CN107645458B - Three-layer packet steering method and controller - Google Patents


Info

Publication number
CN107645458B
Authority
CN
China
Prior art keywords
mac address
layer
controller
return
message
Legal status
Active
Application number
CN201710985040.XA
Other languages
Chinese (zh)
Other versions
CN107645458A (en
Inventor
周遵亮
Current Assignee
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd
Application filed by Ruijie Networks Co Ltd
Priority to CN201710985040.XA
Publication of CN107645458A
Application granted
Publication of CN107645458B
Legal status: Active

Abstract

The application discloses a three-layer packet steering method and a controller, relates to the field of communications, and is used to steer three-layer packets when a security device has consistency checking enabled under a service chain architecture. The method comprises the following steps: when an outbound three-layer packet flows into the switching device, the controller replaces the source Media Access Control (MAC) address of the outbound three-layer packet with a first virtual MAC address and replaces its destination MAC address with a second virtual MAC address; the controller controls the switching device to steer the outbound three-layer packet to the security device through the security port; when the return three-layer packet corresponding to the outbound three-layer packet flows into the switching device, the controller replaces the destination MAC address of the return three-layer packet with the first virtual MAC address and replaces its source MAC address with the second virtual MAC address; the controller controls the switching device to steer the return three-layer packet to the security device through the security port. The embodiment of the application is applied to security device consistency checking.

Description

Three-layer packet steering method and controller
Technical Field
The present invention relates to the field of communications, and in particular to a three-layer packet steering method and a controller.
Background
In the network device deployment scheme of a Service Chain architecture, all security devices are attached to a switch. Security devices generally have a bidirectional path consistency detection function for sessions: in transparent mode they check the consistency of the source Media Access Control (MAC) address and the destination MAC address in the two-layer (Layer 2) header of a packet, and if the source MAC and destination MAC of the return packet are not consistent with those of the outbound packet, the flow is blocked.
In transparent mode under the current service chain, two-layer flows can be steered normally, but for three-layer flows the destination MAC (DMAC) of both directions of the flow is the MAC of the switch, so the flow is simply cut off as soon as the security device enables the consistency check. If the consistency check is disabled instead, the security protection function of most security devices is disabled with it, and the customer network is exposed to attack.
Disclosure of Invention
The embodiment of the invention provides a three-layer packet steering method and a controller, which are used to steer three-layer packets when a security device has consistency checking enabled under a service chain architecture.
To achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, a three-layer packet steering method is provided. The method is applied to a network architecture formed by a controller, a switching device and a security device in service chain form, where the security device is in transparent mode and the security port on the switching device that connects to the security device is in routing mode. The method includes:
when an outbound three-layer packet flows into the switching device, the controller replaces the source Media Access Control (MAC) address of the outbound three-layer packet with a first virtual MAC address and replaces the destination MAC address of the outbound three-layer packet with a second virtual MAC address, where the outbound three-layer packet corresponds one to one to the first virtual MAC address and the second virtual MAC address;
the controller controls the switching device to steer the outbound three-layer packet to the security device through the security port;
when the return three-layer packet corresponding to the outbound three-layer packet flows into the switching device, the controller replaces the source MAC address of the return three-layer packet with the corresponding second virtual MAC address and replaces the destination MAC address of the return three-layer packet with the corresponding first virtual MAC address;
and the controller controls the switching device to steer the return three-layer packet to the security device through the security port.
In a second aspect, a controller is provided, applied to a network architecture formed by a controller, a switching device and a security device in service chain form, where the security device is in transparent mode and the security port on the switching device that connects to the security device is in routing mode. The controller includes:
a replacing unit, configured to replace the source Media Access Control (MAC) address of an outbound three-layer packet with a first virtual MAC address and replace the destination MAC address of the outbound three-layer packet with a second virtual MAC address when the outbound three-layer packet flows into the switching device, where the outbound three-layer packet corresponds one to one to the first virtual MAC address and the second virtual MAC address;
a steering unit, configured to control the switching device to steer the outbound three-layer packet to the security device through the security port;
the replacing unit is further configured to, when the return three-layer packet corresponding to the outbound three-layer packet flows into the switching device, replace the source MAC address of the return three-layer packet with the corresponding second virtual MAC address and replace the destination MAC address of the return three-layer packet with the corresponding first virtual MAC address;
and the steering unit is further configured to control the switching device to steer the return three-layer packet to the security device through the security port.
In a third aspect, a computer readable storage medium is provided that stores one or more programs comprising instructions which, when executed by a controller, cause the controller to perform the method of the first aspect.
The embodiment of the application provides a three-layer packet steering method and a controller. The controller identifies service flows in the two directions and issues the corresponding flow tables; the outbound and return three-layer packets are steered to the security device by policy routing, the source MAC address of the outbound three-layer packet is replaced with what becomes the destination MAC address of the return three-layer packet, and the destination MAC address of the outbound three-layer packet becomes the source MAC address of the return three-layer packet. The MAC addresses of the outbound three-layer packet as seen by the security device are therefore symmetric with those of the return three-layer packet, the service flow is not blocked when the security device performs its consistency check, and three-layer packet steering is achieved with the security device's consistency check enabled under a service chain architecture.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in describing them are briefly introduced below.
Fig. 1 is a schematic diagram of a network architecture in service chain form according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a three-layer packet steering method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of three-layer packet steering according to an embodiment of the present application;
Fig. 4 is a schematic diagram of another three-layer packet steering according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of another three-layer packet steering method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a controller according to an embodiment of the present application.
Detailed Description
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings.
Referring to Fig. 1, the network architecture in service chain form provided in this embodiment includes a switching device 11, a Software Defined Network (SDN) controller 12 and a security device 13. All security devices hang off one switching device. The security device 13 may include a Firewall (FW), an Intrusion Detection and Prevention (IDP) device, a Web Application Firewall (WAF), a flow control device and the like. The switching device may be a switch or a three-layer device with switching functionality.
A flow table in this embodiment consists of two parts, a matching rule and a control action. The matching rule may cover any field of the data packet as well as forwarding state inside the device, and the control actions include drop, drop cancel, redirection, packet content modification, flow statistics, egress mask, next hop and so on. When a data packet arrives at a switch interface on which a flow table is configured, the packet is checked against the entries of the flow table in priority order, and if it matches, the control action of the first matching entry is executed. A flow table redirection action has higher priority than normal forwarding: when the egress chosen by normal forwarding differs from the egress of the flow table redirection, the packet leaves through the egress given by the flow table.
Routing mode of the security device, as used in this embodiment, means that an IP address is configured on the security device, and when packets are forwarded through the security device an additional IP address segment has to be allocated to it. In this case only packets forwarded at layer three can be steered; otherwise packets cannot be forwarded on after arriving at the security device. Some security devices do not support routing mode.
Transparent mode of the security device, as used in this embodiment, requires no IP address on the security device; packets pass straight through the security device without their content being changed. In this case all packets can be steered.
The MAC addresses of the outbound three-layer packet and the return three-layer packet in this embodiment are symmetric, that is: the source MAC address of the outbound three-layer packet equals the destination MAC address of the return three-layer packet, and the destination MAC address of the outbound three-layer packet equals the source MAC address of the return three-layer packet.
Example 1
Referring to Fig. 2, an embodiment of the present application provides a three-layer packet steering method applied to the network architecture above. The method includes:
S101, when an outbound three-layer packet flows into the switching device, the controller replaces the source Media Access Control (MAC) address of the outbound three-layer packet with a first virtual MAC address and replaces its destination MAC address with a second virtual MAC address; and the controller controls the switching device to steer the outbound three-layer packet to the security device through the security port.
The outbound packet corresponds one to one to the first virtual MAC address and the second virtual MAC address.
Take a service chain consisting of a single security device as an example, as shown in Fig. 3: assume the security device is an FW and the switching device is a switch. If the service chain bound to flow A is FW, the path of the outbound three-layer packet from A to B is A -> P1 -> P2 -> FW -> P5 -> P6 -> B (solid line), and the corresponding path of the return three-layer packet from B to A is B -> P6 -> P5 -> FW -> P2 -> P1 -> A (dotted line).
The controller may configure the security port on the switching device connected to the security device in routing mode, so that the switching device does not pass other two-layer packets through it; for the example above, P2 and P5 are configured in routing mode. The controller may configure the security device in transparent mode, so that the security device does not route or forward according to the packet's MAC address; for the example above, the FW is configured in transparent mode.
The first virtual MAC address and the second virtual MAC address are stored in the next hop table and the interface table of the switching device, where the next hop table stores the destination MAC address used when forwarding a three-layer packet and the interface table stores the source MAC address used when forwarding a three-layer packet.
A virtual MAC address has the same form as a real MAC address, but its specific value is not that of any real MAC address. Assuming the first virtual MAC address is MAC-X and the second virtual MAC address is MAC-Y, MAC-X and MAC-Y are added to the next hop table egr_l3_next_hop and to the interface table egr_l3_intf.
Specifically, the controller may replace the source MAC address of the outbound three-layer packet with the first virtual MAC address according to the interface table, and replace the destination MAC address of the outbound three-layer packet with the second virtual MAC address according to the next hop table.
For example, referring to the solid line in Fig. 3, the controller may issue a flow table in advance; when an outbound three-layer packet hits that flow table, the outbound three-layer packet entering the switch at P1 is redirected to P2, and at the same time its source MAC address MAC-A is replaced with MAC-X and its destination MAC address MAC-gateway (the MAC of the switching device) is replaced with MAC-Y.
S102, when the return three-layer packet corresponding to the outbound three-layer packet flows into the switching device, the controller replaces the source MAC address of the return three-layer packet with the corresponding second virtual MAC address and replaces its destination MAC address with the corresponding first virtual MAC address; and the controller controls the switching device to steer the return three-layer packet to the security device through the security port.
Specifically, because the return three-layer packet corresponds to the outbound three-layer packet, and the outbound packet corresponds one to one to the first and second virtual MAC addresses, the controller can replace the source MAC address of the return packet with the corresponding second virtual MAC address according to the interface table, and replace the destination MAC address of the return packet with the corresponding first virtual MAC address according to the next hop table.
For example, referring to the dotted line in Fig. 3, the controller may issue a flow table in advance; when a return three-layer packet hits that flow table, the return packet entering the switch at P6 is redirected to P5, its source MAC address MAC-B is replaced with MAC-Y and its destination MAC address MAC-gateway is replaced with MAC-X.
After replacement, the outbound three-layer packet has source MAC address MAC-X and destination MAC address MAC-Y, and the return three-layer packet has source MAC address MAC-Y and destination MAC address MAC-X. The security device sees the MAC addresses of the two packets as symmetric and therefore does not cut off the corresponding flow.
The three-layer packet steering method provided by this embodiment identifies service flows in the two directions through the controller and issues the corresponding flow tables; the outbound and return three-layer packets are steered to the security device by policy routing, the source MAC address of the outbound three-layer packet is replaced with what becomes the destination MAC address of the return three-layer packet, and the destination MAC address of the outbound three-layer packet becomes the source MAC address of the return three-layer packet. The MAC addresses of the outbound three-layer packet as seen by the security device are thus symmetric with those of the return three-layer packet, the service flow is not blocked when the security device performs its consistency check, and three-layer packet steering is achieved with the consistency check enabled under a service chain architecture.
Referring to Fig. 5, the method may further include step S103:
S103, when the outbound three-layer packet or the return three-layer packet is steered between multiple security devices, the controller keeps the virtual MAC addresses of the outbound three-layer packet or the return three-layer packet unchanged.
Specifically, the MAC addresses can be kept unchanged by setting the KEEP field of the Forwarding Policy (FP) entry.
Take a service chain of two security devices as an example, as shown in Fig. 4: assume the security devices are an FW and an IDP and the switching device is a switch. The service chain bound to flow A is FW -> IDP, and the path of the outbound three-layer packet from A to B is A -> P1 -> P2 -> FW -> P3 -> P4 -> IDP -> P5 -> P6 -> B (solid line); the corresponding path of the return three-layer packet from B to A is B -> P6 -> P5 -> IDP -> P4 -> P3 -> FW -> P2 -> P1 -> A (dotted line). Likewise, ports P3 and P4 are also configured in routing mode, and the IDP is also configured in transparent mode.
The controller issues a flow table that redirects the outbound three-layer packet to port P4 (the IDP side) after it re-enters the switch from port P3 (the FW side), so that the outbound three-layer packet follows the service chain FW -> IDP; at the same time the source and destination MAC addresses of the outbound three-layer packet are kept unchanged through the KEEP field of the FP entry, so the outbound three-layer packet entering the IDP still has source MAC address MAC-X and destination MAC address MAC-Y.
Similarly, the controller issues a flow table that redirects the return three-layer packet to port P3 (the FW side) after it re-enters the switch from port P4 (the IDP side), so that the return three-layer packet follows the service chain IDP -> FW; at the same time the source and destination MAC addresses of the return three-layer packet are kept unchanged through the KEEP field of the FP entry, so the return three-layer packet entering the FW still has source MAC address MAC-Y and destination MAC address MAC-X.
In this way, no matter how many security devices are in the system, each security device sees the MAC addresses of the outbound three-layer packet and the return three-layer packet as symmetric, and the corresponding flow is not intercepted.
Referring to Fig. 5, the method may further include step S104:
S104, the controller configures the first virtual MAC address and the second virtual MAC address into the trigger routing table of the switching device. The trigger routing table causes three-layer routed forwarding to be triggered for the outbound or return three-layer packet after it flows back into the switching device from the security device, where the controller issues no flow table.
Specifically, MAC-X and MAC-Y are added to the my_station_tcam trigger routing table, so that after an outbound or return three-layer packet flows back into the switch from the security device and the controller issues no flow table, three-layer routed forwarding is triggered. The trigger routing table mainly comes into play when the outbound or return three-layer packet finally leaves the switch after being steered through all security devices.
For example, referring to Fig. 3 or Fig. 4, after the outbound three-layer packet flows into the switch from port P5, the controller issues no flow table, so the my_station_tcam trigger routing table is consulted and the packet is forwarded by conventional routing. Because MAC-Y triggers three-layer routing in the my_station_tcam table, the packet hits the routing table and leaves through P6; at this point the source MAC address of the outbound three-layer packet is replaced with MAC-gateway and the destination MAC address with MAC-B.
Similarly, referring to Fig. 3 or Fig. 4, after the return three-layer packet flows into the switch from port P2, the controller issues no flow table, so the my_station_tcam trigger routing table is consulted and the return three-layer packet is forwarded by conventional routing. Because MAC-X triggers three-layer routing in the my_station_tcam table, the packet hits the routing table and leaves through P1; at this point the source MAC address of the return three-layer packet is replaced with MAC-gateway and the destination MAC address with MAC-A.
This step lets the outbound or return three-layer packet leaving the switching device reach its receiver normally.
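As an added illustration that is not part of the patent text, the following Python model walks the Fig. 4 two-device chain through steps S101 to S104 and contrasts it with the prior-art case from the Background, where the MAC addresses are left untouched and both directions carry the switch's MAC as destination. It also exercises the flow table semantics from the Detailed Description: entries are checked in priority order and a redirect outranks normal forwarding, which only runs when the destination MAC is in the trigger routing table. The switch, flow entries, KEEP flag, my_station_tcam set, route table and the transparent-mode consistency check are simplified simulations; every MAC address, IP address and port name is constructed for the example and is not taken from any real device.

```python
"""Constructed model of the virtual-MAC steering scheme (steps S101 to S104); every
address and port name is constructed for the example, not taken from a real device."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

MAC_A, MAC_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # hosts A and B
MAC_GW = "00:00:00:00:00:01"                              # the switch's own MAC ("MAC-gateway")
MAC_X, MAC_Y = "02:00:00:00:00:01", "02:00:00:00:00:02"   # virtual MACs (locally administered)
IP_A, IP_B = "10.0.1.10", "10.0.2.20"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str

@dataclass
class FlowEntry:
    priority: int
    in_port: str
    match: Callable[[Packet], bool]
    out_port: str                   # redirect target
    src_mac: Optional[str] = None   # rewrite actions; None leaves the field alone
    dst_mac: Optional[str] = None
    keep: bool = False              # models the KEEP field of the FP entry

class Switch:
    def __init__(self, routes: Dict[str, Tuple[str, str]]):
        self.flows: List[FlowEntry] = []
        self.my_station_tcam = {MAC_GW}   # destination MACs that trigger L3 routing
        self.routes = routes              # dst_ip -> (out_port, next-hop MAC)

    def add_flow(self, entry: FlowEntry) -> None:
        self.flows.append(entry)
        self.flows.sort(key=lambda f: -f.priority)   # highest priority is checked first

    def forward(self, in_port: str, pkt: Packet) -> Tuple[str, Packet]:
        # A flow-table redirect outranks normal forwarding; the first matching entry acts.
        for e in self.flows:
            if e.in_port == in_port and e.match(pkt):
                if e.keep:
                    return e.out_port, pkt
                return e.out_port, replace(pkt, src_mac=e.src_mac or pkt.src_mac,
                                           dst_mac=e.dst_mac or pkt.dst_mac)
        if pkt.dst_mac in self.my_station_tcam:   # no flow hit: trigger table decides on L3 routing
            out_port, next_hop = self.routes[pkt.dst_ip]
            return out_port, replace(pkt, src_mac=MAC_GW, dst_mac=next_hop)
        raise RuntimeError(f"no forwarding decision for {pkt} on {in_port}")

class SecurityDevice:
    """Transparent mode: passes packets unchanged, blocks a return leg whose MACs do not mirror the outbound leg."""
    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, str], Tuple[str, str]] = {}   # (src_ip, dst_ip) -> MACs

    def inspect(self, pkt: Packet) -> bool:
        fwd, rev = (pkt.src_ip, pkt.dst_ip), (pkt.dst_ip, pkt.src_ip)
        if rev in self.sessions:                  # return leg of a session seen earlier
            src, dst = self.sessions[rev]
            return pkt.src_mac == dst and pkt.dst_mac == src
        self.sessions.setdefault(fwd, (pkt.src_mac, pkt.dst_mac))
        return True

# Fig. 4 topology: A-P1, P2-FW-P3, P4-IDP-P5, P6-B; P2..P5 are the security ports (routing mode).
PEER = {"P2": ("FW", "P3"), "P3": ("FW", "P2"), "P4": ("IDP", "P5"), "P5": ("IDP", "P4")}

def build(steering: bool) -> Tuple[Switch, Dict[str, SecurityDevice]]:
    sw = Switch(routes={IP_B: ("P6", MAC_B), IP_A: ("P1", MAC_A)})
    devs = {"FW": SecurityDevice(), "IDP": SecurityDevice()}
    a_to_b = lambda p: (p.src_ip, p.dst_ip) == (IP_A, IP_B)   # noqa: E731
    b_to_a = lambda p: (p.src_ip, p.dst_ip) == (IP_B, IP_A)   # noqa: E731
    if steering:
        sw.my_station_tcam |= {MAC_X, MAC_Y}                           # S104
        sw.add_flow(FlowEntry(10, "P1", a_to_b, "P2", MAC_X, MAC_Y))   # S101: rewrite and steer
        sw.add_flow(FlowEntry(10, "P6", b_to_a, "P5", MAC_Y, MAC_X))   # S102: mirrored rewrite
    else:   # prior-art baseline: steer through the chain but leave the MACs alone
        sw.add_flow(FlowEntry(10, "P1", a_to_b, "P2", keep=True))
        sw.add_flow(FlowEntry(10, "P6", b_to_a, "P5", keep=True))
    sw.add_flow(FlowEntry(10, "P3", a_to_b, "P4", keep=True))          # S103: FW -> IDP, KEEP
    sw.add_flow(FlowEntry(10, "P4", b_to_a, "P3", keep=True))          # S103: IDP -> FW, KEEP
    return sw, devs

def send(sw: Switch, devs: Dict[str, SecurityDevice], in_port: str, pkt: Packet):
    """Carry one packet through the switch and chained devices until it egresses or is blocked."""
    while True:
        out_port, pkt = sw.forward(in_port, pkt)
        if out_port not in PEER:                  # left the chain toward a host
            return out_port, pkt, "delivered"
        dev, back_port = PEER[out_port]
        if not devs[dev].inspect(pkt):
            return out_port, pkt, f"blocked by {dev}"
        in_port = back_port                       # the device hands it back on its other port

def run(steering: bool) -> Dict[str, object]:
    sw, devs = build(steering)
    port, egress, v_out = send(sw, devs, "P1", Packet(IP_A, IP_B, MAC_A, MAC_GW))
    _, _, v_ret = send(sw, devs, "P6", Packet(IP_B, IP_A, MAC_B, MAC_GW))
    return {"outbound": v_out, "return": v_ret, "fw_saw": devs["FW"].sessions[(IP_A, IP_B)],
            "egress": (port, egress.src_mac, egress.dst_mac)}
```

`run(True)` delivers both legs: the FW records the outbound session as (MAC-X, MAC-Y), the IDP sees the same pair thanks to the KEEP entries, and the packet finally leaves P6 rewritten to (MAC-gateway, MAC-B) by the trigger routing table. `run(False)` reproduces the failure from the Background: the return leg is dropped by the first device it meets on the way back, the IDP, because both legs carried the switch's MAC as destination and the consistency check finds no mirror image.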
Example 2
The embodiment of the present application provides a controller applied to the network architecture above. Referring to Fig. 6, the controller 60 includes:
a replacing unit 601, configured to replace the source Media Access Control (MAC) address of the outbound three-layer packet with a first virtual MAC address and replace the destination MAC address of the outbound three-layer packet with a second virtual MAC address when the outbound three-layer packet flows into the switching device, where the outbound packet corresponds one to one to the first virtual MAC address and the second virtual MAC address;
and a steering unit 602, configured to control the switching device to steer the outbound three-layer packet to the security device through the security port.
The replacing unit 601 is further configured to, when the return three-layer packet corresponding to the outbound three-layer packet flows into the switching device, replace the source MAC address of the return three-layer packet with the corresponding second virtual MAC address and replace the destination MAC address of the return three-layer packet with the corresponding first virtual MAC address.
The steering unit 602 is further configured to control the switching device to steer the return three-layer packet to the security device through the security port.
In one possible design, the first virtual MAC address and the second virtual MAC address are stored in the next hop table and the interface table of the switching device, where the next hop table stores the destination MAC address used when forwarding a three-layer packet and the interface table stores the source MAC address used when forwarding a three-layer packet.
In one possible design, the replacing unit 601 is specifically configured to: replace the source MAC address of the outbound three-layer packet with the first virtual MAC address according to the interface table and replace the destination MAC address of the outbound three-layer packet with the second virtual MAC address according to the next hop table; and replace the source MAC address of the return three-layer packet with the second virtual MAC address according to the interface table and replace the destination MAC address of the return three-layer packet with the first virtual MAC address according to the next hop table.
In one possible design, referring to Fig. 6, the controller further includes a configuring unit 603, configured to keep the virtual MAC addresses of the outbound three-layer packet or the return three-layer packet unchanged when the outbound or return three-layer packet is steered between multiple security devices.
In one possible design, the configuring unit 603 is configured to configure the first virtual MAC address and the second virtual MAC address into the trigger routing table of the switching device, where the trigger routing table causes three-layer routed forwarding to be triggered for the outbound or return three-layer packet after it flows back into the switching device from the security device, where the controller issues no flow table.
Since the controller of this embodiment can carry out the method above, its technical effect is that of the method embodiment and is not described again here.
The replacing unit, the steering unit and the configuring unit may be independent processors, may be integrated into one of the processors of the controller, or may be stored in a memory of the controller in the form of program code that one of the processors of the controller calls to execute the functions of the above units. The processor may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
Embodiments of the present application provide a computer readable storage medium storing one or more programs comprising instructions which, when executed by a controller, cause the controller to perform the method described with reference to Fig. 2 or Fig. 5.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium that includes instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (9)

1. A Layer 3 packet steering method, applied to a network architecture in which a controller, a switching device and a security device form a service chain, wherein the security device operates in transparent mode and the security port of the switching device that connects to the security device operates in routing mode, the method comprising:
when an outbound Layer 3 packet flows into the switching device, the controller replaces the source Media Access Control (MAC) address of the outbound Layer 3 packet with a first virtual MAC address and replaces the destination MAC address of the outbound Layer 3 packet with a second virtual MAC address, wherein the outbound Layer 3 packet corresponds one to one to the first virtual MAC address and the second virtual MAC address;
the controller controls the switching device to steer the outbound Layer 3 packet to the security device through the security port;
when a return Layer 3 packet corresponding to the outbound Layer 3 packet flows into the switching device, the controller replaces the source MAC address of the return Layer 3 packet with the corresponding second virtual MAC address and replaces the destination MAC address of the return Layer 3 packet with the corresponding first virtual MAC address;
the controller controls the switching device to steer the return Layer 3 packet to the security device through the security port;
the method further comprising:
the controller configures the first virtual MAC address and the second virtual MAC address into a trigger routing table of the switching device, wherein the trigger routing table is used so that, after the outbound Layer 3 packet or the return Layer 3 packet flows back from the security device into the switching device, Layer 3 routing forwarding is triggered without the controller issuing a flow table.
2. The method of claim 1, wherein the first virtual MAC address and the second virtual MAC address are stored in a next hop table of the switching device, the next hop table storing the destination MAC addresses used for Layer 3 forwarding, and an interface table of the switching device storing the source MAC addresses used for Layer 3 forwarding.
3. The method of claim 2, wherein
the controller replacing the source Media Access Control (MAC) address of the outbound Layer 3 packet with a first virtual MAC address and replacing the destination MAC address of the outbound Layer 3 packet with a second virtual MAC address comprises:
the controller replacing the source MAC address of the outbound Layer 3 packet with the first virtual MAC address according to the interface table, and replacing the destination MAC address of the outbound Layer 3 packet with the second virtual MAC address according to the next hop table;
and the controller replacing the source MAC address of the return Layer 3 packet with the corresponding second virtual MAC address and replacing the destination MAC address of the return Layer 3 packet with the corresponding first virtual MAC address comprises:
the controller replacing the source MAC address of the return Layer 3 packet with the corresponding second virtual MAC address according to the interface table, and replacing the destination MAC address of the return Layer 3 packet with the corresponding first virtual MAC address according to the next hop table.
4. The method of claim 1, further comprising: when the outbound Layer 3 packet or the return Layer 3 packet is steered between a plurality of security devices, the controller keeps the virtual MAC addresses of the outbound Layer 3 packet or the return Layer 3 packet unchanged.
5. A controller, applied to a network architecture in which the controller, a switching device and a security device form a service chain, wherein the security device operates in transparent mode and the security port of the switching device that connects to the security device operates in routing mode, the controller comprising:
a replacing unit, configured to, when an outbound Layer 3 packet flows into the switching device, replace the source Media Access Control (MAC) address of the outbound Layer 3 packet with a first virtual MAC address and replace the destination MAC address of the outbound Layer 3 packet with a second virtual MAC address, wherein the outbound Layer 3 packet corresponds one to one to the first virtual MAC address and the second virtual MAC address;
a steering unit, configured to control the switching device to steer the outbound Layer 3 packet to the security device through the security port;
the replacing unit being further configured to, when a return Layer 3 packet corresponding to the outbound Layer 3 packet flows into the switching device, replace the source MAC address of the return Layer 3 packet with the corresponding second virtual MAC address and replace the destination MAC address of the return Layer 3 packet with the corresponding first virtual MAC address;
the steering unit being further configured to control the switching device to steer the return Layer 3 packet to the security device through the security port;
the controller further comprising a configuration unit,
the configuration unit being configured to configure the first virtual MAC address and the second virtual MAC address into a trigger routing table of the switching device, wherein the trigger routing table is used so that, after the outbound Layer 3 packet or the return Layer 3 packet flows back from the security device into the switching device, Layer 3 routing forwarding is triggered without the controller issuing a flow table.
6. The controller of claim 5, wherein the first virtual MAC address and the second virtual MAC address are stored in a next hop table of the switching device, the next hop table storing the destination MAC addresses used for Layer 3 forwarding, and an interface table of the switching device storing the source MAC addresses used for Layer 3 forwarding.
7. The controller of claim 6, wherein the replacing unit is specifically configured to:
replace the source MAC address of the outbound Layer 3 packet with the first virtual MAC address according to the interface table, and replace the destination MAC address of the outbound Layer 3 packet with the second virtual MAC address according to the next hop table;
and replace the source MAC address of the return Layer 3 packet with the corresponding second virtual MAC address according to the interface table, and replace the destination MAC address of the return Layer 3 packet with the corresponding first virtual MAC address according to the next hop table.
8. The controller of claim 5, wherein the configuration unit is further configured to
keep the virtual MAC addresses of the outbound Layer 3 packet or the return Layer 3 packet unchanged when the outbound Layer 3 packet or the return Layer 3 packet is steered between a plurality of security devices.
9. A computer readable storage medium storing one or more programs, the one or more programs comprising instructions which, when executed by a controller, cause the controller to perform the method of any one of claims 1 to 4.
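The steering scheme of claims 1 to 4, and its controller form in claims 5 to 8, as an added example that is not code from the patent or from Ruijie Networks: a Python simulation of the controller, the switching device with its interface table and next hop table, two transparent security devices in a chain, and the trigger routing table consulted for frames coming back from a security port. The class names, the port names (p1, p2, sec1, sec2), the topology, the flow identified by its IP five-tuple, and the 02:00:00:xx:xx:xx locally administered virtual MAC range are assumptions made for illustration; the security device's consistency check is modelled as a session table keyed on the MAC pair of the first packet of a flow, which is one plausible reading of what a transparent-mode device verifies, not something the claims specify.

```python
# Added example (not the patent's own code): Python simulation of the Layer 3 steering scheme of
# claims 1-4 and 5-8. Class names, port names and the 02:00:00:xx:xx:xx vMAC range are assumptions.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int, int, int]   # src_ip, dst_ip, proto, sport, dport
SEC_PORTS = ["sec1", "sec2"]                # security ports in routing mode, one per chained device


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int
    def key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.proto, self.sport, self.dport)
    def reverse_key(self) -> FlowKey:
        return (self.dst_ip, self.src_ip, self.proto, self.dport, self.sport)


class Controller:
    # One (first vMAC, second vMAC) pair per outbound flow; the trigger routing table lists every
    # vMAC issued so the switch can recognise frames coming back from the chain (claim 1).
    def __init__(self) -> None:
        self.pairs: Dict[FlowKey, Tuple[str, str]] = {}
        self.trigger_routing_table: Dict[str, FlowKey] = {}
        self._next = 1

    def _vmac(self) -> str:
        # Locally administered unicast (bit 1 of the first octet set): cannot collide with a real MAC.
        n, self._next = self._next, self._next + 1
        return "02:00:00:%02x:%02x:%02x" % ((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)

    def rewrite(self, pkt: Packet) -> Packet:
        if pkt.reverse_key() in self.pairs:               # return packet: src <- second, dst <- first
            first, second = self.pairs[pkt.reverse_key()]
            return replace(pkt, src_mac=second, dst_mac=first)
        if pkt.key() not in self.pairs:                   # new outbound flow: issue a fresh pair
            first, second = self._vmac(), self._vmac()
            self.pairs[pkt.key()] = (first, second)
            self.trigger_routing_table[first] = self.trigger_routing_table[second] = pkt.key()
        first, second = self.pairs[pkt.key()]             # outbound packet: src <- first, dst <- second
        return replace(pkt, src_mac=first, dst_mac=second)


class Switch:
    # Claim 2 tables: interface_table maps egress port -> source MAC of routed frames,
    # next_hop_table maps destination IP -> (next-hop MAC, egress port).
    def __init__(self, ctl: Controller, interface_table: Dict[str, str],
                 next_hop_table: Dict[str, Tuple[str, str]]) -> None:
        self.ctl, self.interface_table, self.next_hop_table = ctl, interface_table, next_hop_table

    def ingress(self, pkt: Packet, in_port: str) -> Tuple[Optional[Packet], str]:
        if in_port not in SEC_PORTS:                      # from an access port: rewrite, then steer
            return self.ctl.rewrite(pkt), SEC_PORTS[0]
        if pkt.dst_mac not in self.ctl.trigger_routing_table:
            return None, "drop"                           # not a vMAC we issued: nothing to trigger
        nxt = SEC_PORTS.index(in_port) + 1
        if nxt < len(SEC_PORTS):
            return pkt, SEC_PORTS[nxt]                    # claim 4: vMACs unchanged between devices
        hop = self.next_hop_table.get(pkt.dst_ip)         # back from the last device: route at Layer 3
        if hop is None:
            return None, "drop"
        nh_mac, out_port = hop
        return replace(pkt, src_mac=self.interface_table[out_port], dst_mac=nh_mac), out_port


class TransparentSecurityDevice:
    # Bridges frames untouched and keys each session on the MAC pair of its first packet; a return
    # packet whose MACs are not the swap of that pair is unsolicited and dropped (assumed model).
    def __init__(self) -> None:
        self.sessions: Dict[FlowKey, Tuple[str, str]] = {}

    def inspect(self, pkt: Packet) -> Optional[Packet]:
        if pkt.reverse_key() in self.sessions:
            src, dst = self.sessions[pkt.reverse_key()]
            return pkt if (pkt.src_mac, pkt.dst_mac) == (dst, src) else None
        self.sessions.setdefault(pkt.key(), (pkt.src_mac, pkt.dst_mac))
        return pkt


def send(sw: Switch, devs: Dict[str, TransparentSecurityDevice], pkt: Packet, in_port: str):
    # Walk one packet switch -> device -> switch ... until it leaves on a non-security port or is dropped.
    cur, port = sw.ingress(pkt, in_port)
    while cur is not None and port in SEC_PORTS:
        cur = devs[port].inspect(cur)                     # device hands the frame back on the same port
        cur, port = sw.ingress(cur, port) if cur is not None else (None, "drop")
    return cur, port


def demo() -> dict:
    # Constructed topology: host A 10.0.0.10 behind access port p1, server B 10.0.1.20 behind p2.
    ctl = Controller()
    sw = Switch(ctl, {"p1": "00:00:5e:00:00:01", "p2": "00:00:5e:00:00:02"},
                {"10.0.0.10": ("00:aa:00:00:00:0a", "p1"), "10.0.1.20": ("00:bb:00:00:00:14", "p2")})
    devs = {p: TransparentSecurityDevice() for p in SEC_PORTS}
    syn = Packet("00:aa:00:00:00:0a", "00:00:5e:00:00:01", "10.0.0.10", "10.0.1.20", 6, 40000, 443)
    synack = Packet("00:bb:00:00:00:14", "00:00:5e:00:00:02", "10.0.1.20", "10.0.0.10", 6, 443, 40000)
    out, back, again = send(sw, devs, syn, "p1"), send(sw, devs, synack, "p2"), send(sw, devs, syn, "p1")
    return {"out": out, "back": back, "again": again, "pair": ctl.pairs[syn.key()],
            "seen": devs["sec2"].sessions[syn.key()], "flows": len(ctl.pairs)}
```

Calling demo() walks a constructed SYN and SYN/ACK through both devices: each device sees the outbound packet as (first, second) and the return packet as (second, first), so its session lookup matches, and the frame that comes back from the last security port is routed with the next hop and interface tables rather than with a flow table, which is what the trigger routing table entry in claim 1 is for. A second outbound packet of the same flow reuses the same pair, the one-to-one correspondence the claim requires. Two checks a practitioner would keep from this model: virtual MACs are drawn from the locally administered range so they cannot collide with a real host or router interface, and a frame arriving on a security port whose destination MAC the controller never issued is dropped rather than routed.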
CN201710985040.XA 2017-10-20 2017-10-20 Three-layer message drainage method and controller Active CN107645458B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710985040.XA CN107645458B (en) 2017-10-20 2017-10-20 Three-layer message drainage method and controller

Publications (2)

Publication Number Publication Date
CN107645458A CN107645458A (en) 2018-01-30
CN107645458B true CN107645458B (en) 2020-04-24

Family

ID=61122532

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710985040.XA Active CN107645458B (en) 2017-10-20 2017-10-20 Three-layer message drainage method and controller

Country Status (1)

Country Link
CN (1) CN107645458B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113098856B (en) * 2021-03-29 2023-01-17 绿盟科技集团股份有限公司 Virtual private network VPN implementation method and safety device in transparent mode
CN113364797B (en) * 2021-06-18 2023-02-03 广东省新一代通信与网络创新研究院 Network system for preventing DDOS attack
CN114363027B (en) * 2021-12-27 2023-05-12 武汉思普崚技术有限公司 Control method and device for drainage, backflow and remote access

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127696A (en) * 2006-08-15 2008-02-20 华为技术有限公司 Data forwarding method for layer 2 network and network and node devices
CN103023827A (en) * 2012-11-23 2013-04-03 杭州华三通信技术有限公司 Data forwarding method for virtualized data centre and realization equipment of data forwarding method
CN104639414A (en) * 2015-01-30 2015-05-20 杭州华三通信技术有限公司 Message transmitting method and message transmitting equipment
CN104869058A (en) * 2015-06-04 2015-08-26 北京京东尚科信息技术有限公司 Method and device for transmitting data message
CN105763606A (en) * 2016-02-04 2016-07-13 杭州华三通信技术有限公司 Service chain agent aggregation method and system
CN105978806A (en) * 2016-03-11 2016-09-28 北京星网锐捷网络技术有限公司 Service chain drainage method and device
CN106713026A (en) * 2016-12-15 2017-05-24 锐捷网络股份有限公司 Service chain topological structure, service chain setting method and controller
CN107204942A (en) * 2016-03-18 2017-09-26 上海有云信息技术有限公司 Method for implementing transparent transmission of a service chain based on five-tuples

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9055006B2 (en) * 2012-06-11 2015-06-09 Radware, Ltd. Techniques for traffic diversion in software defined networks for mitigating denial of service attacks

Also Published As

Publication number Publication date
CN107645458A (en) 2018-01-30

Similar Documents

Publication Publication Date Title
KR101572771B1 (en) System and methods for controlling network traffic through virtual switches
US7401355B2 (en) Firewall load balancing using a single physical device
EP3014851B1 (en) Apparatus and method for distribution of policy enforcement point
US20150215841A1 (en) Session-based packet routing for facilitating analytics
CN107645458B (en) Three-layer message drainage method and controller
CN108353068B (en) SDN controller assisted intrusion prevention system
US10848432B2 (en) Switch fabric based load balancing
CN105099917B Service packet forwarding method and device
US20100333191A1 (en) System and method for protecting cpu against remote access attacks
CN106789542A Implementation method of a cloud data center security service chain
CN105830404A (en) Method for implicit session routing
CN102427429B Method, system and switch for implementing built-in packet security protection on a switch
CN101106518A (en) Service denial method for providing load protection of central processor
CN108833305A (en) The virtual network framework of host
CN107154902B (en) Method and apparatus for handling traffic between VLANs in an Ethernet tree
US10476790B2 (en) Service chaining at a network device
CN107682342B (en) Method and system for DDoS (distributed denial of service) flow traction based on openflow
JP2001249866A (en) Network with distributed fire wall function, fire wall server with fire wall distribution function and edge node with fire wall function
US10965596B2 (en) Hybrid services insertion
CN101496365B (en) Configurable resolution policy for data switch feature failures
US9036647B2 (en) Method and apparatus for network security
CN109412864B (en) Method for externally accessing docker container environment in non-docker network environment
Cisco Cisco IOS Switching Paths Overview
CN110661721B (en) Message anti-attack method and device
CN111885068A (en) Bypass deployment traffic distribution method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant