CN101013950A (en) * 2007-02-07 2007-08-08 杭州华为三康技术有限公司 Method and apparatus for realizing multicasting virtual private network binding
WO2008140367A1 (en) * 2007-05-09 2008-11-20 Telefonaktiebolaget Lm Ericsson (Publ) Improved resource sharing for a private network

Also Published As

Publication number Publication date
WO2012159338A1 (en) 2012-11-29
CN103004145A (en) 2013-03-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150408