CN106067864A - Packet processing method and device - Google Patents

Packet processing method and device

Info

Publication number: CN106067864A
Application number: CN201610388021.4A
Authority: CN (China)
Prior art keywords: port, vxlan, message, vtep equipment, secure
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN106067864B (en)
Inventors: 黄李伟, 王伟
Current assignee: Hangzhou H3C Technologies Co Ltd (as listed by Google Patents)
Original assignee: Hangzhou H3C Technologies Co Ltd

Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201610388021.4A
Publication of CN106067864A
Application granted
Publication of CN106067864B
Legal status: Active

Classifications

All classifications fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L47/00 Traffic control in data switching networks; H04L47/10 Flow control, congestion control; H04L47/12 Avoiding congestion, recovering from congestion; H04L47/125 by balancing the load, e.g. traffic engineering
    • H04L47/00 Traffic control in data switching networks; H04L47/10 Flow control, congestion control; H04L47/32 by discarding or delaying data units, e.g. packets or frames
    • H04L47/00 Traffic control in data switching networks; H04L47/70 Admission control, resource allocation; H04L47/82 Miscellaneous aspects; H04L47/825 involving tunnels, e.g. MPLS
    • H04L49/00 Packet switching elements; H04L49/30 Peripheral units, e.g. input or output ports
    • H04L49/00 Packet switching elements; H04L49/35 Switches specially adapted for specific applications; H04L49/354 for supporting virtual local area networks [VLAN]

Abstract

Embodiments of the invention disclose a packet processing method and device. The method includes: a first VTEP device receives a VXLAN (Virtual eXtensible Local Area Network) packet sent by a peer device; it determines whether the first port on which the VXLAN packet was received is a secure port, where a secure port is a port on which a VXLAN tunnel has been established; and, if so, it sends the VXLAN packet to the processing unit of the first VTEP device. Applying the embodiments, received VXLAN packets are screened so that only VXLAN packets received on secure ports are sent to the processing unit of the first VTEP device, which relieves the packet-processing burden on the processing unit.

Description

Packet processing method and device
Technical field
The present invention relates to the field of information security, and in particular to a packet processing method and device.
Background art
In an SDN (Software Defined Network), VXLAN (Virtual eXtensible Local Area Network) tunneling is used to encapsulate, decapsulate and forward data packets. VXLAN uses an IP network as the underlay network and provides users with virtual networks on top of it. VXLAN tunneling involves multiple VTEP (VXLAN Tunnel End Point) devices; VXLAN tunnels can be established between these VTEP devices (that is, an overlay network is built on the underlay network), and data is transmitted through the established VXLAN tunnels. A VTEP device is an edge device of the VXLAN; specifically, it may be a stand-alone physical device or the server on which a VM (Virtual Machine) runs.
When data is transmitted with existing VXLAN tunneling, the two VTEP devices at the two ends of a VXLAN tunnel are each other's peer devices. Specifically, when a VM sends a data packet to a VTEP device, the VTEP device receives it and delivers it to the corresponding VSI (Virtual Switch Instance) in order to determine the VXLAN tunnel for the data packet. The VTEP device encapsulates the data packet to produce a packet, which may be a UDP (User Datagram Protocol) packet, and sends that UDP packet through the VXLAN tunnel corresponding to the VSI to the peer VTEP device. The peer VTEP device sends the received packet up to its processing unit (for example, a CPU) for decapsulation, obtains the corresponding data packet, and then sends the data packet to the destination VM.
In the prior art, after the peer VTEP device receives a packet and determines that the destination port number carried by the packet is 4789 (the IANA-assigned UDP port for VXLAN), it confirms that the packet is a VXLAN packet and sends it to the processing unit, for example the CPU, which then processes the VXLAN packet.
Summary of the invention
Embodiments of the invention disclose a packet processing method and device that screen received UDP packets and relieve the packet-processing burden on the processing unit (for example, the CPU). The specific scheme is as follows:
In one aspect, an embodiment of the invention provides a packet processing method applied to a first VTEP device in a VXLAN. The method includes:
Receiving a VXLAN packet sent by a peer device;
Determining whether the first port on which the VXLAN packet was received is a secure port, where a secure port is a port on which a VXLAN tunnel has been established;
If so, sending the VXLAN packet to the processing unit of the first VTEP device.
Optionally, before determining whether the first port on which the VXLAN packet was received is a secure port, the packet processing method provided by the embodiment further includes:
Obtaining the tunnel ports of the first VTEP device that are used to establish VXLAN tunnels;
and determining whether the first port on which the VXLAN packet was received is a secure port includes:
Determining whether the first port is among the tunnel ports;
If it is, determining that the first port is a secure port.
Optionally, the packet processing method provided by the embodiment further includes:
Obtaining the correspondence between the tunnel ports and the peer devices;
and determining whether the first port on which the VXLAN packet was received is a secure port further includes:
Determining whether the correspondence contains an entry matching the first port and the peer device that sent the VXLAN packet; if it does, determining that the first port is a secure port.
Optionally, the packet processing method provided by the embodiment further includes:
When the first port is determined not to be a secure port, discarding the VXLAN packet.
Optionally, before sending the VXLAN packet to the processing unit of the first VTEP device, the packet processing method provided by the embodiment further includes:
Setting, for a secure port, a transmission rate threshold for sending VXLAN packets to the processing unit;
and sending the VXLAN packet to the processing unit of the first VTEP device includes:
When the rate at which the secure port receives VXLAN packets exceeds the transmission rate threshold, sending VXLAN packets to the processing unit at the transmission rate threshold.
In another aspect, an embodiment of the invention further provides a packet processing device applied to a first VTEP device in a VXLAN. The device includes a packet receiving module, a judging module and a sending module;
The packet receiving module receives the VXLAN packet sent by the peer device;
The judging module determines whether the first port on which the VXLAN packet was received is a secure port, where a secure port is a port on which a VXLAN tunnel has been established;
The sending module, when the first port is determined to be a secure port, sends the VXLAN packet to the processing unit of the first VTEP device.
Optionally, the packet processing device provided by the embodiment further includes an acquisition module;
The acquisition module obtains, before the judging module determines whether the first port on which the VXLAN packet was received is a secure port, the tunnel ports of the first VTEP device that are used to establish VXLAN tunnels;
The judging module is then specifically configured to:
Determine whether the first port is among the tunnel ports;
If it is, determine that the first port is a secure port.
Optionally, the acquisition module further obtains the correspondence between the tunnel ports and the peer devices;
The judging module further:
Determines whether the correspondence contains an entry matching the first port and the peer device that sent the VXLAN packet; if it does, determines that the first port is a secure port.
Optionally, the packet processing device provided by the embodiment further includes a discard module;
The discard module discards the VXLAN packet when the first port is determined not to be a secure port.
Optionally, the packet processing device provided by the embodiment further includes a setting module;
The setting module sets, for a secure port, a transmission rate threshold for sending VXLAN packets to the processing unit;
The sending module is then specifically configured to send VXLAN packets to the processing unit at the transmission rate threshold when the rate at which the secure port receives VXLAN packets exceeds that threshold.
In this scheme, a first VTEP device receives a VXLAN packet sent by a peer device; it determines whether the first port on which the VXLAN packet was received is a secure port, where a secure port is a port on which a VXLAN tunnel has been established; and, if so, it sends the VXLAN packet to the processing unit of the first VTEP device. Received VXLAN packets are thus screened, and only VXLAN packets received on secure ports are sent to the processing unit of the first VTEP device, which relieves the packet-processing burden on the processing unit (for example, the CPU). Of course, a product or method implementing the invention need not achieve all of the above advantages at the same time.
Brief description of the drawings
To describe the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a packet processing method provided by an embodiment of the invention;
Fig. 2 is another schematic flowchart of a packet processing method provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a packet processing device provided by an embodiment of the invention;
Fig. 4 is another schematic structural diagram of a packet processing device provided by an embodiment of the invention;
Fig. 5 is a schematic network topology provided by an embodiment of the invention;
Fig. 6 is another schematic network topology provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
It will be appreciated that after a VTEP device receives a VXLAN packet sent by a peer device it does not identify whether the packet is one it actually needs to process (the VXLAN packet may have been forged by the peer device, or may be a VXLAN packet flooded in the network; such VXLAN packets may well not be packets that this VTEP device needs to process) and sends all of them up to the processing unit (for example, the CPU). When the VTEP device receives a very large number of VXLAN packets, this inevitably overloads the CPU. For example, after a peer device sends a large number of VXLAN packets (packets whose destination port number is 4789) to the VTEP device over the underlay network, the VTEP device sends all of them up to the CPU, so the processing load of the CPU becomes excessive. Embodiments of the invention provide a packet processing method and device that screen received VXLAN packets and relieve the packet-processing burden on the processing unit (for example, the CPU).
The packet processing method provided by the embodiments of the invention is introduced first.
It should be noted that the packet processing method provided by the embodiments can be applied to a first VTEP device in a VXLAN. The first VTEP device can be any VTEP device that receives a VXLAN packet sent by a peer device, where the peer device may be a second VTEP device that has established a VXLAN tunnel with the first VTEP device, a host that exchanges data with the first VTEP device, or another VTEP device that has not established a VXLAN tunnel with the first VTEP device. The first VTEP device and the second VTEP device can transmit data (VXLAN packets) directly through the established VXLAN tunnel. In practice, the VTEP device may be replaced by a virtual switch (vSwitch). A VXLAN packet here means a packet whose destination port number is 4789.
It should also be emphasised that "first" in "first VTEP device" and "second" in "second VTEP device" serve only to distinguish by name the device that receives the VXLAN packet from the device that sends it, and have no limiting meaning.
An embodiment of the invention provides a packet processing method which, as shown in Fig. 1, may include the following steps:
S101: receive the VXLAN packet sent by the peer device.
It will be appreciated that packets are classified by the destination port number they carry: for example, destination port 53 corresponds to Domain Name System (DNS) packets, 69 to Trivial File Transfer Protocol (TFTP) packets, 161 to Simple Network Management Protocol (SNMP) packets, and 4789 to VXLAN packets. In the embodiments of the invention the first VTEP device processes mainly the received VXLAN packets (i.e. packets whose destination port number is 4789). The first VTEP device receives the VXLAN packet carrying port number 4789 sent by the peer device, where the peer device may be a host or a peer VTEP device, and the peer VTEP device may be a second VTEP device that has established a VXLAN tunnel with the first VTEP device or another peer VTEP device that has not.
S102: determine whether the first port on which the VXLAN packet was received is a secure port, where a secure port is a port on which a VXLAN tunnel has been established; if so, perform S103.
It should be noted that the first VTEP device may be provided with one or more ports through which it communicates with peer devices. The first VTEP device may establish a VXLAN tunnel with any peer device (peer VTEP device); the tunnel port on the first VTEP device that corresponds to such an established VXLAN tunnel is a secure port, and accordingly the other ports of the first VTEP device, which do not terminate a VXLAN tunnel to a peer device (peer VTEP device), are non-secure ports. The first port may be any port on the first VTEP device that receives VXLAN packets.
Specifically, after the first VTEP device receives the VXLAN packet it determines whether the first port on which the packet was received is a secure port; when it is, the subsequent packet-processing flow continues. In one implementation, the first VTEP device marks secure ports with identification information to distinguish them from its other, non-secure ports; alternatively, secure ports are stored in a secure-port table entry and, correspondingly, non-secure ports in an attack-protection table entry. The secure-port table entry is traversed to determine whether the first port is stored in it: if it is, the first port is a secure port and the subsequent packet-processing flow continues; if it is not, the first port is a non-secure port.
S103: send the VXLAN packet to the processing unit of the first VTEP device.
It should be noted that once the first port on which the VXLAN packet was received has been determined to be a secure port, the VXLAN packet can be regarded as a packet that the first VTEP device needs to process, and it is sent to the processing unit of the first VTEP device, which may be a CPU, for processing. Sending the VXLAN packet to the processing unit and the processing of the packet by the processing unit may use existing techniques and are not repeated here.
Applying this embodiment, the first VTEP device receives the VXLAN packet sent by the peer device; determines whether the first port on which the VXLAN packet was received is a secure port, where a secure port is a port on which a VXLAN tunnel has been established; and, if so, sends the VXLAN packet to the processing unit of the first VTEP device. Received VXLAN packets are thus screened, and only VXLAN packets received on secure ports are sent to the processing unit of the first VTEP device, which relieves the packet-processing burden on the processing unit (for example, the CPU).
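The following is an added example, not part of the patent or of any H3C product, written in Python to illustrate S101 to S103 together with the discard of S201. It parses the outer Ethernet, IPv4, UDP and VXLAN headers of a received frame, treats only UDP destination port 4789 as a VXLAN packet, and punts the packet to the processing unit only when the ingress port is in the secure-port table. Port names and addresses follow Fig. 5 (on VTEP device 1, port A terminates the tunnel to 3.3.3.3 and port B leads only to the underlay switch); the frame bytes, MAC addresses and the zeroed IP checksum are constructed for this example.

```python
import ipaddress
import struct

VXLAN_UDP_PORT = 4789                 # IANA-assigned VXLAN destination port (RFC 7348)
ETH_HDR_LEN, IPV4_MIN_HDR_LEN = 14, 20
UDP_HDR_LEN, VXLAN_HDR_LEN = 8, 8
ETHERTYPE_IPV4, IPPROTO_UDP = 0x0800, 17
VXLAN_FLAG_VNI_VALID = 0x08

# Fig. 5: on VTEP device 1 only port A terminates a VXLAN tunnel (to 3.3.3.3).
SECURE_PORTS = {"A"}


def parse_outer_headers(frame: bytes):
    """Return (outer_src_ip, outer_dst_ip, udp_dst_port, vni) for an IPv4/UDP frame.

    vni is None unless the UDP destination port is 4789 and the VXLAN header has
    the I flag set. Returns None for frames that are not IPv4/UDP at all.
    """
    if len(frame) < ETH_HDR_LEN + IPV4_MIN_HDR_LEN + UDP_HDR_LEN:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = ETH_HDR_LEN
    ihl = (frame[ip] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < IPV4_MIN_HDR_LEN or frame[ip + 9] != IPPROTO_UDP:
        return None
    src = str(ipaddress.IPv4Address(frame[ip + 12:ip + 16]))
    dst = str(ipaddress.IPv4Address(frame[ip + 16:ip + 20]))
    udp = ip + ihl
    if len(frame) < udp + UDP_HDR_LEN:
        return None
    _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, udp)
    vni = None
    if dport == VXLAN_UDP_PORT and len(frame) >= udp + UDP_HDR_LEN + VXLAN_HDR_LEN:
        # VXLAN header: flags(1) reserved(3) VNI(3) reserved(1); the VNI is the
        # upper 24 bits of the second 32-bit word.
        flags, last_word = struct.unpack_from("!BxxxI", frame, udp + UDP_HDR_LEN)
        if flags & VXLAN_FLAG_VNI_VALID:
            vni = last_word >> 8
    return src, dst, dport, vni


def ingress_decision(ingress_port: str, frame: bytes, secure_ports=SECURE_PORTS) -> str:
    """S101-S103/S201: classify by destination port, then gate the punt on the ingress port."""
    hdr = parse_outer_headers(frame)
    if hdr is None or hdr[2] != VXLAN_UDP_PORT:
        return "not-vxlan"      # S101 only handles packets with destination port 4789
    if ingress_port in secure_ports:
        return "punt"           # S102/S103: secure port, send to the processing unit (CPU)
    return "drop"               # S201: non-secure port, discard instead of punting


def build_vxlan_frame(src_ip: str, dst_ip: str, vni: int,
                      dst_port: int = VXLAN_UDP_PORT, inner: bytes = b"\x00" * 42) -> bytes:
    """Construct an Ethernet/IPv4/UDP/VXLAN frame for the example (IP checksum left at 0)."""
    vxlan = struct.pack("!BxxxI", VXLAN_FLAG_VNI_VALID, vni << 8)
    udp_len = UDP_HDR_LEN + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, dst_port, udp_len, 0)   # UDP checksum 0 = none over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR_LEN + udp_len, 0, 0x4000,
                     64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))        # constructed MAC addresses
    return eth + ip + udp + vxlan + inner


if __name__ == "__main__":
    legit = build_vxlan_frame("3.3.3.3", "1.1.1.1", vni=100)
    print(parse_outer_headers(legit))            # ('3.3.3.3', '1.1.1.1', 4789, 100)
    print(ingress_decision("A", legit))          # punt
    print(ingress_decision("B", legit))          # drop (same packet arriving via the switch port)
    print(ingress_decision("A", build_vxlan_frame("3.3.3.3", "1.1.1.1", 100, dst_port=53)))  # not-vxlan
```

The ingress-port check costs nothing per packet beyond a set lookup, which is the point: it runs before the packet reaches the CPU, so a flood on a non-tunnel port is dropped in the forwarding path. It is not an authenticity check; the same frame arriving on port A is punted regardless of who sent it.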
In one specific implementation, before determining whether the first port on which the VXLAN packet was received is a secure port, the packet processing method provided by the embodiment may further include:
Obtaining the tunnel ports of the first VTEP device that are used to establish VXLAN tunnels;
and determining whether the first port on which the VXLAN packet was received is a secure port (S102) includes:
Determining whether the first port is among the tunnel ports;
If it is, determining that the first port is a secure port.
It will be appreciated that when the first VTEP device establishes a VXLAN tunnel with a peer VTEP device it can record in advance the tunnel port on the first VTEP device that corresponds to that VXLAN tunnel. The tunnel ports of the first VTEP device are obtained, and it is determined whether the first port on which the VXLAN packet was received is among them: if it is, the first port is a tunnel port and therefore a secure port, and the subsequent packet-processing flow can proceed; if it is not, the first port is a non-tunnel port and therefore a non-secure port. It should be emphasised that a secure port is a port provided on the first VTEP device through which received VXLAN packets may be sent up to the processing unit for processing. The embodiment can thus prevent the first VTEP device from being attacked with forged VXLAN packets sent by hosts and by other VTEP devices (VTEP devices that have not established a VXLAN tunnel with the first VTEP device).
In one specific implementation, the packet processing method provided by the embodiment may further include:
Obtaining the correspondence between the tunnel ports and the peer devices;
and determining whether the first port on which the VXLAN packet was received is a secure port further includes:
Determining whether the correspondence contains an entry matching the first port and the peer device that sent the VXLAN packet; if it does, determining that the first port is a secure port.
It should be noted that for a VXLAN tunnel established between VTEP devices there is a correspondence between the VXLAN tunnel and a tunnel port. As shown in Fig. 5, VTEP device 1 (the first VTEP device, address 1.1.1.1) establishes a VXLAN tunnel with VTEP device 3 (the peer device, address 3.3.3.3) through port A; port A is a tunnel port and corresponds to the peer device (VTEP device 3). Under normal circumstances the VXLAN packets received on port A belong to the tunnel whose destination address (from the first VTEP device's perspective) is 3.3.3.3 (the address of VTEP device 3); a VXLAN packet received on port A that does not belong to the tunnel with 3.3.3.3 (the address of VTEP device 3) is not sent to the processing unit.
To determine whether the first port receiving the VXLAN packet is a secure port (a port whose received VXLAN packets may be sent to the processing unit), after the first port has been determined to be a tunnel port it is further determined whether the obtained correspondence between tunnel ports and peer devices contains an entry for the first port and the peer device (the device that sent the VXLAN packet); if it does, the first port is determined to be a secure port (i.e. a port whose received VXLAN packets may be sent to the processing unit). Of course, the step of determining whether the first port is among the tunnel ports and the step of determining whether the correspondence contains an entry for the first port and the peer device that sent the VXLAN packet may be performed at the same time.
It will be appreciated that the first VTEP device records locally the MAC addresses or routed IP addresses of the peer devices with which it communicates (in a MAC address table entry or a routing table entry, respectively) together with the corresponding ports. From the recorded MAC address or routed IP address it can determine the port used for data communication, and hence the tunnel port corresponding to the VXLAN tunnel established between the first VTEP device and the peer device; the tunnel port corresponding to the peer device can be defined as a secure port.
A VXLAN packet sent from the peer device to the first VTEP device carries the MAC (Media Access Control) address or routed IP address of the peer device. From the MAC address or routed IP address (of the peer device) parsed out of the VXLAN packet, together with the obtained correspondence between tunnel ports and peer devices, it is determined whether the first port receiving the VXLAN packet is a secure port, and hence whether the subsequent packet-processing flow proceeds.
For example, as shown in Fig. 5, VTEP device 1 (the first VTEP device, address 1.1.1.1) is provided with port A and port B. It communicates with VTEP device 3 (the second VTEP device, address 3.3.3.3) through port A (link 1), and communicates with device P (a switch) through port B; device P in turn communicates with VTEP device 3. A VXLAN tunnel (tunnel 1) is established between VTEP device 1 (through port A) and VTEP device 3, i.e. an overlay network exists between VTEP device 1 and VTEP device 3. Device P has no VXLAN tunnel with VTEP device 1 or with VTEP device 3, i.e. the path from VTEP device 1 through device P to VTEP device 3 is an underlay network. For VTEP device 1, the source address of link 1 (tunnel 1) is 1.1.1.1 and the destination address is 3.3.3.3. By querying its local MAC address table entries or routing table entries, VTEP device 1 determines that the port of VTEP device 1 leading to VTEP device 3 (destination address 3.3.3.3) is port A, and hence that port A is a secure port.
In one specific implementation, considering that the local storage resources of the first VTEP device are limited, and in order to save them and avoid occupying too much local space, the packet processing method provided by the embodiment may, as shown in Fig. 2, further include:
S201: when the first port is determined not to be a secure port, discard the VXLAN packet.
Discarding the VXLAN packet may use existing techniques and is not repeated here.
In one specific implementation, the first VTEP device may be provided with several secure ports (tunnel ports) and communicate with peer devices through these secure ports (and through its other configured ports). When several secure ports send VXLAN packets to the processing unit at the same time, in order for the processing unit to process the VXLAN packets from each secure port evenly, the rate at which each secure port sends VXLAN packets to the processing unit can be limited, so that the processing unit is not occupied processing the VXLAN packets of one secure port while the VXLAN packets of the other secure ports go unprocessed in time. Before the VXLAN packet is sent to the processing unit of the first VTEP device (S103), the packet processing method provided by the embodiment may further include:
For a secure port, setting a transmission rate threshold for sending VXLAN packets to the processing unit;
and sending the VXLAN packet to the processing unit of the first VTEP device (S103) includes:
When the rate at which the secure port receives VXLAN packets exceeds the transmission rate threshold, sending VXLAN packets to the processing unit at the transmission rate threshold.
It will be appreciated that the first VTEP device presets the transmission rate threshold for sending VXLAN packets to the processing unit. When the rate at which a secure port receives VXLAN packets exceeds the threshold, VXLAN packets are sent to the processing unit at the threshold rate for processing; when the rate does not exceed the threshold, VXLAN packets can be sent to the processing unit at the rate at which they are received. The threshold can be configured and adjusted according to the performance of the first VTEP device itself.
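An added example of the per-secure-port threshold (illustrative Python; not the patent's or H3C's implementation): a token bucket per secure port, with timing kept in integer microseconds so the arithmetic is exact and the behaviour is reproducible. The parameters `threshold_pps` and `burst` and the simulation helper are assumptions of this example; the patent only states that the threshold is configured from the device's own performance and that packets below the threshold pass at their arrival rate.

```python
"""Per-secure-port rate limit on VXLAN packets punted to the processing unit (CPU)."""
from typing import Dict, List, Optional, Tuple

MICRO = 1_000_000   # tokens are kept in millionths of a packet, time in microseconds


class PuntRateLimiter:
    """Token bucket per secure port.

    Up to `threshold_pps` packets per second are punted from each secure port
    (plus an initial burst of `burst` packets); the excess is not punted, so one
    flooded tunnel port cannot monopolise the CPU at the expense of the others.
    Below the threshold every received VXLAN packet is punted unchanged.
    """

    def __init__(self, threshold_pps: int, burst: Optional[int] = None):
        # pps packets per second == pps micro-tokens per microsecond
        self.rate = threshold_pps
        self.cap = (burst if burst is not None else threshold_pps) * MICRO
        self._buckets: Dict[str, Tuple[int, int]] = {}   # port -> (tokens, last_seen_us)

    def allow(self, port: str, now_us: int) -> bool:
        tokens, last = self._buckets.get(port, (self.cap, now_us))
        tokens = min(self.cap, tokens + (now_us - last) * self.rate)   # refill since last packet
        if tokens >= MICRO:
            self._buckets[port] = (tokens - MICRO, now_us)
            return True                                    # punt to the processing unit
        self._buckets[port] = (tokens, now_us)
        return False                                       # over the threshold: not punted


def punted_per_second(limiter: PuntRateLimiter, port: str, pps: int, seconds: int) -> List[int]:
    """Offer `pps` evenly spaced VXLAN packets per second on `port`; return the punted count per second."""
    counts = []
    for s in range(seconds):
        punted = 0
        for i in range(pps):
            if limiter.allow(port, s * MICRO + i * MICRO // pps):
                punted += 1
        counts.append(punted)
    return counts


if __name__ == "__main__":
    flooded = PuntRateLimiter(threshold_pps=100)
    print(punted_per_second(flooded, "A", pps=1000, seconds=2))   # [199, 100]: burst, then 100/s
    quiet = PuntRateLimiter(threshold_pps=100)
    print(punted_per_second(quiet, "C", pps=50, seconds=2))       # [50, 50]: below threshold, all pass
```

The first second of the flooded case punts 199 packets (the 100-packet burst allowance plus the 100 per second that refills during it); from the second second on exactly the threshold rate reaches the CPU, while a port receiving 50 packets per second is never limited.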
In one specific implementation, during data (VXLAN packet) communication, further VXLAN tunnels may be established between the first VTEP device and peer devices, or the communication link (route) between the first VTEP device and a peer device may change. To avoid losing VXLAN packets that the device itself needs to process (i.e. needs to send to the processing unit), when secure ports are stored in a secure-port table entry that table entry can be updated periodically or aperiodically.
For example, as shown in Fig. 5, if the underlay network between VTEP device 1 and VTEP device 3 fails and, as a result, the port of tunnel 1 in the overlay network switches on VTEP device 1 (this is realised with existing techniques), i.e. the secure port corresponding to VTEP device 3 switches from port A to port B, then when the secure port is stored in a secure-port table entry that entry must be updated, so that VXLAN packets that VTEP device 1 needs to send up to the processing unit (CPU) are not lost.
As shown in Fig. 6, on the basis of Fig. 5, a VXLAN tunnel (tunnel 2) is established between VTEP device 1 and VTEP device 2 through port C of VTEP device 1. For VTEP device 1 the source address of tunnel 2 is 1.1.1.1 and its destination address is 2.2.2.2, so the secure port on VTEP device 1 corresponding to VTEP device 2 is port C. To avoid losing VXLAN packets that VTEP device 1 needs to send up to the processing unit (CPU), port C, which corresponds to VTEP device 2, must also be determined to be a secure port.
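An added example (illustrative Python; not the patent's or H3C's code) of the secure-port table with the tunnel-port / peer-device correspondence. It serves both the two-level check described earlier (tunnel-port membership first, then the port/peer correspondence, with the discard of S201 otherwise) and the table maintenance described in the last three paragraphs: tunnel 1 failing over from port A to port B (Fig. 5) and tunnel 2 to 2.2.2.2 being added on port C (Fig. 6). The peer is identified by the outer source IP address of the received VXLAN packet, one of the two identifiers the description names; the class and method names are assumptions of this example. Note that matching ingress port and peer address is a topology check, not authentication: a sender attached to the same underlay link as a tunnel port can still forge the peer's address and be punted, and it is the per-port rate threshold described above that bounds the CPU load in that case.

```python
"""Secure-port table of a VTEP device: tunnel ports and their peer-device correspondence."""
from typing import Dict, List, Set


class SecurePortTable:
    """Records, per VXLAN tunnel, the local tunnel port and the peer VTEP address.

    Addresses and port names in the walkthrough come from Fig. 5 / Fig. 6 of the
    patent; the API is an assumption of this example.
    """

    def __init__(self, local_address: str):
        self.local_address = local_address
        self._port_peers: Dict[str, Set[str]] = {}   # tunnel port -> peers reached through it

    # --- table maintenance: tunnel set-up, failover, additional tunnels ----------------
    def add_tunnel(self, port: str, peer: str) -> None:
        self._port_peers.setdefault(port, set()).add(peer)

    def remove_tunnel(self, port: str, peer: str) -> None:
        peers = self._port_peers.get(port)
        if peers is not None:
            peers.discard(peer)
            if not peers:                  # no tunnel left on the port: it stops being secure
                del self._port_peers[port]

    def move_tunnel(self, peer: str, old_port: str, new_port: str) -> None:
        """Underlay failover: the tunnel to `peer` now terminates on `new_port`."""
        self.remove_tunnel(old_port, peer)
        self.add_tunnel(new_port, peer)

    def tunnel_ports(self) -> Set[str]:
        return set(self._port_peers)

    # --- the S102 check -----------------------------------------------------------------
    def is_tunnel_port(self, port: str) -> bool:
        return port in self._port_peers

    def corresponds(self, port: str, peer: str) -> bool:
        return peer in self._port_peers.get(port, ())

    def decide(self, ingress_port: str, outer_src: str, outer_dst: str) -> str:
        """Return 'punt' or a 'drop:<reason>' verdict for a received VXLAN packet."""
        if outer_dst != self.local_address:
            return "drop:not-for-this-vtep"
        if not self.is_tunnel_port(ingress_port):
            return "drop:non-tunnel-port"     # S201: e.g. a host or an un-tunnelled VTEP on port B
        if not self.corresponds(ingress_port, outer_src):
            return "drop:peer-mismatch"      # tunnel port, but not the peer of the tunnel on it
        return "punt"                        # S103: send to the processing unit


def fig5_then_fig6() -> List[str]:
    """Walk through Fig. 5, the failover, and Fig. 6; return the verdicts observed in order."""
    vtep1 = SecurePortTable("1.1.1.1")
    vtep1.add_tunnel("A", "3.3.3.3")                       # Fig. 5: tunnel 1 on port A
    verdicts = [
        vtep1.decide("A", "3.3.3.3", "1.1.1.1"),           # genuine tunnel traffic
        vtep1.decide("B", "3.3.3.3", "1.1.1.1"),           # same addresses, but via switch P on port B
        vtep1.decide("A", "9.9.9.9", "1.1.1.1"),           # unknown source on the tunnel port
    ]
    vtep1.move_tunnel("3.3.3.3", "A", "B")                 # underlay failure: tunnel 1 moves to port B
    verdicts.append(vtep1.decide("B", "3.3.3.3", "1.1.1.1"))
    verdicts.append(vtep1.decide("A", "3.3.3.3", "1.1.1.1"))   # stale path is no longer secure
    vtep1.add_tunnel("C", "2.2.2.2")                       # Fig. 6: tunnel 2 on port C
    verdicts.append(vtep1.decide("C", "2.2.2.2", "1.1.1.1"))
    verdicts.append(vtep1.decide("C", "3.3.3.3", "1.1.1.1"))   # wrong peer for the tunnel on C
    return verdicts


if __name__ == "__main__":
    for verdict in fig5_then_fig6():
        print(verdict)
```

Updating the table on failover matters in both directions: without it the packets now arriving on port B would be discarded (the loss the description warns about), and port A would keep accepting traffic for a tunnel that no longer terminates there.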
Corresponding to the above method embodiment, an embodiment of the present invention further provides a message processing apparatus, which can be applied to a first VTEP device in a Virtual eXtensible Local Area Network (VXLAN). As shown in Figure 3, the apparatus may include: a message receiving module 301, a judging module 302 and a sending module 303;
The message receiving module 301 is configured to receive a VXLAN message sent by a peer device;
The judging module 302 is configured to judge whether the first port on which the VXLAN message was received is a secure port, where a secure port is a port on which a VXLAN tunnel is established;
The sending module 303 is configured to, when the first port is judged to be a secure port, send the VXLAN message to the processing unit of the first VTEP device.
By applying this embodiment of the present invention, the first VTEP device receives a VXLAN message sent by a peer device; judges whether the first port on which the VXLAN message was received is a secure port, where a secure port is a port on which a VXLAN tunnel is established; and, if so, sends the VXLAN message to the processing unit of the first VTEP device. Received VXLAN messages are thus filtered: only VXLAN messages received on a secure port are sent to the processing unit of the first VTEP device, which reduces the message-processing burden on the processing unit (for example, the CPU).
In one specific implementation, as shown in Figure 4, in addition to modules 301 to 303, the message processing apparatus provided by this embodiment of the present invention may further include an acquisition module 401;
The acquisition module 401 is configured to obtain, before it is judged whether the first port on which the VXLAN message was received is a secure port, the tunnel ports of the first VTEP device that are used to establish VXLAN tunnels;
The judging module 302 is specifically configured to:
judge whether the first port exists among the tunnel ports;
if it does, determine that the first port is a secure port.
In one specific implementation, the acquisition module 401 provided by this embodiment of the present invention is further configured to obtain the correspondence between the tunnel ports and the peer devices;
The judging module 302 is further configured to:
judge whether the correspondence contains an entry between the first port and the peer device that sent the VXLAN message, and, if it does, determine that the first port is a secure port.
In one specific implementation, the message processing apparatus provided by this embodiment of the present invention may further include a discard module;
The discard module is configured to discard the VXLAN message when the first port is judged not to be a secure port.
In one specific implementation, the message processing apparatus provided by this embodiment of the present invention may further include a setting module:
The setting module is configured to set, for a secure port, a transmission rate threshold for sending VXLAN messages to the processing unit;
The sending module 303 is specifically configured to: when the rate at which the secure port receives VXLAN messages exceeds the transmission rate threshold, send VXLAN messages to the processing unit at the transmission rate threshold.
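The following is an added worked example, not code from the patent or from the applicant: a Python simulation of the apparatus described above (message receiving module 301, judging module 302, sending module 303, acquisition module 401, the discard module and the rate-threshold setting module), together with the secure-port table updates of Figures 5 and 6 (tunnel 1 moving from port A to port B, tunnel 2 added on port C). The class and method names, the port names "portA"/"portB"/"portC"/"portX", the peer addresses and the VNIs are constructed for illustration; the patent itself does not prescribe a data structure or a rate-limit interval.

```python
"""Added example (not the patent's code): secure-port filtering on a VTEP.

The outer IP source address of a received VXLAN message identifies the peer
VTEP; the local port on which it arrived is the "first port" of the claims.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VxlanMessage:
    """Only the fields the check needs (constructed sample input)."""
    ingress_port: str   # local port on which the message arrived ("first port")
    outer_src_ip: str   # outer IP source address, i.e. the sending peer VTEP
    vni: int


class VtepDevice:
    """First VTEP device: passes to the CPU only what arrives on a secure port."""

    def __init__(self, local_ip: str, cpu_rate_limit: int) -> None:
        self.local_ip = local_ip
        # Acquisition module (401): peer VTEP address -> local tunnel port.
        # The set of values is the tunnel-port (secure-port) table.
        self.tunnel_ports: dict[str, str] = {}
        # Setting module: per secure port, messages allowed to the CPU per interval.
        self.cpu_rate_limit = cpu_rate_limit
        self._sent_this_interval: dict[str, int] = {}
        self.cpu_queue: list[VxlanMessage] = []
        self.dropped = 0
        self.rate_limited = 0

    # --- secure-port table maintenance (Figures 5 and 6) --------------------
    def set_tunnel_port(self, peer_ip: str, local_port: str) -> None:
        """Record a new tunnel, or update the entry after a tunnel port switch."""
        self.tunnel_ports[peer_ip] = local_port

    def secure_ports(self) -> set[str]:
        return set(self.tunnel_ports.values())

    # --- judging module (302) ----------------------------------------------
    def is_secure_port(self, port: str, peer_ip: Optional[str] = None) -> bool:
        # Claim 2: the first port must be one of the tunnel ports.
        if port not in self.secure_ports():
            return False
        if peer_ip is None:
            return True
        # Claim 3: the port must also be the tunnel port for *this* peer.
        return self.tunnel_ports.get(peer_ip) == port

    # --- receiving (301), sending (303) and discard modules ------------------
    def start_interval(self) -> None:
        """Called once per rate-limit interval (e.g. from a timer)."""
        self._sent_this_interval.clear()

    def receive(self, msg: VxlanMessage) -> str:
        if not self.is_secure_port(msg.ingress_port, msg.outer_src_ip):
            self.dropped += 1          # discard module: not a secure port
            return "dropped"
        sent = self._sent_this_interval.get(msg.ingress_port, 0)
        if sent >= self.cpu_rate_limit:
            self.rate_limited += 1     # above the threshold for this port
            return "rate_limited"
        self._sent_this_interval[msg.ingress_port] = sent + 1
        self.cpu_queue.append(msg)     # sending module: hand to the CPU
        return "to_cpu"


def demo() -> dict[str, object]:
    """Walks through the Figure 5 / Figure 6 scenario with constructed values."""
    vtep1 = VtepDevice(local_ip="1.1.1.1", cpu_rate_limit=3)
    vtep1.set_tunnel_port("3.3.3.3", "portA")          # tunnel 1 to VTEP 3
    results: dict[str, object] = {}
    results["from_peer3_on_A"] = vtep1.receive(VxlanMessage("portA", "3.3.3.3", 100))
    results["unknown_peer_on_A"] = vtep1.receive(VxlanMessage("portA", "9.9.9.9", 100))
    results["peer3_on_nontunnel_port"] = vtep1.receive(VxlanMessage("portX", "3.3.3.3", 100))
    # Figure 5: underlay failure moves tunnel 1 from port A to port B.
    vtep1.set_tunnel_port("3.3.3.3", "portB")
    results["peer3_on_A_after_switch"] = vtep1.receive(VxlanMessage("portA", "3.3.3.3", 100))
    results["peer3_on_B_after_switch"] = vtep1.receive(VxlanMessage("portB", "3.3.3.3", 100))
    # Figure 6: tunnel 2 to VTEP 2 (2.2.2.2) is established on port C.
    vtep1.set_tunnel_port("2.2.2.2", "portC")
    results["secure_ports"] = sorted(vtep1.secure_ports())
    # Rate threshold: port C may pass at most 3 messages to the CPU per interval.
    vtep1.start_interval()
    results["burst_on_C"] = [vtep1.receive(VxlanMessage("portC", "2.2.2.2", 200))
                             for _ in range(5)]
    results["cpu_queue_len"] = len(vtep1.cpu_queue)
    results["dropped"] = vtep1.dropped
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-peer check (claim 3) is what makes the filter meaningful on shared ports: after the switch in Figure 5, a message from 3.3.3.3 that still arrives on port A is discarded even though port A was a secure port a moment earlier, and a message on port C claiming to be from 3.3.3.3 is discarded because port C is the tunnel port for 2.2.2.2 only. The interval counter is a deliberately simple stand-in for whatever rate limiter the hardware provides.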
Since the system/apparatus embodiment is substantially similar to the method embodiment, it is described relatively briefly; for relevant details, refer to the description of the method embodiment.
It should be noted that, herein, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiment can be completed by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A message processing method, characterized in that it is applied to a first VTEP device in a Virtual eXtensible Local Area Network (VXLAN), the method comprising:
receiving a VXLAN message sent by a peer device;
judging whether the first port on which the VXLAN message was received is a secure port, wherein a secure port is a port on which a VXLAN tunnel is established;
if so, sending the VXLAN message to the processing unit of the first VTEP device.
2. The method according to claim 1, characterized in that, before judging whether the first port on which the VXLAN message was received is a secure port, the method further comprises:
obtaining the tunnel ports of the first VTEP device that are used to establish VXLAN tunnels;
and said judging whether the first port on which the VXLAN message was received is a secure port comprises:
judging whether the first port exists among the tunnel ports;
if it does, determining that the first port is a secure port.
3. The method according to claim 2, characterized in that it further comprises:
obtaining the correspondence between the tunnel ports and the peer devices;
and said judging whether the first port on which the VXLAN message was received is a secure port further comprises:
judging whether the correspondence contains an entry between the first port and the peer device that sent the VXLAN message, and, if it does, determining that the first port is a secure port.
4. The method according to any one of claims 1-3, characterized in that it further comprises:
when the first port is judged not to be a secure port, discarding the VXLAN message.
5. The method according to any one of claims 1-3, characterized in that, before sending the VXLAN message to the processing unit of the first VTEP device, the method further comprises:
setting, for a secure port, a transmission rate threshold for sending VXLAN messages to the processing unit;
and said sending the VXLAN message to the processing unit of the first VTEP device comprises:
when the rate at which the secure port receives VXLAN messages exceeds the transmission rate threshold, sending VXLAN messages to the processing unit at the transmission rate threshold.
6. A message processing apparatus, characterized in that it is applied to a first VTEP device in a Virtual eXtensible Local Area Network (VXLAN), the apparatus comprising: a message receiving module, a judging module and a sending module;
the message receiving module is configured to receive a VXLAN message sent by a peer device;
the judging module is configured to judge whether the first port on which the VXLAN message was received is a secure port, wherein a secure port is a port on which a VXLAN tunnel is established;
the sending module is configured to, when the first port is judged to be a secure port, send the VXLAN message to the processing unit of the first VTEP device.
7. The apparatus according to claim 6, characterized in that the apparatus further comprises an acquisition module;
the acquisition module is configured to obtain, before it is judged whether the first port on which the VXLAN message was received is a secure port, the tunnel ports of the first VTEP device that are used to establish VXLAN tunnels;
the judging module is specifically configured to:
judge whether the first port exists among the tunnel ports;
if it does, determine that the first port is a secure port.
8. The apparatus according to claim 7, characterized in that the acquisition module is further configured to obtain the correspondence between the tunnel ports and the peer devices;
the judging module is further configured to:
judge whether the correspondence contains an entry between the first port and the peer device that sent the VXLAN message, and, if it does, determine that the first port is a secure port.
9. The apparatus according to any one of claims 6-8, characterized in that the apparatus further comprises a discard module;
the discard module is configured to discard the VXLAN message when the first port is judged not to be a secure port.
10. The apparatus according to any one of claims 6-8, characterized in that the apparatus further comprises a setting module:
the setting module is configured to set, for a secure port, a transmission rate threshold for sending VXLAN messages to the processing unit;
the sending module is specifically configured to: when the rate at which the secure port receives VXLAN messages exceeds the transmission rate threshold, send VXLAN messages to the processing unit at the transmission rate threshold.
CN201610388021.4A 2016-06-02 2016-06-02 Message processing method and device Active CN106067864B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610388021.4A CN106067864B (en) 2016-06-02 2016-06-02 Message processing method and device


Publications (2)

Publication Number Publication Date
CN106067864A true CN106067864A (en) 2016-11-02
CN106067864B CN106067864B (en) 2021-05-07

Family

ID=57420537

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610388021.4A Active CN106067864B (en) 2016-06-02 2016-06-02 Message processing method and device

Country Status (1)

Country Link
CN (1) CN106067864B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140269705A1 (en) * 2013-03-15 2014-09-18 International Business Machines Corporation Heterogeneous overlay network translation for domain unification
CN104780165A (en) * 2015-03-27 2015-07-15 杭州华三通信技术有限公司 Security verification method and equipment for incoming label of message
CN104954218A (en) * 2014-03-24 2015-09-30 杭州华三通信技术有限公司 Distributed virtual switching device and forwarding method
US20150381386A1 (en) * 2014-06-30 2015-12-31 Arista Networks, Inc. Method and system for vxlan encapsulation offload

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474507A (en) * 2018-11-27 2019-03-15 新华三技术有限公司 A kind of message forwarding method and device
CN109474507B (en) * 2018-11-27 2020-12-04 新华三技术有限公司 Message forwarding method and device

Also Published As

Publication number Publication date
CN106067864B (en) 2021-05-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
CB02 Change of applicant information
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
Applicant after: Xinhua three Technology Co., Ltd.
Address before: 310053 Hangzhou science and Technology Industrial Park, high tech Industrial Development Zone, Zhejiang Province, No. six and road, No. 310
Applicant before: Huasan Communication Technology Co., Ltd.
SE01 Entry into force of request for substantive examination
GR01 Patent grant