CN107645458A - Three-tier message drainage method and controller - Google Patents

Info

Publication number: CN107645458A (granted as CN107645458B)
Application number: CN201710985040.XA
Authority: CN (China)
Prior art keywords: tier message, mac address, controller, journey, return
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN107645458B (en)
Inventor: 周遵亮
Current Assignee: Ruijie Networks Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Ruijie Networks Co Ltd
Timeline: application filed by Ruijie Networks Co Ltd; priority to CN201710985040.XA; publication of CN107645458A; application granted; publication of CN107645458B. Legal status: Active.

Abstract

This application discloses a Layer 3 packet steering ("drainage") method and a controller in the field of communications, for steering Layer 3 packets to a security device under a service chain architecture while the security device has its consistency check enabled. The method includes: when an outbound Layer 3 packet enters the switching device, the controller replaces the source MAC address of the outbound packet with a first virtual MAC address and its destination MAC address with a second virtual MAC address; the controller controls the switching device to steer the outbound packet to the security device through the security port; when the return Layer 3 packet corresponding to that outbound packet enters the switching device, the controller replaces the destination MAC address of the return packet with the first virtual MAC address and its source MAC address with the second virtual MAC address; and the controller controls the switching device to steer the return packet to the security device through the security port. The embodiments of this application apply to security devices that perform consistency checks.

Description

Three-tier message drainage method and controller
Technical field
The present invention relates to the field of communications, and in particular to a Layer 3 packet steering ("drainage") method and controller.
Background technology
In the service chain (Service Chain) network architecture, all security devices are attached to a single switch. Security devices generally provide a bidirectional session consistency check: in transparent mode they compare the source media access control (MAC) address and destination MAC address in the Layer 2 header of each packet, and if the source and destination MAC addresses of the return packet do not match those of the outbound packet, the flow is blocked.
In the current transparent mode of the service chain, Layer 2 flows can be steered normally, but for Layer 3 flows the destination MAC address (DMAC) of both directions of the flow is the MAC address of the switch, so when the security device has its consistency check enabled the flow is blocked by the security device. If the consistency check is disabled instead, most of the security device's protection functions no longer work and the customer network is exposed to attack.
The content of the invention
Embodiments of the invention provide a Layer 3 packet steering method and controller, for steering Layer 3 packets to security devices under a service chain architecture while the security devices have their consistency check enabled.
To achieve this, embodiments of the invention adopt the following technical solutions:
In a first aspect, a Layer 3 packet steering method is provided, applied to a network architecture in which a controller, a switching device and security devices form a service chain. The security devices operate in transparent mode, and the security ports on the switching device that connect to the security devices operate in routed mode. The method includes:
when an outbound Layer 3 packet enters the switching device, the controller replaces the source media access control (MAC) address of the outbound packet with a first virtual MAC address and replaces its destination MAC address with a second virtual MAC address, the outbound packet corresponding one-to-one with the first virtual MAC address and the second virtual MAC address;
the controller controls the switching device to steer the outbound Layer 3 packet to the security device through the security port;
when the return Layer 3 packet corresponding to the outbound packet enters the switching device, the controller replaces the source MAC address of the return packet with the corresponding second virtual MAC address and replaces its destination MAC address with the corresponding first virtual MAC address;
the controller controls the switching device to steer the return Layer 3 packet to the security device through the security port.
In a second aspect, a controller is provided, applied to a network architecture in which a controller, a switching device and security devices form a service chain, the security devices operating in transparent mode and the security ports on the switching device that connect to the security devices operating in routed mode. The controller includes:
a replacement unit, configured to, when an outbound Layer 3 packet enters the switching device, replace the source MAC address of the outbound packet with a first virtual MAC address and replace its destination MAC address with a second virtual MAC address, the outbound packet corresponding one-to-one with the first virtual MAC address and the second virtual MAC address;
a steering unit, configured to control the switching device to steer the outbound Layer 3 packet to the security device through the security port;
the replacement unit being further configured to, when the return Layer 3 packet corresponding to the outbound packet enters the switching device, replace the source MAC address of the return packet with the corresponding second virtual MAC address and replace its destination MAC address with the corresponding first virtual MAC address;
the steering unit being further configured to control the switching device to steer the return Layer 3 packet to the security device through the security port.
In a third aspect, a computer-readable storage medium storing one or more programs is provided; the one or more programs include instructions that, when executed by a controller, cause the controller to perform the method of the first aspect.
The embodiments of this application provide a Layer 3 packet steering method and controller. The controller identifies the traffic flows of the two directions and issues the corresponding flow tables, so that the outbound and return Layer 3 packets are directed to the security device by policy-based routing. The MAC addresses are replaced so that the source MAC address of the outbound packet equals the destination MAC address of the return packet, and the destination MAC address of the outbound packet equals the source MAC address of the return packet; the MAC addresses of the outbound and return packets as seen by the security device are therefore symmetric. The security device does not block the flow when performing its consistency check, and Layer 3 packets can be steered under a service chain architecture while the security device's consistency check is enabled.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
Fig. 1 is a schematic diagram of a service-chain network architecture provided by an embodiment of this application;
Fig. 2 is a schematic flow chart of a Layer 3 packet steering method provided by an embodiment of this application;
Fig. 3 is a schematic diagram of Layer 3 packet steering provided by an embodiment of this application;
Fig. 4 is a schematic diagram of another Layer 3 packet steering provided by an embodiment of this application;
Fig. 5 is a schematic flow chart of another Layer 3 packet steering method provided by an embodiment of this application;
Fig. 6 is a schematic structural diagram of a controller provided by an embodiment of this application.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings.
As shown in Fig. 1, the service-chain network architecture provided by an embodiment of this application includes a switching device 11, a software-defined network (SDN) controller 12 and security devices 13. All security devices are attached to a single switching device. The security devices 13 may include a firewall (FW), an intrusion detection and prevention device (IDP), a web application firewall (WAF), a flow-control device and the like. The switching device may be a switch or a Layer 3 device with switching functions.
A flow table as described in the embodiments of this application consists of two parts, match rules and control actions. A match rule may cover any field of a data packet as well as some forwarding state internal to the device; control actions include drop, drop cancel (do not drop), redirect, modify packet content, traffic statistics, egress mask, next hop and so on. The entries of a flow table have a priority relationship among them. When a data packet arrives at a switch interface on which a flow table is configured, the packet is checked against the match rules of the entries in priority order, and if an entry matches, the control action of the first matching entry is executed. A flow-table redirect action has higher priority than ordinary forwarding: when the egress chosen by ordinary forwarding differs from the egress of the flow-table redirect, the packet leaves through the egress given by the flow table.
Routed mode of a security device, as used in the embodiments of this application, means that an IP address is configured on the security device and packets are routed through the device; in this case an additional IP address range must be allocated to the security device. This mode can only steer Layer 3 packets to the device, since otherwise packets cannot be forwarded on again after reaching the security device. Some security devices do not support routed mode.
Transparent mode of a security device, as used in the embodiments of this application, requires no IP address on the security device; packets pass straight through the device without their content being changed. This mode can steer all packets.
The MAC addresses of the outbound Layer 3 packet and the return Layer 3 packet being symmetric, as used in the embodiments of this application, means that the source MAC address of the outbound packet equals the destination MAC address of the return packet, and the destination MAC address of the outbound packet equals the source MAC address of the return packet.
Embodiment 1
As shown in Fig. 2, an embodiment of this application provides a Layer 3 packet steering method applied to the above network architecture. The method includes:
S101: when an outbound Layer 3 packet enters the switching device, the controller replaces the source media access control (MAC) address of the outbound packet with a first virtual MAC address and replaces its destination MAC address with a second virtual MAC address; and the controller controls the switching device to steer the outbound Layer 3 packet to the security device through the security port.
The outbound packet corresponds one-to-one with the first virtual MAC address and the second virtual MAC address.
Taking a service chain with a single security device as an example, as shown in Fig. 3, assume the security device is an FW and the switching device is a switch. The service chain bound to flow A is FW, so the path of the Layer 3 packet from A to B is A->P1->P2->FW->P5->P6->B (solid line), and the path of the corresponding return Layer 3 packet from B to A is B->P6->P5->FW->P2->P1->A (dotted line).
The controller may configure the security ports on the switching device that connect to the security device as routed mode, so that the switching device does not forward other Layer 2 packets through them; in the example above, P2 and P5 are configured as routed mode. The controller may configure the security device as transparent mode, so that the security device does not route or forward according to the MAC addresses of packets; in the example above, the FW is configured as transparent mode.
The first virtual MAC address and the second virtual MAC address are stored in the next-hop table and the interface table of the switching device, where the next-hop table stores the destination MAC addresses used when forwarding Layer 3 packets and the interface table stores the source MAC addresses used when forwarding Layer 3 packets.
A virtual MAC address has the same format as a real MAC address, but its value is not a real MAC address. Assuming the first virtual MAC address is MAC-X and the second virtual MAC address is MAC-Y, MAC-X and MAC-Y are added to the next-hop table egr_l3_next_hop and to the interface table egr_l3_intf.
Specifically, the controller may replace the source MAC address of the outbound packet with the first virtual MAC address according to the interface table, and replace the destination MAC address of the outbound packet with the second virtual MAC address according to the next-hop table.
For example, as shown by the solid line in Fig. 3, the controller may issue a flow table in advance; when the outbound Layer 3 packet hits that flow table, the outbound packet entering the switch from P1 is steered to P2, its source MAC address MAC-A is replaced with MAC-X, and its destination MAC address MAC-gateway (the MAC address of the switching device) is replaced with MAC-Y.
S102: when the return Layer 3 packet corresponding to the outbound packet enters the switching device, the controller replaces the source MAC address of the return packet with the corresponding second virtual MAC address and replaces its destination MAC address with the corresponding first virtual MAC address; and the controller controls the switching device to steer the return Layer 3 packet to the security device through the security port.
Specifically, because the return packet corresponds to the outbound packet, and the outbound packet corresponds one-to-one with the first and second virtual MAC addresses, the controller can replace the source MAC address of the return packet with the corresponding second virtual MAC address according to the interface table, and replace the destination MAC address of the return packet with the corresponding first virtual MAC address according to the next-hop table.
For example, as shown by the dotted line in Fig. 3, the controller may issue a flow table in advance; when the return Layer 3 packet hits that flow table, the return packet entering the switch from P2 is redirected to P5, its source MAC address MAC-B is replaced with MAC-Y, and its destination MAC address MAC-gateway is replaced with MAC-X.
After replacement, the source MAC address of the outbound packet is MAC-X and its destination MAC address is MAC-Y, while the source MAC address of the return packet is MAC-Y and its destination MAC address is MAC-X. The security device recognizes the MAC addresses of the two packets as symmetric and therefore does not block the corresponding flow.
In the Layer 3 packet steering method provided by this embodiment, the controller identifies the traffic flows of the two directions and issues the corresponding flow tables, directs the outbound and return Layer 3 packets to the security device by policy-based routing, and replaces the MAC addresses so that the source MAC address of the outbound packet equals the destination MAC address of the return packet and the destination MAC address of the outbound packet equals the source MAC address of the return packet. The MAC addresses of the outbound and return packets as seen by the security device are thus symmetric, the security device does not block the flow during its consistency check, and Layer 3 packets are steered under the service chain architecture while the security device's consistency check is enabled.
As shown in Fig. 5, the method may further include step S103:
S103: when the outbound Layer 3 packet or the return Layer 3 packet is steered between multiple security devices, the controller keeps the virtual MAC addresses of the outbound or return packet unchanged.
Specifically, the MAC addresses above can be kept unchanged by setting the KEEP field of the forwarding policy (FP) entry.
Taking a service chain formed by two security devices as an example, as shown in Fig. 4, assume the security devices are an FW and an IDP and the switching device is a switch. The service chain bound to flow A is FW->IDP, so the path of the Layer 3 packet from A to B is A->P1->P2->FW->P3->P4->IDP->P5->P6->B (solid line), and the path of the corresponding return Layer 3 packet from B to A is B->P6->P5->IDP->P4->P3->FW->P2->P1->A (dotted line). Likewise, ports P3 and P4 are also configured as routed mode, and the IDP is also configured as transparent mode.
By issuing a flow table, the controller redirects the outbound Layer 3 packet that enters the switch from port P3 (the port corresponding to the FW) to port P4 (the port corresponding to the IDP), so that the outbound packet is transmitted along the service chain FW->IDP; at the same time, the KEEP field of the FP entry keeps the source and destination MAC addresses of the outbound packet unchanged, so the outbound packet entering the IDP still has source MAC address MAC-X and destination MAC address MAC-Y.
Similarly, by issuing a flow table, the controller redirects the return Layer 3 packet that enters the switch from port P4 (corresponding to the IDP) to port P3 (corresponding to the FW), so that the return packet is transmitted along the service chain IDP->FW; at the same time, the KEEP field of the FP entry keeps the source and destination MAC addresses of the return packet unchanged, so the return packet entering the FW still has source MAC address MAC-Y and destination MAC address MAC-X.
In this way, however many security devices the system contains, the MAC addresses of the outbound and return Layer 3 packets are symmetric at every security device, so the corresponding flow is not blocked anywhere.
As shown in Fig. 5, the method may further include step S104:
S104: the controller configures the first virtual MAC address and the second virtual MAC address into the triggering routing table of the switching device. The triggering routing table is used so that, after the outbound or return Layer 3 packet flows back from the security device into the switching device, Layer 3 routed forwarding is triggered because the controller has issued no flow table for it.
Specifically, MAC-X and MAC-Y are added to the triggering routing table my_station_tcam, so that when the outbound or return Layer 3 packet flows back from the security device into the switch, Layer 3 routed forwarding is triggered because the controller has issued no flow table. The triggering routing table mainly takes effect when the outbound or return packet finally leaves the switch after being steered through all security devices.
For example, as shown in Fig. 3 or Fig. 4, after the outbound Layer 3 packet enters the switch from port P5, the controller has issued no flow table, so the triggering routing table my_station_tcam is consulted and the packet is forwarded by conventional routing. Because MAC-Y is in the my_station_tcam table, Layer 3 routed forwarding is triggered; after the routing table is hit, the packet leaves from P6, and at this point the source MAC address of the outbound packet is replaced with MAC-gateway and its destination MAC address with MAC-B.
Similarly, as shown in Fig. 3 or Fig. 4, after the return Layer 3 packet enters the switch from port P2, the controller has issued no flow table, so the triggering routing table my_station_tcam is consulted and the packet is forwarded by conventional routing. Because MAC-X is in the my_station_tcam table, Layer 3 routed forwarding is triggered; after the routing table is hit, the packet leaves from P1, and at this point the source MAC address of the return packet is replaced with MAC-gateway and its destination MAC address with MAC-A.
This step allows the outbound or return Layer 3 packet leaving the switching device to reach the receiving end normally.
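The following Python model is an added example illustrating steps S101 to S104 together (the flow-table lookup in priority order, the virtual-MAC rewrite, the KEEP behaviour between the FW and the IDP, and the my_station_tcam egress routing); it is not code from the patent or from Ruijie. The port labels follow Fig. 4, but the MAC values, the hosts A and B, and the way the hardware tables are represented are all constructed assumptions: egr_l3_intf and egr_l3_next_hop appear as per-entry rewrite fields, the FP KEEP field as a flag, and my_station_tcam as a set of destination MACs that trigger Layer 3 routing. Running simulate(False) reproduces the background problem (the return packet reaches the IDP first in the chain of Fig. 4 and fails its consistency check), and simulate(True) shows both devices seeing a symmetric MAC pair and the packets leaving the switch with the gateway MAC restored.

```python
# Added example: a small Python model of steps S101-S104 above. It is not the
# patent's or Ruijie's code. Port labels and MAC values are constructed, and
# the hardware tables are only approximated: egr_l3_intf / egr_l3_next_hop
# become per-entry rewrite fields, the FP KEEP field a flag, and
# my_station_tcam a set of destination MACs that trigger Layer 3 routing.
from collections import namedtuple

GATEWAY_MAC = "MAC-GW"           # the switch's own MAC ("MAC-gateway" in the text)
MAC_X, MAC_Y = "MAC-X", "MAC-Y"  # first and second virtual MAC (constructed values)

Packet = namedtuple("Packet", "src_ip dst_ip src_mac dst_mac in_port")
# match: field -> value; src_mac/dst_mac: rewrite actions; keep: FP KEEP flag
FlowEntry = namedtuple("FlowEntry", "priority match out_port src_mac dst_mac keep",
                       defaults=(None, None, False))


class TransparentSecurityDevice:
    """Transparent-mode device with the bidirectional MAC consistency check."""

    def __init__(self):
        self.sessions = {}  # frozenset({ip1, ip2}) -> (first src_ip, src_mac, dst_mac)
        self.seen = []      # (src_mac, dst_mac) of every packet inspected

    def inspect(self, pkt):
        """True if the packet may pass, False if the consistency check blocks it."""
        self.seen.append((pkt.src_mac, pkt.dst_mac))
        key = frozenset((pkt.src_ip, pkt.dst_ip))
        if key not in self.sessions:
            self.sessions[key] = (pkt.src_ip, pkt.src_mac, pkt.dst_mac)
            return True
        first_ip, first_src, first_dst = self.sessions[key]
        if pkt.src_ip == first_ip:  # same direction as the first packet
            return True
        # Return direction: the MAC pair must mirror the outbound packet.
        return (pkt.src_mac, pkt.dst_mac) == (first_dst, first_src)


class Switch:
    def __init__(self, routes, my_station_tcam):
        self.flow_table = []
        self.routes = routes                    # dst_ip -> (out_port, next-hop MAC)
        self.my_station_tcam = my_station_tcam  # dst MACs that trigger L3 routing

    def lookup(self, pkt):
        # Entries are searched in priority order; the first full match wins.
        for e in sorted(self.flow_table, key=lambda e: -e.priority):
            if all(getattr(pkt, f) == v for f, v in e.match.items()):
                return e
        return None

    def forward(self, pkt):
        e = self.lookup(pkt)
        if e is not None:  # a flow-table redirect beats ordinary forwarding
            if not e.keep:
                pkt = pkt._replace(src_mac=e.src_mac or pkt.src_mac,
                                   dst_mac=e.dst_mac or pkt.dst_mac)
            return e.out_port, pkt
        if pkt.dst_mac in self.my_station_tcam:  # no flow entry: L3 routing
            out_port, nh_mac = self.routes[pkt.dst_ip]
            return out_port, pkt._replace(src_mac=GATEWAY_MAC, dst_mac=nh_mac)
        return None, pkt  # plain L2 forwarding is not modelled


# Constructed topology of Fig. 4:  A-P1 | P2-FW-P3 | P4-IDP-P5 | P6-B
HOST_PORTS = {"P1": "A", "P6": "B"}
DEVICE_PORTS = {"P2": ("FW", "P3"), "P3": ("FW", "P2"),
                "P4": ("IDP", "P5"), "P5": ("IDP", "P4")}


def build(rewrite):
    """Controller setup; rewrite=False reproduces the blocked baseline."""
    tcam = {GATEWAY_MAC} | ({MAC_X, MAC_Y} if rewrite else set())
    sw = Switch({"A": ("P1", "MAC-A"), "B": ("P6", "MAC-B")}, tcam)
    sx, sy = (MAC_X, MAC_Y) if rewrite else (None, None)
    sw.flow_table = [
        FlowEntry(10, {"in_port": "P1", "dst_ip": "B"}, "P2", sx, sy),     # A -> FW
        FlowEntry(10, {"in_port": "P3", "dst_ip": "B"}, "P4", keep=True),  # FW -> IDP
        FlowEntry(10, {"in_port": "P6", "dst_ip": "A"}, "P5", sy, sx),     # B -> IDP
        FlowEntry(10, {"in_port": "P4", "dst_ip": "A"}, "P3", keep=True),  # IDP -> FW
    ]
    return sw, {n: TransparentSecurityDevice() for n in ("FW", "IDP")}


def send(sw, devices, pkt):
    """Run one packet through switch and chain: (blocked_by, egress_port, packet)."""
    for _ in range(10):  # bounded, so a bad table cannot loop forever
        out_port, pkt = sw.forward(pkt)
        if out_port in HOST_PORTS:
            return None, out_port, pkt
        if out_port not in DEVICE_PORTS:
            return "no-path", None, pkt
        name, back_port = DEVICE_PORTS[out_port]
        if not devices[name].inspect(pkt):
            return name, None, pkt
        pkt = pkt._replace(in_port=back_port)  # transparent: content unchanged
    return "loop", None, pkt


def simulate(rewrite):
    """Send the outbound packet A->B and the return packet B->A; report results."""
    sw, devices = build(rewrite)
    outbound = send(sw, devices, Packet("A", "B", "MAC-A", GATEWAY_MAC, "P1"))
    ret = send(sw, devices, Packet("B", "A", "MAC-B", GATEWAY_MAC, "P6"))
    return {"outbound": outbound, "return": ret,
            "fw_saw": devices["FW"].seen, "idp_saw": devices["IDP"].seen}
```

The model deliberately keeps the return-direction rewrite keyed to the same flow entry that redirects the packet, which is the one-to-one correspondence the text relies on: if the return entry were issued with MAC-X and MAC-Y swapped, both devices would again see an asymmetric pair and `simulate` would report the blocking device, so the check doubles as a quick regression test for a controller's flow-table generator.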
Embodiment 2
An embodiment of this application provides a controller applied to the above network architecture. As shown in Fig. 6, the controller 60 includes:
a replacement unit 601, configured to, when an outbound Layer 3 packet enters the switching device, replace the source MAC address of the outbound packet with a first virtual MAC address and replace its destination MAC address with a second virtual MAC address, the outbound packet corresponding one-to-one with the first virtual MAC address and the second virtual MAC address;
a steering unit 602, configured to control the switching device to steer the outbound Layer 3 packet to the security device through the security port;
the replacement unit 601 being further configured to, when the return Layer 3 packet corresponding to the outbound packet enters the switching device, replace the source MAC address of the return packet with the corresponding second virtual MAC address and replace its destination MAC address with the corresponding first virtual MAC address;
the steering unit 602 being further configured to control the switching device to steer the return Layer 3 packet to the security device through the security port.
In one possible design, the first virtual MAC address and the second virtual MAC address are stored in the next-hop table and the interface table of the switching device, where the next-hop table stores the destination MAC addresses used when forwarding Layer 3 packets and the interface table stores the source MAC addresses used when forwarding Layer 3 packets.
In one possible design, the replacement unit 601 is specifically configured to replace the source MAC address of the outbound packet with the first virtual MAC address according to the interface table and replace the destination MAC address of the outbound packet with the second virtual MAC address according to the next-hop table, and to replace the source MAC address of the return packet with the second virtual MAC address according to the interface table and replace the destination MAC address of the return packet with the first virtual MAC address according to the next-hop table.
In one possible design, as shown in Fig. 6, the controller further includes a configuration unit 603, configured to, when the outbound or return Layer 3 packet is steered between multiple security devices, keep the virtual MAC addresses of the outbound or return packet unchanged.
In one possible design, the configuration unit 603 is configured to configure the first virtual MAC address and the second virtual MAC address into the triggering routing table of the switching device, the triggering routing table being used so that, after the outbound or return Layer 3 packet flows back from the security device into the switching device, Layer 3 routed forwarding is triggered because the controller has issued no flow table for it.
Since the controller in this embodiment of the invention can be applied to the above method, the technical effects it achieves are as described in the method embodiment and are not repeated here.
It should be noted that the replacement unit, steering unit and configuration unit may be separately provided processors, may be integrated into one of the controller's processors, or may be stored as program code in the controller's memory and called and executed by one of the controller's processors to perform the functions of the units above. The processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the invention.
An embodiment of this application provides a computer-readable storage medium storing one or more programs; the one or more programs include instructions that, when executed by a controller, cause the controller to perform the method shown in Fig. 2 or Fig. 5.
It should be understood that in the various embodiments of the invention, the sequence numbers of the processes above do not imply an order of execution; the order in which the processes are executed should be determined by their function and internal logic and does not limit the implementation of the embodiments of the invention in any way.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be understood by reference to the corresponding processes in the method embodiments above and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, may each exist physically on their own, or two or more of them may be integrated into one unit.
If the functions are implemented as software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the invention. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are only specific embodiments of the invention, and the scope of protection of the invention is not limited to them; any change or substitution that a person familiar with the art can readily conceive within the technical scope disclosed by the invention falls within the scope of protection of the invention. The scope of protection of the invention is therefore defined by the claims.

Claims (11)

1. A Layer-3 packet steering method (the "three-tier message drainage method" of the title), applied to a network architecture in which a controller, a switch and a security device are arranged as a service chain, characterised in that the security device operates in transparent mode, the security port that connects the switch to the security device operates in routed mode, and the method comprises:
when a forward-path Layer-3 packet enters the switch, the controller replaces the source media access control (MAC) address of the forward-path packet with a first virtual MAC address and replaces the destination MAC address of the forward-path packet with a second virtual MAC address, the forward-path packet corresponding one-to-one with the first virtual MAC address and the second virtual MAC address;
the controller controls the switch to steer the forward-path packet to the security device through the security port;
when the return-path Layer-3 packet corresponding to the forward-path packet enters the switch, the controller replaces the source MAC address of the return-path packet with the corresponding second virtual MAC address and replaces the destination MAC address of the return-path packet with the corresponding first virtual MAC address;
the controller controls the switch to steer the return-path packet to the security device through the security port.
2. The method according to claim 1, characterised in that the first virtual MAC address and the second virtual MAC address are stored in a next-hop table and an interface table of the switch, where the next-hop table stores the destination MAC addresses of forwarded Layer-3 packets and the interface table stores the source MAC addresses of forwarded Layer-3 packets.
3. The method according to claim 2, characterised in that
the controller replacing the source MAC address of the forward-path Layer-3 packet with the first virtual MAC address and replacing the destination MAC address of the forward-path packet with the second virtual MAC address comprises:
the controller replacing the source MAC address of the forward-path packet with the first virtual MAC address according to the interface table, and replacing the destination MAC address of the forward-path packet with the second virtual MAC address according to the next-hop table;
and the controller replacing the source MAC address of the return-path Layer-3 packet with the corresponding second virtual MAC address and replacing the destination MAC address of the return-path packet with the corresponding first virtual MAC address comprises:
the controller replacing the source MAC address of the return-path packet with the corresponding second virtual MAC address according to the interface table, and replacing the destination MAC address of the return-path packet with the corresponding first virtual MAC address according to the next-hop table.
4. The method according to claim 1, characterised in that the method further comprises: when the forward-path Layer-3 packet or the return-path Layer-3 packet is steered through multiple security devices, the controller keeps the virtual MAC addresses of the forward-path or return-path packet unchanged.
5. The method according to claim 1, characterised in that the method further comprises:
the controller configuring the first virtual MAC address and the second virtual MAC address into a trigger routing table of the switch, the trigger routing table being used to trigger Layer-3 routed forwarding of the forward-path or return-path Layer-3 packet after it flows back from the security device to the switch, because the controller has not installed a flow entry for it.
6. A controller, applied to a network architecture in which a controller, a switch and a security device are arranged as a service chain, characterised in that the security device operates in transparent mode, the security port that connects the switch to the security device operates in routed mode, and the controller comprises:
a replacement unit, configured to, when a forward-path Layer-3 packet enters the switch, replace the source media access control (MAC) address of the forward-path packet with a first virtual MAC address and replace the destination MAC address of the forward-path packet with a second virtual MAC address, the forward-path packet corresponding one-to-one with the first virtual MAC address and the second virtual MAC address;
a steering unit, configured to control the switch to steer the forward-path packet to the security device through the security port;
the replacement unit being further configured to, when the return-path Layer-3 packet corresponding to the forward-path packet enters the switch, replace the source MAC address of the return-path packet with the corresponding second virtual MAC address and replace the destination MAC address of the return-path packet with the corresponding first virtual MAC address;
the steering unit being further configured to control the switch to steer the return-path packet to the security device through the security port.
7. The controller according to claim 6, characterised in that the first virtual MAC address and the second virtual MAC address are stored in a next-hop table and an interface table of the switch, where the next-hop table stores the destination MAC addresses of forwarded Layer-3 packets and the interface table stores the source MAC addresses of forwarded Layer-3 packets.
8. The controller according to claim 7, characterised in that the replacement unit is specifically configured to:
replace the source MAC address of the forward-path Layer-3 packet with the first virtual MAC address according to the interface table, and replace the destination MAC address of the forward-path packet with the second virtual MAC address according to the next-hop table;
replace the source MAC address of the return-path Layer-3 packet with the corresponding second virtual MAC address according to the interface table, and replace the destination MAC address of the return-path packet with the corresponding first virtual MAC address according to the next-hop table.
9. The controller according to claim 6, characterised in that the controller further comprises a configuration unit,
the configuration unit being configured to, when the forward-path Layer-3 packet or the return-path Layer-3 packet is steered through multiple security devices, keep the virtual MAC addresses of the forward-path or return-path packet unchanged.
10. The controller according to claim 6, characterised in that the controller further comprises a configuration unit,
the configuration unit being configured to configure the first virtual MAC address and the second virtual MAC address into a trigger routing table of the switch, the trigger routing table being used to trigger Layer-3 routed forwarding of the forward-path or return-path Layer-3 packet after it flows back from the security device to the switch, because the controller has not installed a flow entry for it.
11. A computer-readable storage medium storing one or more programs, characterised in that the one or more programs comprise instructions which, when executed by a controller, cause the controller to perform the method according to any one of claims 1 to 5.
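The claims describe the rewrite but not why it matters to a transparent device. The following is an added model, not the patent's or Ruijie's code, of the mechanism in claims 1 to 4: a transparent security device with a MAC consistency check enabled expects the return frame of a flow to carry the forward frame's MAC pair mirrored; a routed-mode security port re-sources each frame with the port's own MAC and addresses it to the next hop, so the pair is not mirrored and the check fails; the controller instead writes one virtual MAC pair per forward flow (interface table for the source MAC, next-hop table for the destination MAC) and the same pair swapped on the return flow, and keeps it unchanged across several devices in the chain. The class names, the `run_chain` function, the sample flow, the virtual MAC numbering and the exact form of the consistency check are assumptions; the patent does not specify them.

```python
"""Added model of the virtual-MAC rewriting in claims 1 to 4 (not the patent's code)."""
from dataclasses import dataclass, replace as dc_replace
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (src_ip, dst_ip, src_port, dst_port, proto)


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)

    def reverse_five_tuple(self) -> FiveTuple:
        return (self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


class RoutedSecurityPort:
    """Routed-mode port without the controller's rewrite (modelled behaviour): the switch
    re-sources the frame with the port MAC and addresses it to the next hop."""

    def __init__(self, port_mac: str, next_hop_mac: Dict[str, str]) -> None:
        self.port_mac = port_mac
        self.next_hop_mac = next_hop_mac  # dst_ip -> MAC of the next hop towards it

    def forward(self, pkt: Packet) -> Packet:
        return dc_replace(pkt, src_mac=self.port_mac, dst_mac=self.next_hop_mac[pkt.dst_ip])


class Controller:
    """Allocates one virtual MAC pair per forward-path flow (claim 1) and keeps it in the
    interface table (source MAC) and next-hop table (destination MAC) (claims 2 and 3)."""

    def __init__(self) -> None:
        self.next_id = 1
        self.interface_table: Dict[FiveTuple, str] = {}
        self.next_hop_table: Dict[FiveTuple, str] = {}

    def _alloc(self) -> Tuple[str, str]:
        n, self.next_id = self.next_id, self.next_id + 1
        # 02:... is a locally administered address; the numbering scheme is an assumption
        return f"02:00:00:00:{n:02x}:01", f"02:00:00:00:{n:02x}:02"

    def rewrite_forward(self, pkt: Packet) -> Packet:
        key = pkt.five_tuple()
        if key not in self.interface_table:
            self.interface_table[key], self.next_hop_table[key] = self._alloc()
        return dc_replace(pkt, src_mac=self.interface_table[key],
                          dst_mac=self.next_hop_table[key])

    def rewrite_return(self, pkt: Packet) -> Optional[Packet]:
        key = pkt.reverse_five_tuple()  # the forward flow this return packet answers
        if key not in self.interface_table:
            return None  # no forward flow to pair with: leave it to ordinary routing
        return dc_replace(pkt, src_mac=self.next_hop_table[key],
                          dst_mac=self.interface_table[key])


class TransparentSecurityDevice:
    """Bump-in-the-wire device with the consistency check enabled (modelled): a return
    frame must carry the forward frame's MAC pair swapped."""

    def __init__(self) -> None:
        self.seen: Dict[FiveTuple, Tuple[str, str]] = {}

    def inspect(self, pkt: Packet) -> bool:
        rev = pkt.reverse_five_tuple()
        if rev in self.seen:
            fwd_src, fwd_dst = self.seen[rev]
            return pkt.src_mac == fwd_dst and pkt.dst_mac == fwd_src
        self.seen[pkt.five_tuple()] = (pkt.src_mac, pkt.dst_mac)
        return True


# Constructed sample flow: client 10.0.1.10 -> server 10.0.2.20, TCP 443, and its reply.
FORWARD = Packet("aa:aa:aa:00:00:01", "aa:aa:aa:00:00:ff",
                 "10.0.1.10", "10.0.2.20", 51000, 443, "tcp")
RETURN = Packet("bb:bb:bb:00:00:20", "bb:bb:bb:00:00:ff",
                "10.0.2.20", "10.0.1.10", 443, 51000, "tcp")


def run_chain(use_virtual_macs: bool, devices: int = 2) -> List[bool]:
    """Steer the forward and the return packet through `devices` transparent devices in
    sequence; returns each device's check result, forward results first, then return."""
    chain = [TransparentSecurityDevice() for _ in range(devices)]
    port = RoutedSecurityPort("cc:cc:cc:00:00:01",
                              {"10.0.2.20": "cc:cc:cc:00:00:02",
                               "10.0.1.10": "cc:cc:cc:00:00:03"})
    ctl = Controller()
    fwd = ctl.rewrite_forward(FORWARD) if use_virtual_macs else port.forward(FORWARD)
    ret = ctl.rewrite_return(RETURN) if use_virtual_macs else port.forward(RETURN)
    results: List[bool] = []
    for pkt in (fwd, ret):
        # claim 4: the virtual MAC pair is not changed between the devices of the chain
        results.extend(dev.inspect(pkt) for dev in chain)
    return results
```

`run_chain(False)` shows the failure mode the patent addresses: both devices accept the forward packet, then reject the return packet because its source MAC is the port MAC rather than the forward packet's destination MAC. `run_chain(True)` passes on every device because the same virtual pair, swapped, is presented in both directions.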

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710985040.XA CN107645458B (en) 2017-10-20 2017-10-20 Three-layer message drainage method and controller

Publications (2)

Publication Number Publication Date
CN107645458A true CN107645458A (en) 2018-01-30
CN107645458B CN107645458B (en) 2020-04-24

Family

ID=61122532

Country Status (1)

Country Link
CN (1) CN107645458B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113098856A (en) * 2021-03-29 2021-07-09 绿盟科技集团股份有限公司 Virtual private network VPN implementation method and safety device in transparent mode
CN113364797A (en) * 2021-06-18 2021-09-07 广东省新一代通信与网络创新研究院 Network system for preventing DDOS attack
CN114363027A (en) * 2021-12-27 2022-04-15 武汉思普崚技术有限公司 Control method and device for drainage, backflow and remote access

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127696A (en) * 2006-08-15 2008-02-20 华为技术有限公司 Data forwarding method for layer 2 network and network and node devices
CN103023827A (en) * 2012-11-23 2013-04-03 杭州华三通信技术有限公司 Data forwarding method for virtualized data centre and realization equipment of data forwarding method
US20130329734A1 (en) * 2012-06-11 2013-12-12 Radware, Ltd. Techniques for providing value-added services in sdn-based networks
CN104639414A (en) * 2015-01-30 2015-05-20 杭州华三通信技术有限公司 Message transmitting method and message transmitting equipment
CN104869058A (en) * 2015-06-04 2015-08-26 北京京东尚科信息技术有限公司 Method and device for transmitting data message
CN105763606A (en) * 2016-02-04 2016-07-13 杭州华三通信技术有限公司 Service chain agent aggregation method and system
CN105978806A (en) * 2016-03-11 2016-09-28 北京星网锐捷网络技术有限公司 Service chain drainage method and device
CN106713026A (en) * 2016-12-15 2017-05-24 锐捷网络股份有限公司 Service chain topological structure, service chain setting method and controller
CN107204942A (en) * 2016-03-18 2017-09-26 上海有云信息技术有限公司 A kind of implementation method that service chaining transparent transmission is realized based on five-tuple

Also Published As

Publication number Publication date
CN107645458B (en) 2020-04-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant