CN107241208A - Packet forwarding method, first switch and related system - Google Patents

Packet forwarding method, first switch and related system

Info

Publication number
CN107241208A
Authority
CN
China
Prior art keywords
firewall
packet
switch
network
session
Prior art date
Legal status
Granted
Application number
CN201610186891.3A
Other languages
Chinese (zh)
Other versions
CN107241208B (en)
Inventor
杨华志
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201610186891.3A
Publication of CN107241208A
Application granted
Publication of CN107241208B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L 41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/10 Packet switching elements characterised by the switching fabric construction

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present application disclose a packet forwarding method, a first switch and a related system. The method includes: the first switch receives multiple packets from a first network; the first switch sends the multiple packets to a first firewall and to a second firewall respectively, the packets sent by the first switch to the first firewall and to the second firewall being identical, so that the first firewall and the second firewall each establish, from the first packet of a session among the multiple packets, a session entry for the session to which that first packet belongs, where the session entry includes a five-tuple and the five-tuple is used to judge whether a packet flowing through a firewall belongs to the session; the first switch receives packets of the session that come from a second network and are sent by the first firewall; and the first switch forwards to the first network the packets of the session that come from the second network. With the present application, when the first firewall fails, the second firewall can take over the services of the first firewall based on the session entries it established itself, avoiding service interruption.

Description

Packet forwarding method, first switch and related system
Technical field
The present invention relates to the field of computer technology, and in particular to a packet forwarding method, a first switch and a related system.
Background technology
The principle of virtualization technologies such as VMware (Virtual Machine ware) and the Kernel-based Virtual Machine (KVM) is to virtualize the physical resources of one physical machine into multiple virtual machines (VMs), so that each VM can provide the functions of a physical machine. As Network Function Virtualization (NFV) evolves, many traditional gateways, such as firewalls and routers, will be deployed on virtual machines. Forming a mutually redundant disaster-tolerance mechanism among multiple virtual machines can avoid interruption of the services carried by the network traffic while a gateway is running.
Refer to Fig. 1. Fig. 1 is a schematic diagram of a scenario in which prior-art firewalls based on virtualization technology, that is, virtual firewalls, forward packets. Besides the virtual firewall 101 and the virtual firewall 102 taken as examples, other virtual firewalls may also exist; Fig. 1 is merely illustrated with two virtual firewalls. The virtual firewall 101 and the virtual firewall 102 form a backup group 100 by means of the Virtual Router Redundancy Protocol (VRRP). The backup group 100 elects one of the virtual firewalls it contains as the master virtual firewall; the virtual firewalls other than the master are standby virtual firewalls. The master firewall processes packets based on session entries, for example by packet filtering or policy matching. When the master virtual firewall fails, the backup group 100 re-elects a virtual firewall as the new master. When the switch 103 and the switch 104 send packets to the backup group 100, only the master virtual firewall receives and forwards them.
The defect of the prior art is that, because a firewall normally performs packet filtering, policy matching and similar processing based on session entries, the current master virtual firewall must periodically back up the session entries on the current master to the current standby virtual firewall; only then can the standby virtual firewall take over the services of the master virtual firewall, based on the backed-up session entries, when the master fails. If the session entries are not backed up in time, some services are interrupted.
The content of the invention
The embodiments of the present invention disclose a service forwarding method, a first switch and a related system, which can solve the problem of service interruption caused by session entries not being backed up in time.
In a first aspect, an embodiment of the present invention provides a service forwarding method, which includes:
the first switch receives multiple packets from a first network, where the first switch, a first firewall and a second firewall are connected to the first network, the multiple packets are packets transmitted between the first network and a second network, the first firewall is the primary firewall, the second firewall is the standby firewall, the first firewall and the second firewall are each connected to the first switch and to a second switch, and the second switch is also connected to the second network;
the first switch sends the multiple packets to the first firewall and to the second firewall respectively, the packets sent by the first switch to the first firewall and to the second firewall being identical, so that the first firewall and the second firewall each establish, from the first packet of a session among the multiple packets, a session entry for the session to which that first packet belongs, where the session entry includes a five-tuple and the five-tuple is used to judge whether a packet flowing through a firewall belongs to the session;
the first switch receives packets of the session that come from the second network and are sent by the first firewall;
the first switch forwards to the first network the packets of the session that come from the second network.
By performing the above steps, the first switch sends the same packets to the first firewall and to the second firewall, so that the first firewall and the second firewall establish identical session entries from the first packet among those packets. Thus the second firewall does not need to back up session entries from the first firewall; when the first firewall fails, the second firewall can take over the services of the first firewall directly, based on the session entries it established itself, avoiding service interruption.
With reference to the first aspect, in a first possible implementation of the first aspect, after the first switch sends the multiple packets to the first firewall and to the second firewall respectively, the method further includes:
the first switch detects whether the first firewall has failed, or whether the link between the first switch and the first firewall is interrupted;
if the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, the first switch receives and forwards the packets of the session that come from the second network and are sent by the second firewall.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the first switch detecting whether the first firewall has failed is specifically:
the first switch detects whether the first firewall has failed by means of Bidirectional Forwarding Detection (BFD).
Specifically, the switch itself detects whether the first firewall has failed, so that it can adjust its packet forwarding policy in time when it detects the failure of the first firewall, which improves the performance of the switch.
With reference to the first or the second possible implementation of the first aspect, in a third possible implementation of the first aspect, before the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, the method further includes:
the first switch does not receive the packets of the session that come from the second network and are sent by the second firewall, or receives and discards the packets of the session that come from the second network and are sent by the second firewall.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the first switch includes a first interface through which the first switch is connected to the first firewall, and a second interface through which the first switch is connected to the second firewall;
before the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, the first interface is set as the primary interface and the second interface is set as the standby interface; the first switch receives through the first interface, and forwards, the packets of the session that come from the second network and are sent by the first firewall, and the first switch either does not receive the packets of the session that come from the second network and are sent by the second firewall, or receives through the standby interface the packets of the session that come from the second network and are sent by the second firewall and discards the packets of the session that come from the second network received through the standby interface;
after the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, the method further includes:
setting the first interface as the standby interface and the second interface as the primary interface, and receiving through the second interface, and forwarding, the packets of the session that come from the second network and are sent by the second firewall.
In a second aspect, an embodiment of the present invention provides a first switch, which includes a network interface, a processor and a memory, where:
the network interface is configured to receive packets and send packets;
the memory is configured to store instructions and data;
the processor is configured to read the instructions and data stored in the memory and to perform the following operations:
receiving, through the network interface, multiple packets from a first network, where the first switch, a first firewall and a second firewall are connected to the first network, the multiple packets are packets transmitted between the first network and a second network, the first firewall is the primary firewall, the second firewall is the standby firewall, the first firewall and the second firewall are each connected to the first switch and to a second switch, and the second switch is also connected to the second network;
sending, through the network interface, the multiple packets to the first firewall and to the second firewall respectively, the packets sent through the network interface to the first firewall and to the second firewall being identical, so that the first firewall and the second firewall each establish, from the first packet of a session among the multiple packets, a session entry for the session to which that first packet belongs, where the session entry includes a five-tuple and the five-tuple is used to judge whether a packet flowing through a firewall belongs to the session;
receiving, through the network interface, packets of the session that come from the second network and are sent by the first firewall;
forwarding, through the network interface, to the first network the packets of the session that come from the second network.
By performing the above operations, the first switch sends the same packets to the first firewall and to the second firewall, so that the first firewall and the second firewall establish identical session entries from the first packet among those packets. Thus the second firewall does not need to back up session entries from the first firewall; when the first firewall fails, the second firewall can take over the services of the first firewall directly, based on the session entries it established itself, avoiding service interruption.
With reference to the second aspect, in a first possible implementation of the second aspect, after the processor sends the multiple packets through the network interface to the first firewall and to the second firewall respectively, the processor is further configured to:
detect whether the first firewall has failed, or whether the link between the first switch and the first firewall is interrupted;
if the first firewall has failed or the link between the first switch and the first firewall is interrupted, receive through the network interface, and forward, the packets of the session that come from the second network and are sent by the second firewall.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the processor detecting whether the first firewall has failed is specifically:
detecting whether the first firewall has failed by means of Bidirectional Forwarding Detection (BFD).
Specifically, the switch itself detects whether the first firewall has failed, so that it can adjust its packet forwarding policy in time when it detects the failure of the first firewall, which improves the performance of the switch.
With reference to the first or the second possible implementation of the second aspect, in a third possible implementation of the second aspect, before the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, the processor is further configured to:
not receive the packets of the session that come from the second network and are sent by the second firewall, or receive through the network interface the packets of the session that come from the second network and are sent by the second firewall and discard them.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the network interface includes a first interface through which the first switch is connected to the first firewall, and a second interface through which the first switch is connected to the second firewall;
before the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, the first interface is set as the primary interface and the second interface is set as the standby interface; the first switch receives through the first interface, and forwards, the packets of the session that come from the second network and are sent by the first firewall, and the first switch either does not receive the packets of the session that come from the second network and are sent by the second firewall, or receives through the second interface the packets of the session that come from the second network and are sent by the second firewall and discards the packets of the session that come from the second network received through the second interface;
after the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, the first interface is set as the standby interface and the second interface as the primary interface, and the packets of the session that come from the second network and are sent by the second firewall are received through the second interface and forwarded.
In a third aspect, an embodiment of the present invention provides a first switch, which includes functional units for performing some or all of the steps of any implementation of the first aspect of the embodiments of the present invention.
In a fourth aspect, an embodiment of the present invention provides a packet forwarding system, which includes a first switch, a second switch, a first firewall and a second firewall, where the first switch, the first firewall and the second firewall are connected to a first network, the first firewall is the primary firewall, the second firewall is the standby firewall, the first firewall and the second firewall are each connected to the first switch and to the second switch, and the second switch is also connected to a second network, where:
the first switch is configured to receive multiple packets from the first network, the multiple packets being packets transmitted between the first network and the second network, and to send the multiple packets to the first firewall and to the second firewall respectively, the packets sent by the first switch to the first firewall and to the second firewall being identical;
the first firewall and the second firewall are each configured to establish, from the first packet of a session among the multiple packets sent by the first switch, a session entry for the session to which that first packet belongs, where the session entry includes a five-tuple and the five-tuple is used to judge whether a packet flowing through a firewall belongs to the session;
the first firewall is further configured to forward to the first switch the packets of the session that come from the second network;
the first switch is further configured to receive the packets of the session that come from the second network and are sent by the first firewall;
the first switch is further configured to forward to the first network the packets of the session that come from the second network.
By running the system, the first switch sends the same packets to the first firewall and to the second firewall, so that the first firewall and the second firewall establish identical session entries from the first packet among those packets. Thus the second firewall does not need to back up session entries from the first firewall; when the first firewall fails, the second firewall can take over the services of the first firewall directly, based on the session entries it established itself, avoiding service interruption.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first switch includes a first interface through which the first switch is connected to the first firewall, and a second interface through which the first switch is connected to the second firewall, and the second firewall is further configured to forward to the first switch the packets of the session that come from the second network;
the first switch is configured to detect whether the first firewall has failed or whether the link between the first switch and the first firewall is interrupted, to set the first interface as the primary interface and the second interface as the standby interface before it detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, and to set the first interface as the standby interface and the second interface as the primary interface after it detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted;
before detecting that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, to receive through the first interface and the second interface respectively the packets of the session that come from the second network and are sent by the first firewall and by the second firewall, and to discard the packets of the session from the second network received through the second interface;
after detecting that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, to receive through the second interface the packets of the session that come from the second network and are sent by the second firewall, and to forward to the first network the packets of the session that come from the second network received through the second interface.
With reference to the fourth aspect, in a second possible implementation of the fourth aspect, the second firewall is further configured to detect whether the second firewall is the standby firewall and, if it is, to refrain from forwarding to the first switch the packets of the session from the second network and to refrain from forwarding to the second switch the packets of the session from the first network.
By implementing the embodiments of the present invention, the first switch sends the same packets to the first firewall and to the second firewall, so that the first firewall and the second firewall establish identical session entries from the first packet among those packets. Thus the second firewall does not need to back up session entries from the first firewall; when the first firewall fails, the second firewall can take over the services of the first firewall directly, based on the session entries it established itself, avoiding service interruption.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below.
Fig. 1 is a schematic diagram of a scenario in which a prior-art firewall based on virtualization technology forwards services;
Fig. 2 is a schematic flowchart of a service forwarding method provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of a service forwarding scenario provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of a logical link scenario provided in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a first switch provided in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another first switch provided in an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a packet forwarding system provided in an embodiment of the present invention.
Embodiment
The technical solutions of the embodiments of the present invention are described in detail below with reference to the drawings of the embodiments.
Refer to Fig. 2. Fig. 2 is a schematic flowchart of a service forwarding method provided in an embodiment of the present invention. The method includes, but is not limited to, the following steps.
Step S201: the first switch receives multiple packets from the first network.
To better understand the solution of the embodiment of the present invention, the application scenario of the embodiment is first introduced with reference to Fig. 3. In Fig. 3, the first switch 311, the first firewall 312 and the second firewall 313 are connected to the first network; the second switch 314, the first firewall 312 and the second firewall 313 are connected to the second network; the first firewall 312 is the primary firewall and the second firewall 313 is the standby firewall; and the first switch 311 and the second switch 314 know that the first firewall 312 is the primary firewall and that the second firewall 313 is the standby firewall. There are one or more clients in the first network and likewise one or more clients in the second network. Whatever packets a client in the first network sends to a client in the second network, those packets are first sent to the first switch 311. The "multiple packets" above may be sent simultaneously or one after another over a period of time; the "multiple" in "multiple packets" is not intended to limit the type of packet sent. Correspondingly, the first switch 311 receives the packets sent from the first network.
It should be noted that the first firewall 312 and the second firewall 313 in the embodiment of the present invention present identical address information externally, for example the same virtual Internet Protocol (IP) address and the same virtual Media Access Control (MAC) address, so that the source address of the packets sent by the first firewall 312 to the first switch 311 is the same as the source address of the packets sent by the second firewall 313 to the first switch 311, and the source address of the packets sent by the first firewall 312 to the second switch 314 is the same as the source address of the packets sent by the second firewall 313 to the second switch 314. Optionally, the first firewall 312 and the second firewall 313 may be virtual firewalls or physical firewalls, and the first switch 311 and the second switch 314 may be virtual switches or physical switches.
In an optional scheme, the first switch 311 includes a first interface 3111 and a second interface 3112, and the second switch 314 includes a third interface 3141 and a fourth interface 3142. The first switch 311 is connected to the first firewall 312 through the first interface 3111, forming a first link 315 connecting the first switch 311 and the first firewall 312; the first switch 311 is connected to the second firewall 313 through the second interface 3112, forming a second link 316 connecting the first switch 311 and the second firewall 313; the second switch 314 is connected to the first firewall 312 through the third interface 3141, forming a third link 317 connecting the second switch 314 and the first firewall 312; and the second switch 314 is connected to the second firewall 313 through the fourth interface 3142, forming a fourth link 318 connecting the second switch 314 and the second firewall 313. As shown in Fig. 4, the first link 315 and the second link 316 can be bundled into one logical link by means of link aggregation; the firewall drawn in Fig. 4 actually stands for the first firewall 312 and the second firewall 313, which are not drawn separately. Similarly, the third link 317 and the fourth link 318 are bundled into one logical link by means of link aggregation. The link aggregation may be manual link aggregation, or static link aggregation based on the Link Aggregation Control Protocol (LACP). The first switch 311 and the second switch 314 can determine which link to use based on the preset primary/standby relationship between the first firewall 312 and the second firewall 313 and on the detected running states of the first firewall 312 and the second firewall 313, and can switch the interface on the link that needs to be used to the primary interface, that is, the interface with the higher priority, by means of the eth-trunk mechanism, so that packets are sent and received over the link corresponding to that primary interface. For brevity in the following description, the reference numerals are omitted when describing each device, interface and link; for example, the first switch 311 is described as the first switch, without the numeral 311.
Step S202: the first switch sends the multiple packets to the first firewall and to the second firewall respectively.
Specifically, after receiving the multiple packets, the first switch forwards them to the first firewall and to the second firewall respectively; the multiple packets sent by the first switch to the first firewall and those sent to the second firewall are identical. For example, the first switch sends the multiple packets through the first interface and through the second interface, thereby sending them to the first firewall and to the second firewall. The first switch may send the multiple packets to the first firewall and to the second firewall simultaneously, or one after the other; when they are sent one after the other, the order is not restricted here. Preferably, the first switch sends the multiple packets to the first firewall and to the second firewall simultaneously.
Step S203: the first firewall and the second firewall receive the packets sent by the first switch, judge whether a first packet is present among the received packets, and if so establish a session from the first packet.
Specifically, the first firewall and the second firewall each receive the packets sent by the first switch and each parse the received packets to judge whether a first packet is included among them. The first packet is illustrated by example below. Before a client A in the first network communicates with a client B in the second network, a session must first be established; data is transmitted over the session once it has been established. Client A establishes the session with client B by sending a first packet, which is the SYN (synchronous) packet of the three-way handshake performed when a TCP/IP connection is set up. Once the session between client A and client B has been established, data packets can be sent over it to transmit data. After receiving a packet, the first firewall and the second firewall parse it to judge whether it is a first packet or a data packet sent after session establishment.
When the first firewall judges that a received packet is a first packet, it obtains the five-tuple contained in the first packet, which includes the source IP address, source port, destination IP address, destination port and protocol number, and then establishes a session entry from the five-tuple; the session entry contains the information of the five-tuple. Likewise, when the second firewall judges that a received packet is a first packet, it also obtains the five-tuple in the first packet and establishes a session entry from it. Because the packets sent by the first switch to the first firewall and to the second firewall are identical, as long as the first packet is not lost in transmission, the first firewall and the second firewall establish identical session entries from the identical first packet they received.
The "five-tuple" of the embodiment of the present invention is illustrated below. Suppose the IP address of client A is 192.168.1.1 and user abc initiates a TCP connection to client B from port 20000 to download a file from client B via the File Transfer Protocol (FTP); the IP address of client B is 1.1.1.1 and the port number at which it provides the service is 30000. Then the five-tuple contained in the first packet that client A sends to client B is as shown in Table 1.
Source IP address   Source port   Destination IP address   Destination port   Protocol
192.168.1.1         20000         1.1.1.1                  30000              TCP
Table 1
The five-tuple is used by the first firewall and the second firewall to determine whether a subsequently received packet belongs to the established session: if, after a subsequently received packet has been parsed, the five-tuple contained in it is found to be identical to the five-tuple of the established session, the received packet belongs to that session. It should be noted that although the source IP address and the destination IP address, and likewise the source port and the destination port, are exchanged between Table 1 and Table 2, the five-tuple shown in Table 2 is identical to the five-tuple shown in Table 1, since both identify the same session.
Source IP address   Source port   Destination IP address   Destination port   Protocol
1.1.1.1             30000         192.168.1.1              20000              TCP
Table 2
In an optional scheme, the first firewall and the second firewall may also establish the session based on a seven-tuple, which adds the two factors "application" and "user" to the five-tuple; for example, the "application" is the FTP mentioned above and the "user" is the user abc mentioned above. It should be noted that when determining whether a packet belongs to the established session, in addition to checking whether the packet contains the five-tuple or seven-tuple described above, other factors may also be checked; which factors these are is not restricted here.
Step S204: The first firewall forwards the received packet to the second switch.
Specifically, when the packets received by the first firewall include a first packet, then in addition to establishing a session based on the first packet, in an optional scheme the first firewall may also determine whether it is itself the slave firewall or the master firewall; if it is the master firewall, the first firewall forwards the first packet to the second switch. Since the first firewall was configured as the master firewall at start-up, it forwards the first packet to the second switch. In another optional scheme, the first firewall does not determine whether it is the master firewall or the slave firewall but directly forwards the received first packet to the second switch. The second switch finally sends the first packet to client B, so that the session between client A and client B is established.
Further, when the packets that the first firewall receives from the first switch include a data packet other than a first packet, the first firewall determines, according to the session entry already established, whether the data packet belongs to the session corresponding to that session entry. If it does, then in an optional scheme the first firewall, after learning that it is the master firewall, processes the packet according to the filtering policy or forwarding policy corresponding to the session, for example forwarding the data packet to the second switch according to that policy; in another optional scheme, the first firewall directly forwards the received data packet to the second switch.
The second firewall processes packets in a manner similar to the first firewall. When the packets received by the second firewall include a first packet, then in addition to establishing a session based on the first packet, in an optional scheme the second firewall may also determine whether it is itself the slave firewall or the master firewall; if it is the slave firewall, the second firewall discards the first packet after receiving it and establishing the session based on it. Since the second firewall was configured as the slave firewall at start-up, it discards the first packet. In another optional scheme, the second firewall does not determine whether it is the master firewall or the slave firewall but directly forwards the received first packet to the second switch.
Further, when the packets that the second firewall receives from the first switch include a data packet other than a first packet, the second firewall determines, according to the session entry already established, whether the data packet belongs to the session corresponding to that session entry. If it does, then in an optional scheme the second firewall discards the data packet after learning that it is the slave firewall; in another optional scheme, the second firewall directly forwards the received data packet to the second switch.
How the first firewall and the second firewall determine whether they are the master firewall or the slave firewall is illustrated below. For example, when the first firewall and the second firewall are in the same backup group of the VRRP protocol, each can learn its priority within the backup group through VRRP. If the priority of the first firewall is not the highest, the first firewall is the slave firewall in the backup group; if the priority of the first firewall is the highest, it is the master firewall in the backup group. Likewise, if the priority of the second firewall is not the highest, the second firewall is the slave firewall in the backup group; if the priority of the second firewall is the highest, it is the master firewall in the backup group. The first firewall may also learn its priority by other means; for example, the first switch or the second switch sends a notification message to the first firewall and the second firewall informing them which is the master firewall and which is the slave firewall.
Step S205: The second switch sends packets from the second network to the first firewall.
Specifically, after the session between client A and client B has been established successfully, client B can send packets of the session to client A through the second network. When a transmitted packet of the session reaches the second switch, the second switch forwards the received packet to the first firewall and the second firewall, for example forwarding the packet of the session through the third interface and through the fourth interface. Similarly, client A can send packets of the session to client B through the first network; when a transmitted packet of the session reaches the first switch, the first switch forwards the received packet to the first firewall and the second firewall, for example forwarding the packet of the session through the first interface and through the second interface.
Step S206: The first firewall receives the packet of the session and forwards it to the first switch.
Specifically, the first firewall receives the packet forwarded by the second switch. In an optional scheme, the first firewall, after learning that it is the master firewall, determines whether the packet contains the five-tuple of the session entry described above and forwards the packet to the first switch if it does. In another optional scheme, the first firewall need not confirm whether it is the master firewall or the slave firewall but directly determines whether the received packet contains the five-tuple of the session entry described above and forwards the packet to the first switch if it does.
When the second switch has sent to the second firewall the same packet that it sent to the first firewall, then in an optional scheme the second firewall discards the received packet of the session after learning that it is the slave firewall; in another optional scheme, the second firewall receives the packet sent by the second switch and, without confirming whether it is the master firewall or the slave firewall, directly determines whether the packet contains the five-tuple information in the established session table and forwards the received packet to the first switch if it does.
Step S207: The first switch receives the packet sent by the first firewall.
Step S208: The first switch forwards the packet sent by the first firewall to the first network.
Specifically, after receiving the packet sent by the first firewall, the first switch forwards the received packet into the first network. It should be noted that when the second firewall described above also forwards the packet of the session to the first switch, the first switch either does not receive the packet sent by the second firewall, or receives the packet sent by the second firewall but discards it. For example, the first switch may set the first interface, which is connected to the first firewall, as the main interface and the second interface, which is connected to the second firewall, as the standby interface; the first switch then receives packets through both the first interface and the second interface but discards the packets arriving through the standby interface, or the first switch does not receive packets through the second interface that serves as the standby interface.
By performing steps S201 to S208, the first firewall and the second firewall establish session entries for the same session according to the same first packet. While the first firewall has not failed, it forwards the packets of the session; when the first firewall fails, the session entry need not be backed up to the second firewall, because the second firewall can take over forwarding of the packets of the session using the session entry it established itself.
An implementation in which, after an active/standby switchover, the second firewall takes over packet forwarding as the new master firewall is described below by way of steps S209 to S212.
Step S209: The second switch sends the packets of the session to the second firewall.
Specifically, the second switch may detect in real time or periodically whether the first firewall has failed; alternatively, another device may detect whether the first firewall has failed and notify the second switch of the result. The way in which the second switch detects whether the first firewall has failed may specifically be: detecting, through a Bidirectional Forwarding Detection (BFD) mechanism, whether the link connected to the first firewall, the software of the device on which the first firewall resides, or the network interface card of that device has failed; or determining whether the time during which no packet has been received from the first firewall exceeds a preset time threshold, the first firewall being deemed to have failed when the time threshold is exceeded. Of course, whether the first firewall has failed may also be detected by other means, which are not enumerated here.
When it detects that the first firewall has failed or that the link between the first switch and the first firewall is interrupted, the second switch takes the second firewall as the master firewall. If the second switch again receives packets from the second network, then in an optional scheme the second switch sends the packets to the second firewall and no longer sends them to the first firewall; for example, the second switch sets the fourth interface as the new main interface and the third interface as the standby interface, sends packets through the fourth interface as the new main interface, and does not send packets through the third interface as the standby interface. In another optional scheme, the second switch, after resetting the main interface and the standby interface, sends the packets to both the first firewall and the second firewall. In yet another optional scheme, the second switch sends the packets to the second firewall and detects whether the first firewall has recovered from its failure or whether the interrupted link between the first switch and the first firewall has been restored; if so, the next time the second switch receives packets from the second network it sends the received packets to both the first firewall and the second firewall. Other alternatives are not enumerated here.
Step S210: The second firewall receives the packets of the session and forwards them to the first switch.
Specifically, the second firewall receives the packets sent by the second switch and determines whether a first packet is present among the received packets. When the packets received by the second firewall include a first packet, then in addition to establishing a session based on the first packet, in an optional scheme the second firewall may also determine whether it is itself the slave firewall or the master firewall; if it is the master firewall, the second firewall forwards the first packet to the first switch. Since the first firewall has failed, the second firewall has been configured as the master firewall and therefore forwards the first packet to the first switch. In another optional scheme, the second firewall does not determine whether it is the master firewall or the slave firewall but directly forwards the received first packet to the first switch.
Further, when the packets that the second firewall receives from the second switch include a data packet other than a first packet, the second firewall determines, according to the session entry already established, whether the data packet belongs to the session corresponding to that session entry. If it does, then in an optional scheme the second firewall forwards the data packet to the first switch after learning that it is the master firewall; in another optional scheme, the second firewall omits confirming whether it is the master firewall or the slave firewall and directly forwards the received data packet to the first switch.
It should be noted that when the first firewall also receives the packets sent by the second switch and those packets include a first packet, then in addition to establishing a session based on the first packet, in an optional scheme the first firewall may also determine whether it is itself the slave firewall or the master firewall; if it is the slave firewall, the first firewall discards the first packet after receiving it and establishing the session based on it. Since the first firewall was detected as having failed in step S209, it has been configured as the slave firewall and is no longer the master firewall, so it discards the first packet. In another optional scheme, the first firewall omits determining whether it is the master firewall or the slave firewall and directly forwards the received first packet to the first switch.
Further, when the packets that the first firewall receives from the second switch include a data packet other than a first packet, the first firewall determines, according to the session entry already established, whether the data packet belongs to the session corresponding to that session entry. If it does, then in an optional scheme the first firewall discards the data packet after learning that it is the slave firewall; in another optional scheme, the first firewall omits determining whether it is the master firewall or the slave firewall and directly forwards the received data packet to the first switch.
Step S211: The first switch receives the packets sent by the second firewall.
Step S212: The first switch forwards the packets sent by the second firewall to the first network.
Specifically, the first switch may detect in real time or periodically whether the first firewall has failed; alternatively, another device may detect whether the first firewall has failed and notify the first switch of the result. The way in which the first switch detects whether the first firewall has failed may specifically be: detecting, through the BFD mechanism, whether the link connected to the first firewall, the software of the device on which the first firewall resides, or the network interface card of that device has failed; or determining whether the time during which no packet has been received from the first firewall exceeds a preset time threshold, the first firewall being deemed to have failed when the time threshold is exceeded. Of course, whether the first firewall has failed may also be detected by other means, which are not enumerated here.
If, while the first firewall has not failed and the link between the first firewall and the first switch is not interrupted, the first switch does not receive the packets sent by the second firewall, then upon detecting that the first firewall has failed or that the link is interrupted, the first switch takes the second firewall as the master firewall, receives the packets sent by the second firewall and forwards them into the first network.
If, while the first firewall has not failed and the link between the first firewall and the first switch is not interrupted, the first switch receives and discards the packets sent by the second firewall, then upon detecting that the first firewall has failed or that the link is interrupted, the first switch takes the second firewall as the master firewall, no longer discards the packets sent by the second firewall, and forwards them into the first network.
For example, the first switch sets the second interface as the new main interface and the first interface as the standby interface; the first switch can then receive packets through the second interface as the new main interface and forward the packets received through the second interface to the first network.
In the method described with reference to Fig. 2, the first switch sends the same packets to the first firewall and the second firewall, so that the first firewall and the second firewall establish identical session entries according to the first packet among those packets. In this way, the second firewall need not back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the services on the first firewall directly based on the session entry it established itself, avoiding service interruption.
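The following Python model is an added example, not code from the patent or from its assignee. It reproduces the behaviour of steps S201 to S212 with the FTP traffic of Tables 1 and 2: the switch replicates every packet to both firewalls, each firewall builds its own session entry from the SYN, only the master forwards, and after failover the former slave serves the session from the entry it built itself. It assumes, for brevity, that both traffic directions pass through one modelled switch and that the role change normally driven by VRRP, BFD or a receive timeout is applied directly by calling failover().

```python
"""Model of the dual-firewall forwarding scheme (added example, not the
patent's code). The session table is never synchronised between the two
firewalls; both derive it from the identical packet stream they receive."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]
SessionKey = Tuple[Endpoint, Endpoint, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"
    syn: bool = False  # True for the first packet of a session (TCP SYN)


def session_key(p: Packet) -> SessionKey:
    """Direction-independent five-tuple: the tuple of Table 1 and its reversed
    form in Table 2 map to the same key, so both directions match one entry."""
    ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (ends[0], ends[1], p.proto)


class Firewall:
    def __init__(self, name: str, master: bool) -> None:
        self.name = name
        self.master = master
        self.sessions: Set[SessionKey] = set()  # built locally, never synced

    def handle(self, p: Packet) -> str:
        """Build a session entry from a SYN; otherwise admit only packets of an
        already established session. Only the master forwards; the slave drops."""
        key = session_key(p)
        if p.syn:
            self.sessions.add(key)
        elif key not in self.sessions:
            return "drop"  # no session entry: not admitted in either role
        return "forward" if self.master else "drop"


class Switch:
    """Replicates each packet to both firewalls and passes on only what comes
    back through its main interface; the other interface is the standby one.
    Failure detection (BFD or a receive timeout in the patent) is assumed to
    happen elsewhere and is signalled by calling failover()."""

    def __init__(self, main: Firewall, standby: Firewall) -> None:
        self.main = main
        self.standby = standby

    def forward(self, p: Packet) -> List[str]:
        """Return the names of firewalls whose forwarded copy reached the network."""
        delivered: List[str] = []
        for fw in (self.main, self.standby):
            # A copy returned through the standby interface is discarded.
            if fw.handle(p) == "forward" and fw is self.main:
                delivered.append(fw.name)
        return delivered

    def failover(self) -> None:
        """Master failed: demote it, promote the standby, swap main interface."""
        self.main.master = False
        self.standby.master = True
        self.main, self.standby = self.standby, self.main


def run_scenario() -> Dict[str, object]:
    """Constructed traffic for the FTP example: client A 192.168.1.1:20000 to
    client B 1.1.1.1:30000, then a failover of the first firewall."""
    fw1, fw2 = Firewall("fw1", master=True), Firewall("fw2", master=False)
    sw = Switch(main=fw1, standby=fw2)
    syn = Packet("192.168.1.1", 20000, "1.1.1.1", 30000, syn=True)
    reply = Packet("1.1.1.1", 30000, "192.168.1.1", 20000)  # Table 2 direction
    data = Packet("192.168.1.1", 20000, "1.1.1.1", 30000)   # Table 1 direction
    stray = Packet("10.0.0.9", 4444, "1.1.1.1", 30000)      # constructed, no SYN seen
    out: Dict[str, object] = {
        "syn": sw.forward(syn),               # ['fw1']
        "reply_before": sw.forward(reply),    # ['fw1']: reverse tuple matches
        "stray_before": sw.forward(stray),    # []: no session entry anywhere
        "tables_equal": fw1.sessions == fw2.sessions,  # True, built independently
    }
    sw.failover()                              # first firewall detected as failed
    out["data_after"] = sw.forward(data)       # ['fw2']: served from its own entry
    out["stray_after"] = sw.forward(stray)     # []
    return out


if __name__ == "__main__":
    print(run_scenario())
```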
The method of the embodiment of the present invention has been described above. To facilitate better implementation of the above scheme of the embodiment of the present invention, a switch of the embodiment of the present invention is correspondingly provided below.
Referring to Fig. 5, Fig. 5 shows a first switch 50 provided in an embodiment of the present invention. The first switch 50 includes a processor 501, a memory 502 and a network interface 503, and the processor 501, the memory 502 and the network interface 503 are connected to one another by a bus.
The memory 502 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory) or portable read-only memory (CD-ROM).
The processor 501 may be one or more central processing units (CPU); where the processor 501 is a single CPU, that CPU may be a single-core CPU or a multi-core CPU.
The network interface 503 may be a wired interface, for example a Fiber Distributed Data Interface (FDDI) or a Gigabit Ethernet (GE) interface; the network interface 503 may also be a wireless interface.
The memory 502 is further configured to store information such as session entries, related instructions and data.
After reading the program code stored in the memory 502, the processor 501 in the first switch 50 performs the following operations:
receiving, through the network interface 503, a plurality of packets coming from a first network, where the first switch 50 is connected to a first firewall, a second firewall and the first network, the plurality of packets are packets transmitted between the first network and a second network, the first firewall is the master firewall, the second firewall is the slave firewall, the first firewall and the second firewall are each connected to the first switch 50 and to a second switch, and the second switch is further connected to the second network;
sending the plurality of packets through the network interface 503 to the first firewall and to the second firewall respectively, where the packets sent through the network interface 503 to the first firewall and to the second firewall are identical, so that the first firewall and the second firewall both establish, according to the first packet of a session among the plurality of packets, a session entry for the session to which that first packet belongs, the session entry containing a five-tuple that is used to determine whether a packet passing through the firewall belongs to the session;
receiving, through the network interface 503, the packets of the session coming from the second network that are sent by the first firewall;
forwarding, through the network interface 503, the packets of the session coming from the second network to the first network.
By performing the above operations, the first switch 50 sends the same packets to the first firewall and the second firewall, so that the first firewall and the second firewall establish identical session entries according to the first packet among those packets. In this way, the second firewall need not back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the services on the first firewall directly based on the session entry it established itself, avoiding service interruption.
In an optional scheme, after the processor 501 has sent the plurality of packets through the network interface 503 to the first firewall and the second firewall respectively, the processor 501 is further configured to:
detect whether the first firewall has failed, or whether the link between the first switch 50 and the first firewall is interrupted;
if the first firewall has failed or the link between the first switch 50 and the first firewall is interrupted, receive through the network interface 503, and forward, the packets of the session coming from the second network that are sent by the second firewall.
In another optional scheme, the processor 501 detecting whether the first firewall has failed specifically comprises: detecting whether the first firewall has failed through the Bidirectional Forwarding Detection (BFD) mechanism.
Specifically, the switch itself detects whether the first firewall has failed, so that it can adjust its packet forwarding policy promptly when it detects that the first firewall has failed, improving the performance of the switch.
In another optional scheme, before the processor 501 detects that the first firewall has failed or that the link between the first switch 50 and the first firewall is interrupted, the processor 501 is further configured to:
not receive the packets of the session coming from the second network that are sent by the second firewall, or receive through the network interface 503 the packets of the session coming from the second network that are sent by the second firewall and discard the packets of the session coming from the second network that are sent by the second firewall.
In another optional scheme, the network interface 503 includes a first interface connecting the first switch 50 to the first firewall and a second interface connecting the first switch 50 to the second firewall,
before the processor 501 detects that the first firewall has failed or that the link between the first switch 50 and the first firewall is interrupted, the first interface is set as the main interface and the second interface is set as the standby interface; the first switch 50 receives through the first interface, and forwards, the packets of the session coming from the second network that are sent by the first firewall, and the first switch 50 either does not receive the packets of the session coming from the second network that are sent by the second firewall, or receives through the second interface the packets of the session coming from the second network that are sent by the second firewall and discards the packets of the session coming from the second network that were received through the second interface;
after the processor 501 detects that the first firewall has failed or that the link between the first switch 50 and the first firewall is interrupted, the first interface is set as the standby interface and the second interface is set as the main interface, and the packets of the session coming from the second network that are sent by the second firewall are received through the second interface and forwarded.
It should be noted that the implementation of the switch 50 may also refer to the corresponding description of the method embodiment shown in Fig. 2, which is not repeated here.
By performing the above operations, the first switch 50 sends the same packets to the first firewall and the second firewall, so that the first firewall and the second firewall establish identical session entries according to the first packet among those packets. In this way, the second firewall need not back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the services on the first firewall directly based on the session entry it established itself, avoiding service interruption.
Referring to Fig. 6, Fig. 6 is a schematic structural diagram of another first switch 60 provided in an embodiment of the present invention. The first switch 60 may include a receiving unit 601 and a sending unit 602, which are described in detail as follows.
The receiving unit 601 is configured to receive a plurality of packets coming from a first network, where the first switch 60 is connected to a first firewall, a second firewall and the first network, the plurality of packets are packets transmitted between the first network and a second network, the first firewall is the master firewall, the second firewall is the slave firewall, the first firewall and the second firewall are each connected to the first switch 60 and to a second switch, and the second switch is further connected to the second network;
the sending unit 602 is configured to send the plurality of packets to the first firewall and to the second firewall respectively, where the packets that the first switch 60 sends to the first firewall and to the second firewall are identical, so that the first firewall and the second firewall both establish, according to the first packet of a session among the plurality of packets, a session entry for the session to which that first packet belongs, the session entry containing a five-tuple that is used to determine whether a packet passing through the firewall belongs to the session;
the receiving unit 601 is further configured to receive the packets of the session coming from the second network that are sent by the first firewall;
the sending unit 602 is further configured to forward the packets of the session coming from the second network to the first network.
By operating the above units, the first switch 60 sends the same packets to the first firewall and the second firewall, so that the first firewall and the second firewall establish identical session entries according to the first packet among those packets. In this way, the second firewall need not back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the services on the first firewall directly based on the session entry it established itself, avoiding service interruption.
In an optional scheme, the first switch 60 further includes a detection unit, configured to detect, after the sending unit 602 has sent the plurality of packets to the first firewall and the second firewall respectively, whether the first firewall has failed or whether the link between the first switch 60 and the first firewall is interrupted;
if the first switch 60 detects that the first firewall has failed or that the link between the first switch 60 and the first firewall is interrupted, the receiving unit 601 is further configured to receive the packets of the session coming from the second network that are sent by the second firewall, and the sending unit 602 is further configured to forward the packets of the session coming from the second network that are sent by the second firewall.
In another optional scheme, the detection unit is specifically configured to detect whether the first firewall has failed through the Bidirectional Forwarding Detection (BFD) mechanism.
Specifically, the switch itself detects whether the first firewall has failed, so that it can adjust its packet forwarding policy promptly when it detects that the first firewall has failed, improving the performance of the switch.
In another optional scheme, the first switch 60 further includes a discarding unit. Before the detection unit detects that the first firewall has failed or that the link between the first switch 60 and the first firewall is interrupted, the receiving unit 601 is further configured not to receive the packets of the session coming from the second network that are sent by the second firewall, or the receiving unit 601 is configured to receive the packets of the session coming from the second network that are sent by the second firewall and the discarding unit is configured to discard the packets of the session coming from the second network, sent by the second firewall, that the receiving unit 601 received.
In another optional scheme, the first switch 60 includes a first interface connecting the first switch 60 to the first firewall and a second interface connecting the first switch 60 to the second firewall,
before the detection unit detects that the first firewall has failed or that the link between the first switch 60 and the first firewall is interrupted, the first interface is set as the main interface and the second interface is set as the standby interface; the receiving unit 601 of the first switch 60 receives through the first interface the packets of the session coming from the second network that are sent by the first firewall, and the sending unit 602 forwards the packets of the session coming from the second network, sent by the first firewall, that the receiving unit 601 received through the first interface; the receiving unit 601 of the first switch 60 either does not receive the packets of the session coming from the second network that are sent by the second firewall, or receives through the standby interface the packets of the session coming from the second network that are sent by the second firewall, and the discarding unit discards the packets of the session coming from the second network that the receiving unit 601 received through the standby interface;
the first switch 60 further includes a configuration unit, configured to set, after the detection unit detects that the first firewall has failed or that the link between the first switch 60 and the first firewall is interrupted, the first interface as the standby interface and the second interface as the main interface; the receiving unit 601 is further configured to receive through the second interface, after the configuration unit has set the second interface as the main interface, the packets of the session coming from the second network that are sent by the second firewall, and the sending unit 602 is further configured to forward the packets of the session coming from the second network, sent by the second firewall, that the receiving unit 601 received through the second interface.
It should be noted that the implementation of the switch 60 may also refer to the corresponding description of the method embodiment shown in Fig. 2, which is not repeated here.
By operating the above units, the first switch 60 sends the same packets to the first firewall and the second firewall, so that the first firewall and the second firewall establish identical session entries according to the first packet among those packets. In this way, the second firewall need not back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the services on the first firewall directly based on the session entry it established itself, avoiding service interruption.
The above describes the method and switch of the embodiments of the present invention. To facilitate better implementation of the above schemes of the embodiments of the present invention, a corresponding system provided by an embodiment of the present invention is described below.
Refer to Fig. 7. Fig. 7 shows a message forwarding system 70 provided by an embodiment of the present invention. The message forwarding system 70 includes a first switch 701, a second switch 702, a first firewall 703 and a second firewall 704, where the first switch 701 is connected to the first firewall 703, the second firewall 704 and the first network, the first firewall 703 is the master firewall, the second firewall 704 is the standby firewall, the first firewall 703 and the second firewall 704 are each connected to the first switch 701 and the second switch 702, and the second switch 702 is also connected to the second network, wherein:
The first switch 701 is configured to receive multiple messages coming from the first network, the multiple messages being messages transmitted between the first network and the second network, and to send the multiple messages to the first firewall 703 and to the second firewall 704 respectively, the messages that the first switch 701 sends to the first firewall 703 and to the second firewall 704 being identical;
The first firewall 703 and the second firewall 704 are each configured to establish, from the first message of a session among the multiple messages sent by the first switch 701, a session entry for the session to which that first message belongs, the session entry including a five-tuple that is used to judge whether a message passing through the firewall belongs to the session;
The first firewall 703 is further configured to forward to the first switch 701 the messages of the session coming from the second network;
The first switch 701 is further configured to receive the messages of the session coming from the second network that the first firewall 703 sends;
The first switch 701 is further configured to forward to the first network the messages of the session coming from the second network.
By running the message forwarding system 70, the first switch 701 sends the same messages to the first firewall 703 and the second firewall 704, so that the first firewall 703 and the second firewall 704 establish identical session entries from the first message among those messages. Consequently, the second firewall 704 does not need to back up the session entries from the first firewall 703; when the first firewall 703 fails, the second firewall 704 can take over the services on the first firewall 703 directly on the basis of the session entries it established itself, avoiding service interruption.
In an optional scheme,
the first switch 701 includes a first interface that connects the first switch 701 to the first firewall 703 and a second interface that connects the first switch 701 to the second firewall 704, and the second firewall 704 is further configured to forward to the first switch 701 the messages of the session coming from the second network;
The first switch 701 is configured to detect whether the first firewall 703 has failed or whether the link between the first switch 701 and the first firewall 703 is down; before it detects that the first firewall 703 has failed or that the link between the first switch 701 and the first firewall 703 is down, it sets the first interface as the main interface and the second interface as the standby interface; after it detects that the first firewall 703 has failed or that the link between the first switch 701 and the first firewall 703 is down, it sets the first interface as the standby interface and the second interface as the main interface;
Before it detects that the first firewall 703 has failed or that the link between the first switch 701 and the first firewall 703 is down, it receives through the first interface and the second interface respectively the messages of the session coming from the second network that the first firewall 703 and the second firewall 704 send, and discards the messages of the session coming from the second network that it received through the second interface;
After it detects that the first firewall 703 has failed or that the link between the first switch 701 and the first firewall 703 is down, it receives through the second interface the messages of the session coming from the second network that the second firewall 704 sends, and forwards to the first network the messages of the session coming from the second network that it received through the second interface.
In another optional scheme, the second firewall 704 is further configured to detect whether the second firewall 704 is the standby firewall; if the second firewall 704 is the standby firewall, it is prohibited from forwarding the messages of the session coming from the second network to the first switch 701 and prohibited from forwarding the messages of the session coming from the first network to the second switch 702.
Further, the specific implementation of the first switch 701 may also correspond to the implementation of the first switch 50 in the embodiment shown in Fig. 5 and of the first switch 60 in the embodiment shown in Fig. 6; the specific implementation of the second switch 702 may also correspond to the implementation of the second switch in the embodiments shown in Fig. 5 and Fig. 6; the specific implementation of the first firewall 703 may also correspond to the implementation of the first firewall in the embodiments shown in Fig. 5 and Fig. 6; and the specific implementation of the second firewall 704 may also correspond to the implementation of the second firewall in the embodiments shown in Fig. 5 and Fig. 6.
In summary, by implementing the embodiments of the present invention, the first switch sends the same messages to the first firewall and the second firewall, so that the first firewall and the second firewall establish identical session entries from the first message among those messages. Consequently, the second firewall does not need to back up the session entries from the first firewall; when the first firewall fails, the second firewall can take over the services on the first firewall directly on the basis of the session entries it established itself, avoiding service interruption.
One of ordinary skill in the art will appreciate that all or part of the flow of the above method embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flow of each of the above method embodiments. The storage medium includes: ROM, RAM, a magnetic disk, an optical disc or any other medium that can store program code.
The above embodiments only disclose preferred embodiments of the present invention and cannot limit the scope of the claims of the present invention. One of ordinary skill in the art will appreciate that equivalent variations that implement all or part of the flow of the above embodiments in accordance with the claims of the present invention still fall within the scope covered by the invention.
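The scheme summarised above, as an added simulation that is not the patent's own code: both firewalls build the same session entry from the first message of a session, the first switch discards return traffic arriving on its standby interface until the master firewall is unreachable, then swaps main and standby interface. The firewall and switch classes, the interface names, the addresses and the traffic are constructed for this illustration, and a flag stands in for the BFD check.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    """A message identified by its five-tuple (constructed sample format)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def five_tuple(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reverse_tuple(self):
        # Same session seen from the return direction, as a firewall matches it.
        return (self.dst, self.dport, self.src, self.sport, self.proto)


class Firewall:
    """Stateful firewall keeping one session entry per five-tuple (hypothetical model)."""

    def __init__(self, name: str, role: str):
        self.name = name
        self.role = role        # "master" or "standby"
        self.sessions = set()   # session entries, keyed by five-tuple
        self.failed = False

    def from_first_network(self, msg: Message) -> Optional[Message]:
        """First message of a session creates the entry; a standby keeps it but forwards nothing."""
        if self.failed:
            return None
        self.sessions.add(msg.five_tuple())
        return msg if self.role == "master" else None

    def from_second_network(self, msg: Message) -> Optional[Message]:
        """Return traffic passes to the first switch only if an entry matches, else it is dropped."""
        if self.failed or msg.reverse_tuple() not in self.sessions:
            return None
        return msg


class FirstSwitch:
    """The first switch: first interface to fw1 (master), second interface to fw2 (standby)."""

    def __init__(self, fw1: Firewall, fw2: Firewall):
        self.fw = {"if1": fw1, "if2": fw2}
        self.main, self.standby = "if1", "if2"
        self.forwarded = []   # messages forwarded to the first network
        self.discarded = []   # messages dropped because they arrived on the standby interface

    def master_unreachable(self) -> bool:
        """Stand-in for the BFD check; the simulation just reads a flag."""
        return self.fw["if1"].failed

    def from_first_network(self, msg: Message) -> dict:
        """The identical message is handed to both firewalls."""
        return {iface: fw.from_first_network(msg) for iface, fw in self.fw.items()}

    def from_firewall(self, iface: str, msg: Message) -> bool:
        """Swap main and standby interface once the master is gone; forward only from main."""
        if self.master_unreachable() and self.main == "if1":
            self.main, self.standby = "if2", "if1"
        if iface == self.main:
            self.forwarded.append(msg)
            return True
        self.discarded.append(msg)
        return False


def run_failover_scenario() -> dict:
    """Constructed traffic: one TCP session from the first network to a server in the
    second network, then a failure of the master firewall."""
    fw1, fw2 = Firewall("fw1", "master"), Firewall("fw2", "standby")
    sw = FirstSwitch(fw1, fw2)
    request = Message("10.0.0.5", 40000, "192.0.2.10", 443, "tcp")
    reply = Message("192.0.2.10", 443, "10.0.0.5", 40000, "tcp")

    sent = sw.from_first_network(request)          # both firewalls see the first message
    ret1 = fw1.from_second_network(reply)           # reply reaches both via the second switch
    ret2 = fw2.from_second_network(reply)
    via_master = ret1 is not None and sw.from_firewall("if1", ret1)
    via_standby = ret2 is not None and sw.from_firewall("if2", ret2)

    fw1.failed = True                               # master fails; fw2 already holds the entry
    ret2_after = fw2.from_second_network(reply)
    via_standby_after = ret2_after is not None and sw.from_firewall("if2", ret2_after)

    cold = Firewall("cold-standby", "standby")      # contrast: a standby never fed the copy
    return {
        "master_forwarded_request": sent["if1"] is not None,
        "standby_forwarded_request": sent["if2"] is not None,
        "identical_entries": fw1.sessions == fw2.sessions,
        "reply_via_master_forwarded": via_master,
        "reply_via_standby_before_failure": via_standby,
        "reply_via_standby_after_failure": via_standby_after,
        "main_interface_after_failure": sw.main,
        "cold_standby_drops_reply": cold.from_second_network(reply) is None,
    }
```

The `cold-standby` entry shows the failure mode the scheme avoids: a standby that never received the duplicate feed has no matching entry and drops the reply.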

Claims (13)

1. A message forwarding method, characterised in that it includes:
a first switch receives multiple messages coming from a first network, the first switch, a first firewall and a second firewall being connected to the first network, the multiple messages being messages transmitted between the first network and a second network, the first firewall being the master firewall and the second firewall being the standby firewall, the first firewall and the second firewall each being connected to the first switch and to a second switch, and the second switch also being connected to the second network;
the first switch sends the multiple messages to the first firewall and to the second firewall respectively, the messages that the first switch sends to the first firewall and to the second firewall being identical, so that the first firewall and the second firewall each establish, from the first message of a session among the multiple messages, a session entry for the session to which that first message belongs, the session entry including a five-tuple that is used to judge whether a message passing through the firewall belongs to the session;
the first switch receives the messages of the session coming from the second network that the first firewall sends;
the first switch forwards to the first network the messages of the session coming from the second network.
2. The method according to claim 1, characterised in that, after the first switch sends the multiple messages to the first firewall and to the second firewall respectively, the method further includes:
the first switch detects whether the first firewall has failed, or whether the link between the first switch and the first firewall is down;
if the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the first switch receives and forwards the messages of the session coming from the second network that the second firewall sends.
3. The method according to claim 2, characterised in that the first switch detecting whether the first firewall has failed is specifically:
the first switch detects whether the first firewall has failed by means of the Bidirectional Forwarding Detection (BFD) mechanism.
4. The method according to claim 2 or 3, characterised in that, before the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the method further includes:
the first switch does not receive the messages of the session coming from the second network that the second firewall sends, or receives and discards the messages of the session coming from the second network that the second firewall sends.
5. The method according to claim 4, characterised in that the first switch includes a first interface that connects the first switch to the first firewall and a second interface that connects the first switch to the second firewall,
before the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the first interface is set as the main interface and the second interface is set as the standby interface; the first switch receives through the first interface and forwards the messages of the session coming from the second network that the first firewall sends, and the first switch does not receive the messages of the session coming from the second network that the second firewall sends, or receives through the standby interface the messages of the session coming from the second network that the second firewall sends and discards the messages of the session coming from the second network received through the standby interface;
after the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the method further includes:
setting the first interface as the standby interface and the second interface as the main interface, and receiving through the second interface and forwarding the messages of the session coming from the second network that the second firewall sends.
6. A first switch, characterised in that the first switch includes a processor, a memory and a network interface, wherein:
the network interface is used to receive messages and send messages;
the memory is used to store instructions and data;
the processor is used to read the instructions and data stored in the memory and perform the following operations:
receiving through the network interface multiple messages coming from a first network, the first switch, a first firewall and a second firewall being connected to the first network, the multiple messages being messages transmitted between the first network and a second network, the first firewall being the master firewall and the second firewall being the standby firewall, the first firewall and the second firewall each being connected to the first switch and to a second switch, and the second switch also being connected to the second network;
sending through the network interface the multiple messages to the first firewall and to the second firewall respectively, the messages sent through the network interface to the first firewall and to the second firewall being identical, so that the first firewall and the second firewall each establish, from the first message of a session among the multiple messages, a session entry for the session to which that first message belongs, the session entry including a five-tuple that is used to judge whether a message passing through the firewall belongs to the session;
receiving through the network interface the messages of the session coming from the second network that the first firewall sends;
forwarding through the network interface to the first network the messages of the session coming from the second network.
7. The first switch according to claim 6, characterised in that, after the processor sends the multiple messages through the network interface to the first firewall and to the second firewall respectively, the processor is further used to:
detect whether the first firewall has failed, or whether the link between the first switch and the first firewall is down;
if the first firewall has failed or the link between the first switch and the first firewall is down, receive through the network interface and forward the messages of the session coming from the second network that the second firewall sends.
8. The first switch according to claim 7, characterised in that the processor detecting whether the first firewall has failed is specifically:
detecting whether the first firewall has failed by means of the Bidirectional Forwarding Detection (BFD) mechanism.
9. The first switch according to claim 7 or 8, characterised in that, before the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the processor is further used to:
not receive the messages of the session coming from the second network that the second firewall sends, or receive through the network interface the messages of the session coming from the second network that the second firewall sends and discard the messages of the session coming from the second network that the second firewall sends.
10. The first switch according to claim 9, characterised in that the network interface includes a first interface that connects the first switch to the first firewall and a second interface that connects the first switch to the second firewall,
before the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the first interface is set as the main interface and the second interface is set as the standby interface; the first switch receives through the first interface and forwards the messages of the session coming from the second network that the first firewall sends, and the first switch does not receive the messages of the session coming from the second network that the second firewall sends, or receives through the second interface the messages of the session coming from the second network that the second firewall sends and discards the messages of the session coming from the second network received through the second interface;
after the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the first interface is set as the standby interface and the second interface as the main interface, and the messages of the session coming from the second network that the second firewall sends are received through the second interface and forwarded.
11. A message forwarding system, characterised in that the system includes a first switch, a second switch, a first firewall and a second firewall; wherein the first switch, the first firewall and the second firewall are connected to a first network, the first firewall is the master firewall and the second firewall is the standby firewall, the first firewall and the second firewall are each connected to the first switch and to the second switch, and the second switch is also connected to a second network, wherein:
the first switch is configured to receive multiple messages coming from the first network, the multiple messages being messages transmitted between the first network and the second network, and to send the multiple messages to the first firewall and to the second firewall respectively, the messages that the first switch sends to the first firewall and to the second firewall being identical;
the first firewall and the second firewall are each configured to establish, from the first message of a session among the multiple messages sent by the first switch, a session entry for the session to which that first message belongs, the session entry including a five-tuple that is used to judge whether a message passing through the firewall belongs to the session;
the first firewall is further configured to forward to the first switch the messages of the session coming from the second network;
the first switch is further configured to receive the messages of the session coming from the second network that the first firewall sends;
the first switch is further configured to forward to the first network the messages of the session coming from the second network.
12. The system according to claim 11, characterised in that the first switch includes a first interface that connects the first switch to the first firewall and a second interface that connects the first switch to the second firewall, and the second firewall is further configured to forward to the first switch the messages of the session coming from the second network;
the first switch is configured to detect whether the first firewall has failed or whether the link between the first switch and the first firewall is down; before it detects that the first firewall has failed or that the link between the first switch and the first firewall is down, it sets the first interface as the main interface and the second interface as the standby interface; after it detects that the first firewall has failed or that the link between the first switch and the first firewall is down, it sets the first interface as the standby interface and the second interface as the main interface;
before it detects that the first firewall has failed or that the link between the first switch and the first firewall is down, it receives through the first interface and the second interface respectively the messages of the session coming from the second network that the first firewall and the second firewall send, and discards the messages of the session coming from the second network received through the second interface;
after it detects that the first firewall has failed or that the link between the first switch and the first firewall is down, it receives through the second interface the messages of the session coming from the second network that the second firewall sends, and forwards to the first network the messages of the session coming from the second network received through the second interface.
13. The method according to claim 11, characterised in that:
the second firewall is further configured to detect whether the second firewall is the standby firewall, and if the second firewall is the standby firewall, it is prohibited from forwarding the messages of the session coming from the second network to the first switch and prohibited from forwarding the messages of the session coming from the first network to the second switch.
CN201610186891.3A 2016-03-29 2016-03-29 Message forwarding method, first switch and related system Active CN107241208B (en)
Publications (2)

Publication Number Publication Date
CN107241208A true CN107241208A (en) 2017-10-10
CN107241208B CN107241208B (en) 2020-02-21

Family

ID=59983866

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant