CN105337751B - A kind of ACL configuration methods and device - Google Patents


Info

Publication number: CN105337751B
Application number: CN201410370043.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN105337751A (en)
Inventor: 符志清
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd
Legal status: Active
Prior art keywords: layer equipment, incoming interface, access layer, acl, chip

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an ACL configuration method and device, applied to a core layer device in a virtual network device, where the virtual network device further includes an access layer device. The method includes: receiving an access control list (ACL) entry issued by the management layer for an ingress interface of the virtual network device; obtaining the ingress interface contained in the ACL entry and determining whether that ingress interface is located on the access layer device or on the core layer device; if the ingress interface is determined to be located on the access layer device, determining, according to a cascade relation table pre-saved on the core layer device, the chip on which the cascade port corresponding to the ingress interface is located; converting the ingress interface in the ACL entry and storing the converted ACL entry in the chip on which that cascade port is located. This scheme improves the scalability of services.

Description

A kind of ACL configuration methods and device
Technical field
The present invention relates to the field of communication technology, and in particular to an access control list (ACL) configuration method and device.
Background technology
VEM (Virtual Extend Matrix) technology virtualizes access layer devices and core layer devices into a single virtual network device, where an access layer device is, for example, a port-extending device vNode and a core layer device is, for example, a control device vController. Virtualizing them into one virtual network device greatly simplifies the network structure, improves network stability, and essentially achieves centralized configuration management. From the user's point of view, the multiple core layer devices and access layer devices in the same VEM frame belong to the same virtual network device and are stacked by logical slot number. VSM (Virtual System Matrix) technology virtualizes at most two core layer physical devices into one virtual network device.
Normally, the management side issues ACL (Access Control List) entries to the access layer device. The access layer device performs ACL matching on the packets it receives and, according to the execution action obtained from the match, sends each packet to the corresponding core layer device, so that the core layer device applies security and forwarding services to the received packet and provides service functions such as attack defence, audit and supervision, and quality of service.
However, when the core layer device receives a packet sent by the access layer device, it can only apply the same security service to that packet. Scalability is therefore low, and it is not easy to apply differentiated processing to service traffic.
Invention content
In view of this, the present invention provides an ACL configuration method and device to improve scalability.
An embodiment of the present invention provides an ACL configuration method applied to a core layer device in a virtual network device, where the virtual network device further includes an access layer device. The method includes:
receiving an access control list (ACL) entry issued by the management layer for an ingress interface of the virtual network device;
obtaining the ingress interface contained in the ACL entry, and determining whether the ingress interface is located on the access layer device or on the core layer device;
if the ingress interface is determined to be located on the access layer device, determining, according to a cascade relation table pre-saved on the core layer device, the chip on which the cascade port corresponding to the ingress interface is located;
converting the ingress interface in the ACL entry, and storing the converted ACL entry in the chip on which the cascade port is located.
Preferably, when the ingress interface is determined to be located on the core layer device, the chip on which the ingress interface is located is determined and the ACL entry is stored in that chip.
Preferably, when the ingress interface is determined to be located on the access layer device, determining, according to the cascade relation table pre-saved on the core layer device, the chip on which the cascade port corresponding to the ingress interface is located specifically includes:
determining the slot number of the access layer device on which the ingress interface is located; determining, according to the cascade relation table pre-saved on the core layer device, the cascade port corresponding to that slot number; and calculating, from the cascade port, the chip on which the cascade port is located; where the cascade relation table contains the correspondence between the slot number of the access layer device and the cascade port.
Preferably, converting the ingress interface in the ACL entry and storing the converted ACL entry in the chip on which the cascade port is located specifically includes:
converting the ingress interface in the ACL entry into an original ingress interface, and storing the converted ACL entry in the chip on which the cascade port is located; where the converted ACL entry contains the correspondence between the original ingress interface and the execution action, and the original ingress interface is the ingress interface on the access layer device.
Preferably, the method further includes:
when the chip on which the cascade port connected to the access layer device is located changes, according to the pre-recorded correspondence between the access layer device, the chip on which the cascade port connected to that access layer device is located, and the ACL for that access layer device stored in that chip: re-issuing the ACL for that access layer device stored in that chip to the chip on which the cascade port connected to the access layer device is located after the change, recording the correspondence after the change, and deleting the ACL for that access layer device stored in the chip on which the cascade port connected to the access layer device was located before the change.
Preferably, when the ingress interface is determined to be located on the access layer device, the method further includes:
judging the execution action corresponding to the ingress interface in the ACL entry, and, if the judgment result is that the corresponding execution action processes the packet on the access layer device, storing the ACL on the access layer device.
An embodiment of the present invention provides an ACL configuration device applied to a core layer device in a virtual network device, where the virtual network device further includes an access layer device. The device includes:
a receiving unit, configured to receive an access control list (ACL) entry issued by the management layer for an ingress interface of the virtual network device;
an acquiring unit, configured to obtain the ingress interface contained in the ACL entry and determine whether the ingress interface is located on the access layer device or on the core layer device;
a determination unit, configured to, if the ingress interface is determined to be located on the access layer device, determine, according to the cascade relation table pre-saved on the core layer device, the chip on which the cascade port corresponding to the ingress interface is located;
a converting unit, configured to convert the ingress interface in the ACL entry and store the converted ACL entry in the chip on which the cascade port is located.
Preferably, the determination unit is further configured to, when the ingress interface is determined to be located on the core layer device, determine the chip on which the ingress interface is located and store the ACL entry in that chip.
Preferably, the determination unit is specifically configured to, when the ingress interface is determined to be located on the access layer device, determine the slot number of the access layer device on which the ingress interface is located, determine, according to the cascade relation table pre-saved on the core layer device, the cascade port corresponding to that slot number, and calculate from the cascade port the chip on which the cascade port is located; where the cascade relation table contains the correspondence between the slot number of the access layer device and the cascade port.
Preferably, the converting unit is specifically configured to convert the ingress interface in the ACL entry into an original ingress interface and store the converted ACL entry in the chip on which the cascade port is located; where the converted ACL entry contains the correspondence between the original ingress interface and the execution action, and the original ingress interface is the ingress interface on the access layer device.
Preferably, the device further includes:
a re-issuing unit, configured to, when the chip on which the cascade port connected to the access layer device is located changes, according to the pre-recorded correspondence between the access layer device, the chip on which the cascade port connected to that access layer device is located, and the ACL for that access layer device stored in that chip, re-issue the ACL for that access layer device stored in that chip to the chip on which the cascade port connected to the access layer device is located after the change, record the correspondence after the change, and delete the ACL for that access layer device stored in the chip on which the cascade port connected to the access layer device was located before the change.
Preferably, the device further includes:
a judging unit, configured to judge the execution action corresponding to the ingress interface in the ACL entry and, if the judgment result is that the corresponding execution action processes the packet on the access layer device, store the ACL on the access layer device.
By providing an ACL configuration method and device, the embodiment of the present invention obtains the original ingress interface carried by an outgoing packet. Since that original ingress interface is an interface of the access layer device, the ingress interface through which the packet entered the access layer device is known, so the specific service corresponding to the original ingress interface can be applied to the packet, which improves the scalability of services.
Description of the drawings
Fig. 1 is a schematic flow chart of the method provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the virtual network device provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the packet format with Higig header information added, provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the device provided by an embodiment of the present invention.
Specific implementation mode
The technical solutions in the embodiments of the present invention will now be described clearly and completely with reference to the drawings of those embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the prior art, the management side issues ACL (Access Control List) entries to the access layer device; the access layer device performs ACL matching on the packets it receives and, according to the execution action obtained from the match, sends each packet to the corresponding core layer device, so that the core layer device applies security and forwarding services to the received packet and provides service functions such as attack defence, audit and supervision, and quality of service. However, when the same core layer device receives a packet sent by the access layer device, it can only apply the same security service to that packet; scalability is therefore low, and it is not easy to apply differentiated processing to service traffic.
In view of the above problem, an embodiment of the present invention provides an ACL configuration method applied to a core layer device in a virtual network device, where the virtual network device further includes an access layer device. The method includes:
receiving an access control list (ACL) entry issued by the management layer for an ingress interface of the virtual network device;
obtaining the ingress interface contained in the ACL entry, and determining whether the ingress interface is located on the access layer device or on the core layer device;
if the ingress interface is determined to be located on the access layer device, determining, according to a cascade relation table pre-saved on the core layer device, the chip on which the cascade port corresponding to the ingress interface is located;
converting the ingress interface in the ACL entry, and storing the converted ACL entry in the chip on which the cascade port is located.
According to the above scheme, the original ingress interface carried by an outgoing packet is obtained, and since that original ingress interface is an interface of the access layer device, the ingress interface through which the packet entered the access layer device is known; the specific service corresponding to the original ingress interface can therefore be applied to the packet, which improves the scalability of services.
As shown in Fig. 1, an embodiment of the present invention provides an ACL configuration method applied to a core layer device in a virtual network device, where the virtual network device further includes an access layer device. The method includes:
Step 101: receive the access control list (ACL) entry issued by the management layer for an ingress interface of the virtual network device.
Fig. 2 is a connection diagram of the core layer devices and access layer devices in the virtual network device. The virtual network device is formed, using VEM technology, from two core layer devices (vController1, vController2) and three access layer devices. The ingress interfaces of the virtual network device are its functional interfaces. They include the interfaces tengige1, tengige2, tengige3, tengige4, tengige5 and tengige6 in Fig. 2; these six interfaces are the ingress interfaces on the core layer devices and also the cascade ports between the core layer devices and the access layer devices. The ingress interfaces of the virtual network device further include the interfaces located on the access layer devices: eth7, eth8, eth9, eth10, eth11 and eth12. The interfaces eth0, eth1, eth2, eth3, eth4 and eth5 in Fig. 2 are internal interfaces of the virtual network device, not its ingress interfaces. In Fig. 2, each access layer device can be connected to several servers (or other network devices, such as routers and switches) at the same time, or several access layer devices can be connected to the same server (or other network device), so as to communicate with multiple servers.
In the embodiment of the present invention, the multiple core layer devices and access layer devices in the same virtual network device are stacked by logical slot number. Each core layer device corresponds to one chip, and a certain number of slots is reserved for each device (18 slots per device in this embodiment), so two core layer devices occupy at most 36 slots (slot 0 to slot 35); each port-extending device is assigned one logical slot, starting from slot 36. In Fig. 2, for example, the logical slot numbers assigned to vNode1 to vNode3 are 36 to 38 in turn. After logging in to the system page through a single unified IP address, the user can manage the interfaces on all logical slots in the same way.
The main control board of the core layer device receives the ACL entry issued by the management layer for an ingress interface of the virtual network device. The ACL entry contains an ingress interface, a packet characteristic and the corresponding execution action, where the packet characteristic may be the 5-tuple of the packet.
For example, a packet characteristic is: source IP address 192.168.1.1, source port 10000, destination IP address 121.14.88.76, destination port 80, and transport layer protocol TCP (Transmission Control Protocol). The corresponding execution action in the ACL entry may be to send packets that match the ingress interface and packet characteristic in the ACL entry up to a certain service board, which may be a service board with FW (firewall), IPS (Intrusion Prevention System) or UAG (Unified Audit Gateway) functions; or it may be to discard packets that match the ingress interface and packet characteristic in the ACL entry, and so on.
Step 102: obtain the ingress interface contained in the ACL entry, and determine whether the ingress interface is located on the access layer device or on the core layer device.
Packets received on an ingress interface of the access layer device need to be sent up to a service board on the core layer device for the corresponding security service, and the ingress interface at which the core layer device receives such a packet is the cascade port on which the packet arrived. The ACL corresponding to the ingress interface of the access layer device therefore cannot be used as-is to match the packet, and must be modified. It is thus necessary to determine whether the ingress interface in the ACL entry is located on the core layer device or on the access layer device.
Step 103: if the ingress interface is determined to be located on the access layer device, determine, according to the cascade relation table pre-saved on the core layer device, the chip on which the cascade port corresponding to the ingress interface is located.
If the ingress interface is determined to be located on the core layer device, the slot corresponding to the ingress interface is determined and the ACL entry is stored in the chip where that slot is located (referred to below as the chip where the ingress interface is located). The ACL entry stored in the chip where an ingress interface on the core layer device is located contains the correspondence between ingress interface, packet characteristic and execution action. Taking the ACL entry stored in the chip where the core layer ingress interface tengige1 is located as an example, see Table 1.
Table 1:
| Packet characteristic | Ingress interface | Execution action |
| A | tengige1 | Send up to service board a |
If the ingress interface is determined to be located on the access layer device, the slot number of the access layer device on which the ingress interface is located is determined; the cascade port corresponding to that slot number is determined according to the cascade relation table pre-saved on the core layer device; and the chip on which the cascade port is located is calculated from the cascade port. Taking the ingress interface eth7 on the access layer device as an example, the ACL entry assigned to ingress interface eth7 is the correspondence between ingress interface, packet characteristic and execution action, as shown in Table 2:
Table 2:
| Packet characteristic | Ingress interface | Execution action |
| B | eth7 | Send up to service board f |
Since the access layer device is connected to the core layer device through a cascade port, if this ACL entry were stored on the access layer device, a packet received on the ingress interface could only be sent up to the cascade port connecting the access layer device to the core layer device, and the cascade port could not send the packet up to service board f. Therefore the ACL entry for the ingress interface on the access layer device must be stored in the chip where the cascade port between the access layer device and the core layer device is located.
The cascade relation table contains the correspondence between the slot number of the access layer device and the cascade port, as shown in Table 3.
Table 3:
From the above table, the slot number of the access layer device on which the ingress interface is located must first be determined. For example, ingress interface eth7 in Fig. 2 is located on access layer device 1, whose slot number is 36. According to the cascade relation table, the cascade ports of the core layer devices corresponding to access layer device 1 are tengige1 and tengige4, and from these cascade ports it is calculated that cascade port tengige1 is on chip 1 and cascade port tengige4 is on chip 19. The method of calculating from a cascade port the chip on which it is located is prior art and is not described in detail in this embodiment.
Preferably, if the ingress interface is determined to be located on the access layer device, ACL configuration may also be performed as follows: the execution action corresponding to the ingress interface in the ACL entry is judged, and if the judgment result is that the corresponding execution action processes the packet on the access layer device, the ACL is stored on the access layer device. For example, for a static MAC/IP binding function, the ACL entry is as shown in Table 4:
Table 4:
| Packet characteristic | Ingress interface | Execution action |
| B | eth8 | Pass |
According to Table 4, when a packet with characteristic B enters the access layer device on ingress interface eth8, the packet successfully matches this ACL entry and is passed; a packet that does not meet the packet characteristic and the corresponding ingress interface condition is discarded. Here a packet meeting the packet characteristic may be a packet that matches the specified source IP address, source MAC address and ingress interface.
Further, a packet that successfully passes matching of the ACL entry on the access layer device may also be sent up to the cascade port connected to that access layer device and continue to be matched against the ACL entries stored in the chip where the cascade port is located, so that it is sent to the corresponding service board for the corresponding service processing.
Step 104: convert the ingress interface in the ACL entry, and store the converted ACL entry in the chip on which the cascade port is located.
According to the cascade port corresponding to the access layer device found in step 103, the ingress interface in the ACL entry assigned to the ingress interface on the access layer device is converted. The converted ACL entry contains the correspondence between original ingress interface, packet characteristic and execution action, where the original ingress interface is the ingress interface on the access layer device. Taking original ingress interface eth7 as an example, see Table 5.
Table 5:
| Packet characteristic | Original ingress interface | Execution action |
| B | eth7 | Send up to service board f |
Table 5 differs from Table 2 in that the ACL entry has been changed from the correspondence between ingress interface, packet characteristic and execution action to the correspondence between original ingress interface, packet characteristic and execution action. When the cascade port receives a packet sent by the access layer device, matching the packet against the ACL entry shown in Table 2 would give the cascade port as the ingress interface of the packet, whereas the true ingress interface of the packet is eth7. Therefore, when the cascade port receives a packet sent by the access layer device, the packet must be matched against the ACL entry shown in Table 5, from which it is known that the original ingress interface of the packet is ingress interface eth7 on the access layer device.
According to the chip on which the corresponding cascade port is located, as calculated in step 103, the converted ACL entry is stored in the chip on which that cascade port is located.
For a packet received by the access layer device that needs to be sent to a service board on the core layer device for security services, the interface on the access layer device that received the packet is the original ingress interface, and the cascade port between the access layer device and the core layer device is the true ingress interface. When the cascade port receives a packet sent by the access layer device, it must match the packet against the ACL entry containing the correspondence between original ingress interface, packet characteristic and execution action, so that the corresponding security service is applied to the packet received by the access layer device.
When the cascade port receives a packet sent by the access layer device, it needs to match the packet using the ACL entry and therefore needs to know the original ingress interface on which the access layer device received the packet. So that the cascade port knows from which original ingress interface the packet entered, in the embodiment of the present invention the access layer device may add Higig header information to the packet when it receives it; the Higig header information carries the original ingress interface information of the packet. The format of a packet with Higig header information added is shown in Fig. 3; the Higig header information is 12 bytes. When the cascade port receives a packet sent by the access layer device, it parses the packet, obtains the original ingress interface of the packet from the parsed Higig header information, performs ACL matching on the packet, and executes the corresponding action on the packet.
In the embodiment of the present invention, when the chip on which the cascade port connected to the access layer device is located changes, according to the pre-recorded correspondence between the access layer device, the chip on which the cascade port connected to that access layer device is located, and the ACL for that access layer device stored in that chip, the ACL for that access layer device stored in that chip is re-issued to the chip on which the cascade port connected to the access layer device is located after the change, the correspondence after the change is recorded, and the ACL for that access layer device stored in the chip on which the cascade port connected to the access layer device was located before the change is deleted. For example, access layer device 1 is connected to core layer device 1 through cascade port 1, and core layer device 1 stores the correspondence between access layer device 1, chip 1 on which cascade port 1 is located, and the ACL for access layer device 1 stored in chip 1. When access layer device 1 is moved from cascade port 1 of core layer device 1 and connected to core layer device 2 through cascade port 2, then, according to the correspondence stored on core layer device 1, the ACL for access layer device 1 stored in chip 1 is saved to chip 2 on which cascade port 2 is located; core layer device 2 records the correspondence between access layer device 1, chip 2 on which cascade port 2 is located, and the ACL for access layer device 1 stored in chip 2; and the ACL for access layer device 1 stored in chip 1 is deleted. This avoids traffic being missed when a cascade port is added, and ACL entries being wasted when a cascade port is removed.
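The following Python model is added here as an illustration; it is not part of the patent or of any DPTech product. It walks through steps 101 to 104 on the Fig. 2 topology, matches a packet arriving at a cascade port by the original ingress interface that the access layer device placed in the Higig header, and re-issues an access layer device's ACL when its cascade port moves to another chip. The port-to-chip mapping, the interface-to-slot mapping, the set of actions handled on the access device and the packet characteristic labels are constructed assumptions, and because the 12-byte Higig header layout is not specified on the page the original ingress interface is passed in as an already-parsed field.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AclEntry:
    """An ACL entry as issued by the management layer (Table 2 form)."""
    ingress: str            # ingress interface named in the entry, e.g. "eth7"
    feature: str            # packet characteristic; a label stands in for the 5-tuple
    action: str             # execution action, e.g. "send up to service board f"
    original: bool = False  # True once converted to the Table 5 form (step 104)


@dataclass(frozen=True)
class Packet:
    """A packet as seen at a core layer device. original_ingress is the value the
    access layer device carried in the Higig header (layout assumed, already parsed)."""
    feature: str
    ingress: str                # interface the core device received it on (a cascade port)
    original_ingress: str = ""  # empty when the packet did not pass through an access device


# Actions the access layer device carries out itself (the Table 4 case); assumed set.
ACCESS_LOCAL_ACTIONS = {"pass"}


class CoreDevice:
    def __init__(self, core_ifaces, slot_of_iface, cascade_table, chip_of_port):
        self.core_ifaces = set(core_ifaces)   # tengige1..tengige6 in Fig. 2
        self.slot_of_iface = slot_of_iface    # access-device interface -> logical slot
        self.cascade_table = cascade_table    # Table 3: slot -> cascade ports
        self.chip_of_port = chip_of_port      # port -> chip (the "prior art" step; assumed map)
        self.chip_acls = defaultdict(list)    # chip -> ACL entries stored on it
        self.access_acls = defaultdict(list)  # slot -> entries left on the access device
        self.records = {}                     # (slot, cascade port) -> chip, kept for re-issue

    def configure(self, entry):
        """Steps 101-104: place one issued ACL entry; returns the chips it was stored on."""
        if entry.ingress in self.core_ifaces:              # Table 1 case: core-side interface
            chip = self.chip_of_port[entry.ingress]
            self.chip_acls[chip].append(entry)
            return [chip]
        slot = self.slot_of_iface[entry.ingress]           # interface is on an access device
        if entry.action in ACCESS_LOCAL_ACTIONS:           # Table 4 case: stays on the access device
            self.access_acls[slot].append(entry)
            return []
        converted = replace(entry, original=True)          # Table 5 form: original ingress interface
        chips = []
        for port in self.cascade_table[slot]:              # one copy per cascade port to that slot
            chip = self.chip_of_port[port]
            self.chip_acls[chip].append(converted)
            self.records[(slot, port)] = chip
            chips.append(chip)
        return chips

    def lookup(self, chip, pkt):
        """Match a packet against the ACL entries on a chip; returns the action or None.
        Converted entries compare against the original ingress interface from the
        Higig header, unconverted ones against the interface the packet arrived on."""
        for e in self.chip_acls[chip]:
            seen = pkt.original_ingress if e.original else pkt.ingress
            if e.feature == pkt.feature and e.ingress == seen:
                return e.action
        return None

    def relink(self, slot, old_port, new_port):
        """The cascade port to an access device moved to another chip: re-issue that
        device's ACL to the new chip, record the new binding, delete the stale copy."""
        old_chip = self.records.pop((slot, old_port))
        new_chip = self.chip_of_port[new_port]
        moved = [e for e in self.chip_acls[old_chip]
                 if e.original and self.slot_of_iface[e.ingress] == slot]
        self.chip_acls[new_chip].extend(moved)
        self.records[(slot, new_port)] = new_chip
        self.chip_acls[old_chip] = [e for e in self.chip_acls[old_chip] if e not in moved]
        return new_chip


def build_demo():
    """Constructed topology modelled on Fig. 2: access layer device 1 is slot 36 and is
    reached through tengige1 (chip 1) and tengige4 (chip 19); all other values assumed."""
    return CoreDevice(
        core_ifaces=[f"tengige{i}" for i in range(1, 7)],
        slot_of_iface={"eth7": 36, "eth8": 36, "eth9": 37, "eth10": 37},
        cascade_table={36: ["tengige1", "tengige4"], 37: ["tengige2", "tengige5"]},
        chip_of_port={"tengige1": 1, "tengige2": 2, "tengige3": 3,
                      "tengige4": 19, "tengige5": 20, "tengige6": 21},
    )


if __name__ == "__main__":
    dev = build_demo()
    print(dev.configure(AclEntry("eth7", "B", "send up to service board f")))   # chips [1, 19]
    arrived = Packet(feature="B", ingress="tengige1", original_ingress="eth7")
    print(dev.lookup(1, arrived))                   # matched by original ingress eth7
    print(dev.relink(36, "tengige4", "tengige6"))   # ACL re-issued to chip 21
```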
As shown in Fig. 4, an embodiment of the present invention further provides an ACL configuration device applied to a core layer device in a virtual network device, where the virtual network device further includes an access layer device. The device includes:
a receiving unit 401, configured to receive an access control list (ACL) entry issued by the management layer for an ingress interface of the virtual network device;
an acquiring unit 402, configured to obtain the ingress interface contained in the ACL entry and determine whether the ingress interface is located on the access layer device or on the core layer device;
a determination unit 403, configured to, if the ingress interface is determined to be located on the access layer device, determine, according to the cascade relation table pre-saved on the core layer device, the chip on which the cascade port corresponding to the ingress interface is located;
a converting unit 404, configured to convert the ingress interface in the ACL entry and store the converted ACL entry in the chip on which the cascade port is located.
Further, the determination unit 403 is also configured to, when the ingress interface is determined to be located on the core layer device, determine the chip on which the ingress interface is located and store the ACL entry in that chip.
Further, the determination unit 403 is specifically configured to, when the ingress interface is determined to be located on the access layer device, determine the slot number of the access layer device on which the ingress interface is located, determine, according to the cascade relation table pre-saved on the core layer device, the cascade port corresponding to that slot number, and calculate from the cascade port the chip on which the cascade port is located; where the cascade relation table contains the correspondence between the slot number of the access layer device and the cascade port.
Further, the converting unit 404 is specifically configured to convert the ingress interface in the ACL entry into an original ingress interface and store the converted ACL entry in the chip on which the cascade port is located; where the converted ACL entry contains the correspondence between the original ingress interface and the execution action.
Further, the device further includes:
a re-issuing unit 405, configured to, when the chip on which the cascade port connected to the access layer device is located changes, according to the pre-recorded correspondence between the access layer device, the chip on which the cascade port connected to that access layer device is located, and the ACL for that access layer device stored in that chip, re-issue the ACL for that access layer device stored in that chip to the chip on which the cascade port connected to the access layer device is located after the change, record the correspondence after the change, and delete the ACL for that access layer device stored in the chip on which the cascade port connected to the access layer device was located before the change.
Further, the device further includes:
a judging unit 406, configured to judge the execution action corresponding to the ingress interface in the ACL entry and, if the judgment result is that the corresponding execution action processes the packet on the access layer device, store the ACL on the access layer device.
The above is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (12)

1. An ACL configuration method, applied to the core layer device in a virtual network device, where the virtual network device further includes an access layer device, characterized in that it includes:
receiving the access control list (ACL) entry issued by the management layer for an incoming interface of the virtual network device;
obtaining the incoming interface contained in the ACL entry and determining whether the incoming interface is located on the access layer device or on the core layer device;
if the incoming interface is determined to be located on the access layer device, determining, according to a cascade relationship table pre-saved in the core layer device, the chip on which the cascade port corresponding to the incoming interface resides;
performing conversion processing on the incoming interface in the ACL entry and storing the converted ACL entry in the chip on which the cascade port resides.
2. The method according to claim 1, characterized in that, when the incoming interface is determined to be located on the core layer device, the chip on which the incoming interface resides is determined and the ACL entry is stored in that chip.
3. The method according to claim 1, characterized in that said determining, if the incoming interface is determined to be located on the access layer device, the chip on which the cascade port corresponding to the incoming interface resides according to the cascade relationship table pre-saved in the core layer device specifically includes:
if the incoming interface is determined to be located on the access layer device, determining the slot number of the access layer device on which the incoming interface is located, determining, according to the cascade relationship table pre-saved in the core layer device, the cascade port corresponding to that slot number, and calculating from the cascade port the chip on which the cascade port resides; wherein the cascade relationship table contains the correspondence between access layer device slot numbers and cascade ports.
4. The method according to claim 1, characterized in that said performing conversion processing on the incoming interface in the ACL entry and storing the converted ACL entry in the chip on which the cascade port resides specifically includes:
converting the incoming interface in the ACL entry into the original incoming interface and storing the converted ACL entry in the chip on which the cascade port resides; wherein the converted ACL entry contains the correspondence between the original incoming interface and the action to execute, and the original incoming interface is the incoming interface on the access layer device.
5. The method according to any one of claims 1 to 4, characterized in that the method further includes:
when the chip on which the cascade port connected to the access layer device resides changes, according to the pre-recorded correspondence between the access layer device, the chip on which the cascade port connected to that access layer device resides, and the ACL for the corresponding access layer device saved in that chip, re-issuing the ACL for the corresponding access layer device saved in that chip to the chip on which the cascade port connected to the access layer device resides after the change, recording the correspondence after the change, and deleting the ACL for the corresponding access layer device saved in the chip on which the cascade port connected to the access layer device resided before the change.
6. The method according to claim 1, characterized in that, if the incoming interface is determined to be located on the access layer device, the method further includes:
judging the action to execute corresponding to the incoming interface in the ACL entry; if the judgment result is that the corresponding action processes, on the access layer device, the message received at the incoming interface, storing the ACL in the access layer device.
7. An ACL configuration device, applied to the core layer device in a virtual network device, where the virtual network device further includes an access layer device, characterized in that it includes:
a receiving unit, for receiving the access control list (ACL) entry issued by the management layer for an incoming interface of the virtual network device;
an acquiring unit, for obtaining the incoming interface contained in the ACL entry and determining whether the incoming interface is located on the access layer device or on the core layer device;
a determination unit, for determining, if the incoming interface is determined to be located on the access layer device, the chip on which the cascade port corresponding to the incoming interface resides, according to a cascade relationship table pre-saved in the core layer device;
a converting unit, for performing conversion processing on the incoming interface in the ACL entry and storing the converted ACL entry in the chip on which the cascade port resides.
8. The device according to claim 7, characterized in that the determination unit is also used, when the incoming interface is determined to be located on the core layer device, to determine the chip on which the incoming interface resides and to store the ACL entry in that chip.
9. The device according to claim 7, characterized in that the determination unit is specifically used, when the incoming interface is determined to be located on the access layer device, to determine the slot number of the access layer device on which the incoming interface is located, to determine, according to the cascade relationship table pre-saved in the core layer device, the cascade port corresponding to that slot number, and to calculate from the cascade port the chip on which the cascade port resides; wherein the cascade relationship table contains the correspondence between access layer device slot numbers and cascade ports.
10. The device according to claim 7, characterized in that the converting unit is specifically used to convert the incoming interface in the ACL entry into the original incoming interface and to store the converted ACL entry in the chip on which the cascade port resides; wherein the converted ACL entry contains the correspondence between the original incoming interface and the action to execute, and the original incoming interface is the incoming interface on the access layer device.
11. The device according to any one of claims 7 to 10, characterized in that the device further includes:
a re-issuing unit, for use when the chip on which the cascade port connected to the access layer device resides changes: according to the pre-recorded correspondence between the access layer device, the chip on which the cascade port connected to that access layer device resides, and the ACL for the corresponding access layer device saved in that chip, it re-issues the ACL for the corresponding access layer device saved in that chip to the chip on which the cascade port connected to the access layer device resides after the change, records the correspondence after the change, and deletes the ACL for the corresponding access layer device saved in the chip on which the cascade port connected to the access layer device resided before the change.
12. The device according to claim 7, characterized in that it further includes:
a judging unit, for judging the action to execute corresponding to the incoming interface in the ACL entry; if the judgment result is that the corresponding action processes, on the access layer device, the message received at the incoming interface, the ACL is stored in the access layer device.

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410370043.9A | 2014-07-30 | 2014-07-30 | A kind of ACL configuration methods and device |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410370043.9A | 2014-07-30 | 2014-07-30 | A kind of ACL configuration methods and device |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN105337751A | 2016-02-17 |
| CN105337751B | 2018-09-04 |

Family ID: 55288066

Family Applications (1)

| Application Number | Status | Title | Priority Date | Filing Date |
|---|---|---|---|---|
| CN201410370043.9A | Active | A kind of ACL configuration methods and device | 2014-07-30 | 2014-07-30 |

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN105337751B (en) |

Also Published As

| Publication Number | Publication Date |
|---|---|
| CN105337751A | 2016-02-17 |

Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | CB02 | Change of applicant information | Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building. Applicant after: Hangzhou Dipu Polytron Technologies Inc. Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building. Applicant before: Hangzhou Dipu Technology Co., Ltd. |
| | CB02 | Change of applicant information | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |